Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Apache reverse proxy 403 on POST

s
s October 17, 2013

I am trying to get Jira and Stash to talk to each other via a Trusted Application link. The setup, currently, looks like this:

Jira -> http -> Jira Proxy -https-> stash proxy -http-> stash.

Jira and the Jira proxy are on the same machine.

The Jira Proxy is showing 403 Forbidden for POST requests from the stash server. It works (or seems to ) for everything else. I contend that since we're seeing 403 forbiddens in the access log for apache, Jira is never seeing the request.

Why is apache forbidding posts,and how do I fix it?

Note that the IPs for both Stash and the Stash Proxy are in the "trusted host" section.

My config:

ErrorLog "|/usr/sbin/rotatelogs /var/log/apache2/error.log 86400"

LogLevel info
CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 86400" common 

ServerSignature off
ServerTokens prod

Listen 8443

<VirtualHost *:443>

	ServerName jira.company.com

	SSLEngine on
	SSLOptions +StrictRequire
	SSLCertificateFile /etc/ssl/certs/server.cer
	SSLCertificateKeyFile /etc/ssl/private/server.key
	SSLProtocol +SSLv3 +TLSv1
	SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA

	# If context path is not "/wiki", then send to /jira.
	RedirectMatch 301 ^/$ https://jira.company.com/jira
	RedirectMatch 301 ^/gsd(.*)$ https://jira.company.com/jira$1
	
	ProxyRequests On
        ProxyPreserveHost On
        ProxyVia On
	ProxyPass /jira http://localhost:8080/jira
	ProxyPassReverse /jira http://localhost:8080/jira

	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>

	RewriteEngine on
        RewriteLog "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
	# Disable TRACE/TRACK requests, per security.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

	DocumentRoot /var/www
        DirectoryIndex index.html
	<Directory /var/www>
		Options FollowSymLinks
		AllowOverride None
		Order deny,allow
		Allow from all
	</Directory>

	<LocationMatch "/">
               Order deny,allow
               Deny from all
    		allow from x.x.71.8
    		allow from x.x.8.123
    		allow from x.x.120.179
    		allow from x.x.120.73
    		allow from x.x.120.45
    		satisfy any
    		SetEnvif Remote_Addr "x.x.71.8" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.8.123" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.120.179" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.120.73" TRUSTED_HOST
    		SetEnvif Remote_Addr "x.x.120.45" TRUSTED_HOST
	</LocationMatch>

	<LocationMatch ^>
                SSLRequireSSL
                AuthType CompanyNet
                PubcookieInactiveExpire -1
                PubcookieAppID jira.company.com
                require valid-user
                RequestHeader set userid %{REMOTE_USER}s
        </LocationMatch>
</VirtualHost>

# Port open for SSL, non-pubcookie access.  Used to access APIs with Basic Auth.
<VirtualHost *:8443>

        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.cer
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLProtocol +SSLv3 +TLSv1
        SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA

        ProxyRequests On
        ProxyPreserveHost On
        ProxyVia On
        ProxyPass /jira http://localhost:8080/jira
        ProxyPassReverse /jira http://localhost:8080/jira

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        RewriteEngine on
        RewriteLog "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
        # Disable TRACE/TRACK requests, per security.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        DocumentRoot /var/www
        DirectoryIndex index.html
        <Directory /var/www>
                Options FollowSymLinks
                AllowOverride None
                Order deny,allow
                Allow from all
        </Directory>
</VirtualHost>

<VirtualHost jira.company.com:80>
        ServerName jira.company.com
        RedirectMatch 301 /(.*)$ https://jira.company.com/$1
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:80>
        ServerName go.company.com
        RedirectMatch 301 /(.*)$ https://jira.company.com/$1
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

Answer
Watch
Like Be the first to like this
2333 views

1 answer

0 votes
Tiago Comasseto
Tiago Comasseto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 17, 2013

Hi Sean,

In case both applications are on the same network I usually set the application to the direct address and just edit the application link configuration and modify the Display URL to use the proxied URL.

This way the cross-application communication is done bypassing the proxy and the URL that is displayed to the end user is the proxied URL, this usually avoid problems and the final result is the same.

Cheers

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.