Details
- Bug
- Resolution: Won't Fix
- Low
- 3.10.0
- None
- Severity 3 - Minor
Description
Summary
When using AJP to proxy communication to FishEye/Crucible, under some scenarios the connection can drop from HTTPS to HTTP: a request that arrived over HTTPS is redirected to a plain HTTP URL. This is likely caused by AJP having no configuration options to set the scheme or port, as there are for proxying over HTTP.
Environment
- Load balancer terminating SSL and sending requests to Apache
- Apache using AJP to proxy requests to FishEye/Crucible
Specifically, I used the following configuration.
haproxy
- haproxy terminates SSL on port 443; in the output below, this is company.com
- Sends requests to Apache on port 80
- Frontend
    acl url_fisheye path_beg /fisheye
    use_backend fisheye-backend if url_fisheye
- Backend
    backend fisheye-backend
        mode http
        server fecru.internal.company.com 192.168.10.20:80 check
Apache
- Accepts requests on port 80 and uses AJP (mod_jk) to proxy to FishEye/Crucible
    <VirtualHost *:80>
        ...
        JkMount /fisheye* ajp13_worker
    </VirtualHost>
- mod_jk workers.properties
    worker.list=ajp13_worker
    worker.ajp13_worker.port=8009
    worker.ajp13_worker.host=localhost
    worker.ajp13_worker.type=ajp13
FishEye configuration
    <web-server context="/fisheye" site-url="https://company.com/fisheye">
        <http bind=":8060" proxy-host="company.com" proxy-port="443" proxy-scheme="https"/>
        <ajp13 bind="8009"/>
    </web-server>
Steps to Reproduce
- Establish an environment similar to the above
- Log out of FishEye
- Navigate to https://fisheye.company.com/login
- Submit with valid credentials
Expected Results
- Communication remains over the secure channel and is not redirected to HTTP.
Actual Results
The POST is redirected to an insecure channel.
Remote Address: 172.20.44.48:443
Request URL: https://company.com/fisheye/login
Request Method: POST
Status Code: 302 Found

Response Headers
Content-Length: 0
Date: Wed, 28 Oct 2015 23:20:16 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://company.com/fisheye/?_redir=login
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: remember=jeff:41:8b92355eab514a6d49a21dbb8248ecf2;Path=/fisheye;Expires=Thu, 27-Oct-2016 23:20:16 GMT;HttpOnly
Set-Cookie: FESESSIONID=z5evg811w4sn1w3v037kwzbxu;Path=/fisheye;HttpOnly
Set-Cookie: crucibleprefs1="D%3D1446074416917%3Bshp%3DN%3Basv%3Dfe";Path=/fisheye;Expires=Thu, 27-Oct-2016 23:20:16 GMT
X-AUSERNAME: anonymous
X-UA-Compatible: IE=Edge

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 101
Content-Type: application/x-www-form-urlencoded
Cookie: atl.xsrf.token.slashfisheye=a675bbe27477b8b4658e6ed8ef66c64afd57e8d7; FESESSIONID=17a08gvpurq7s1ll6a2bi7ddx5; crucibleprefs1="D%3D1446074294660%3Bshp%3DN%3Basv%3Dfe"; optimizelyEndUserId=oeu1399385644358r0.2884020113851875; returnVisitor=1; OACAP=393.5_754.1_902.1_935.1; __qca=P0-1487220908-1428155797695; mt.v=2.1215808955.1400537156465; km_ai=R7vC9Qcl5hOxN6rWazWABBY52QE%3D; km_lv=x; __ATL_TOKEN=UgDeh00gXlBQGnexMhuikg00; nlsrv291=true; nlssid291=0; OAGEO=CG%7Co%7C%7C%7C35.69%7C139.69%7C%7C%7C%7C%7C; __aid_user_id=655362%3Abca30b61-95e8-4e00-a799-034953ec9145; __ATL_TOKEN_STG=uItd4NHvDb2aWxwmCaEswQ00; ajs_anonymous_id=%22c9896d09-061f-429b-979d-86ca8692060b%22; kvcd=1445885452147; km_uq=; OAVARS[default]=DEFAULT; nlsrv205=true; nlssid205=0; OAVARS[a15fcadf]=DEFAULT; __atl_path=172.24.36.105.1413314072841320; OAVARS[a79838e6]=DEFAULT; _hp2_id.1778711898=1235959031877874.3481776940.2531432783; __insp_slim=1446072923259; __insp_wid=1157084781; __insp_nv=true; __insp_ref=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8%3D; __insp_targlpu=https%3A%2F%2Fmarketplace.atlassian.com%2Fplugins%2Fcom.atlassian.devrel.developer-toolbox-plugin; __insp_targlpt=Atlassian%20Developer%20Toolbox%20%7C%20Atlassian%20Marketplace; __insp_norec_sess=true; __utma=80426056.839466148.1399384708.1446072354.1446072923.663; __utmb=80426056.5.10.1446072923; __utmc=80426056; __utmz=80426056.1446072923.663.381.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmv=80426056.|3=Has%20logged%20in=Yes=1; _gat=1; _sio=c9896d09-061f-429b-979d-86ca8692060b; optimizelyPPID=655362%3Abca30b61-95e8-4e00-a799-034953ec9145; optimizelySegments=%7B%22172567725%22%3A%22gc%22%2C%22172648779%22%3A%22false%22%2C%22172668220%22%3A%22search%22%2C%22176560975%22%3A%22search%22%2C%22176875467%22%3A%22gc%22%2C%22176926205%22%3A%22false%22%2C%221029627244%22%3A%22gc%22%2C%221033959192%22%3A%22false%22%2C%221055842897%22%3A%22referral%22%2C%222134410170%22%3A%22search%22%2C%222136470130%22%3A%22gc%22%2C%222138270218%22%3A%22false%22%2C%222198800110%22%3A%22search%22%2C%222204230094%22%3A%22false%22%2C%222205380071%22%3A%22gc%22%2C%222616870029%22%3A%22stash%22%2C%222631660020%22%3A%22stash%22%2C%222634280139%22%3A%22jira-agile_high-perf%22%2C%223170030171%22%3A%22true%22%2C%223174420008%22%3A%22true%22%2C%223178260009%22%3A%22true%22%2C%223206571187%22%3A%22returning%22%2C%223240310788%22%3A%22true%22%2C%223444160983%22%3A%22true%22%2C%223514291269%22%3A%22true%22%7D; optimizelyBuckets=%7B%222773830021%22%3A%222748610044%22%2C%223539011028%22%3A%223514612375%22%2C%223721640680%22%3A%223702600931%22%7D; ajs_user_id=%22655362%3Abca30b61-95e8-4e00-a799-034953ec9145%22; ajs_group_id=null; _ga=GA1.2.839466148.1399384708
Host: company.com
Origin: https://company.com
Referer: https://company.com/fisheye/login
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
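As an added check (example code written for this page, not part of the ticket or of FishEye/Crucible), the following parses the captured 302 response and the FishEye web-server configuration shown above: it flags a redirect whose Location drops an HTTPS request to http://, and flags an ajp13 connector enabled while site-url is https, since the ticket's point is that the AJP connector has no proxy-scheme or proxy-port options. The captured response is a constructed abridgement of the headers above.

```python
"""Detect the HTTPS->HTTP downgrade described in the ticket, offline."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed from the response headers quoted in the ticket (abridged).
CAPTURED = """HTTP/1.1 302 Found
Content-Length: 0
Location: http://company.com/fisheye/?_redir=login
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: FESESSIONID=z5evg811w4sn1w3v037kwzbxu;Path=/fisheye;HttpOnly
"""

# The <web-server> element from the ticket's FishEye configuration.
CONFIG_XML = """<web-server context="/fisheye" site-url="https://company.com/fisheye">
  <http bind=":8060" proxy-host="company.com" proxy-port="443" proxy-scheme="https"/>
  <ajp13 bind="8009"/>
</web-server>"""


def parse_headers(raw):
    """Return (status_code, {lower-case name: [values]}) for a raw response."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def redirect_downgrades(request_url, raw_response):
    """True if a 3xx response sends an HTTPS request to an http:// Location.
    A relative Location (no scheme) keeps the request's scheme and is not a downgrade."""
    status, headers = parse_headers(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    source, target = urlsplit(request_url), urlsplit(headers["location"][0])
    return source.scheme == "https" and target.scheme == "http"


def ajp_connector_lacks_scheme(config_xml):
    """True when site-url is https and an <ajp13> connector carries no
    proxy-scheme attribute. Per the ticket AJP has no such option, so this
    fires for any ajp13 connector behind an HTTPS site-url."""
    root = ET.fromstring(config_xml)
    site_https = urlsplit(root.get("site-url", "")).scheme == "https"
    ajp = root.find("ajp13")
    return site_https and ajp is not None and ajp.get("proxy-scheme") is None


if __name__ == "__main__":
    print("downgrade:", redirect_downgrades("https://company.com/fisheye/login", CAPTURED))
    print("ajp without scheme:", ajp_connector_lacks_scheme(CONFIG_XML))
```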
Workaround
Switch from AJP to proxying over HTTP with ProxyPass and ProxyPassReverse: https://confluence.atlassian.com/fisheye/integrating-with-other-web-servers-298976937.html