Type: Suggestion
Resolution: Unresolved
Component/s: Administration - Others
Issue Summary
Starting from Jira 9.15, the websudo functionality has been enhanced with an IP address/subnet allowlist (Tightening access with a websudo allowlist).
This feature, by default, uses the X-Forwarded-For header as the source of the client's IP address. However, if this header contains multiple IPs, parsing fails with an IllegalArgumentException, because the current implementation does not expect the header to carry multiple values.
Although the X-Forwarded-For header is not formally standardized, carrying several IPs is the expected situation when Jira is accessed from behind a proxy (in that case X-Forwarded-For lists the comma-separated IPs of the client and of each proxy):
X-Forwarded-For: <client>, <proxy1>, <proxy2>
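The following is an added example, not Jira code and not Atlassian's fix: it shows how a comma-separated X-Forwarded-For value of the shape above can be parsed entry by entry, how the client address is then matched against an allowlist of single IPs and CIDR subnets, and why a defender should not simply take the leftmost entry. The header values, the allowlist and the set of trusted proxies are constructed for the example; the addresses come from documentation ranges.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample in the shape described above: client, proxy1, proxy2.
SAMPLE_XFF = "203.0.113.195, 198.51.100.178, 127.0.0.1"

# Hypothetical allowlist: a subnet and a single address (same idea as the
# websudo allowlist, but values are made up for this example).
ALLOWLIST = ["203.0.113.0/24", "192.0.2.10"]

# Assumed set of proxies operated by the deployment itself. Anything to the
# left of these in the header was written by a party we do not control.
TRUSTED_PROXIES = ["198.51.100.178", "127.0.0.1"]


def single_literal_or_none(header_value: str):
    """Mirror of the failure mode in the report: treat the whole header value
    as one IP literal. With several comma-separated entries this raises, so we
    return None to show that the naive approach yields no usable address."""
    try:
        return ipaddress.ip_address(header_value.strip())
    except ValueError:
        return None


def parse_xff(header_value: str) -> List[ipaddress._BaseAddress]:
    """Split X-Forwarded-For on commas and parse each entry as an IP address,
    preserving left-to-right order (client first, then each proxy hop).
    An entry that is not a valid IP literal still raises ValueError."""
    addrs = []
    for part in header_value.split(","):
        part = part.strip()
        if part:
            addrs.append(ipaddress.ip_address(part))
    return addrs


def leftmost_client_ip(header_value: str):
    """Reading of the header as 'first entry is the client'. Correct for a
    well-behaved chain, but the first entry is whatever the original sender
    chose to put there, so it is forgeable."""
    addrs = parse_xff(header_value)
    return addrs[0] if addrs else None


def client_ip_behind_trusted_proxies(header_value: str, trusted: Iterable[str]):
    """Walk the chain from the right, discarding hops that are our own proxies,
    and return the first entry that was appended by a proxy we trust. This is
    the same idea Tomcat's RemoteIpValve applies with its trusted/internal
    proxy lists. Returns None if every entry is one of our proxies, in which
    case the caller should fall back to the TCP peer address."""
    trusted_set = {ipaddress.ip_address(t.strip()) for t in trusted}
    for addr in reversed(parse_xff(header_value)):
        if addr not in trusted_set:
            return addr
    return None


def is_allowed(addr, allowlist: Iterable[str]) -> bool:
    """True if addr falls inside any allowlist entry. Single addresses are
    treated as /32 (or /128) networks; address families must match."""
    for entry in allowlist:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def websudo_allowlist_check(header_value: str,
                            allowlist: Iterable[str] = ALLOWLIST,
                            trusted: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """Decision as a defender would want it: derive the client address from the
    trusted-proxy-aware walk, then match it against the allowlist."""
    client = client_ip_behind_trusted_proxies(header_value, trusted)
    return client is not None and is_allowed(client, allowlist)


if __name__ == "__main__":
    # A sender who prepends an allowlisted address to the header it sends.
    forged = "192.0.2.10, " + SAMPLE_XFF
    print("naive single literal:", single_literal_or_none(SAMPLE_XFF))
    print("leftmost:", leftmost_client_ip(forged))
    print("trusted-proxy aware:", client_ip_behind_trusted_proxies(forged, TRUSTED_PROXIES))
    print("allowed:", websudo_allowlist_check(SAMPLE_XFF))
```

The difference between the two client-selection strategies is the part worth keeping in mind when the allowlist is meant to protect the administration console: a parser that splits the header correctly but still trusts the leftmost entry will accept any address the sender chooses to write there, whereas walking in from the right and stopping at the first address not belonging to a proxy you operate yields the address that your own proxy actually observed.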
Steps to Reproduce
Configure the allowlist according to the documentation and try to access Jira from behind a proxy that appends its own IP to the X-Forwarded-For header alongside the client's.
Expected Results
Jira should successfully parse the HTTP header content, extract the client IP and compare it against the configured allowlist.
Actual Results
If the mentioned HTTP header contains multiple IPs, parsing fails and you will not be able to access the administration pages protected by websudo (even if your address is included in the allowlist).
The following exception is logged in the atlassian-jira.log file:
2024-05-16 11:47:44,382+0200 http-nio-8081-exec-9 ERROR jira_admin 707x137x1 1mnm50 203.0.113.195,198.51.100.178,127.0.0.1 /secure/admin/WebSudoAuthenticate.jspa [c.a.j.w.c.admin.websudo.WebSudoIPAllowListManager] Exception while reading IP address 203.0.113.195,198.51.100.178 read from header X-Forwarded-For
java.lang.IllegalArgumentException: '203.0.113.195,198.51.100.178' is not an IP string literal.
    at com.atlassian.ip.InetAddresses.forString(InetAddresses.java:64)
    at com.atlassian.ip.IPMatcher.matches(IPMatcher.java:46)
    at com.atlassian.jira.web.component.admin.websudo.WebSudoIPAllowListManager.isAllowed(WebSudoIPAllowListManager.java:79)
    at com.atlassian.jira.web.action.admin.WebSudoAuthenticate.doValidation(WebSudoAuthenticate.java:137)
Workaround
You could reconfigure your proxy so that it does not add its own IP to the HTTP header (keeping only the client IP there).
Alternatively, you could use another custom HTTP header (set via the server.tomcat.remoteip.remote-ip-header configuration property in the jira-config.properties file) to supply the client IP for websudo allowlist verification.