Apache reverse proxy POST 403

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by qkslvrwolf on Server Fault See other posts from Server Fault or by qkslvrwolf
Published on 2013-10-18T15:00:12Z Indexed on 2013/10/18 15:56 UTC
Read the original article Hit count: 434

Filed under:
|
|
|

I am trying to get Jira and Stash to talk to each other via a Trusted Application link. The setup, currently, looks like this:

Jira -> http -> Jira Proxy -https-> stash proxy -http-> stash.

Jira and the Jira proxy are on the same machine.

The Jira Proxy is showing 403 Forbidden for POST requests from the stash server. It works (or seems to ) for everything else. I contend that since we're seeing 403 forbiddens in the access log for apache, Jira is never seeing the request.

Why is apache forbidding posts,and how do I fix it?

Note that the IPs for both Stash and the Stash Proxy are in the "trusted host" section.

My config:

LogLevel info
CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.log 86400" common 

ServerSignature off
ServerTokens prod

Listen 8443

<VirtualHost *:443>

    ServerName jira.company.com

    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.cer
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLProtocol +SSLv3 +TLSv1
    SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA

    # If context path is not "/wiki", then send to /jira.
    RedirectMatch 301 ^/$ https://jira.company.com/jira
    RedirectMatch 301 ^/gsd(.*)$ https://jira.company.com/jira$1

    ProxyRequests On
        ProxyPreserveHost On
        ProxyVia On
    ProxyPass /jira http://localhost:8080/jira
    ProxyPassReverse /jira http://localhost:8080/jira

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    RewriteEngine on
        RewriteLog "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
    # Disable TRACE/TRACK requests, per security.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

    DocumentRoot /var/www
        DirectoryIndex index.html
    <Directory /var/www>
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Allow from all
    </Directory>

    <LocationMatch "/">
               Order deny,allow
               Deny from all
            allow from x.x.71.8
            allow from x.x.8.123
            allow from x.x.120.179
            allow from x.x.120.73
            allow from x.x.120.45
            satisfy any
            SetEnvif Remote_Addr "x.x.71.8" TRUSTED_HOST
            SetEnvif Remote_Addr "x.x.8.123" TRUSTED_HOST
            SetEnvif Remote_Addr "x.x.120.179" TRUSTED_HOST
            SetEnvif Remote_Addr "x.x.120.73" TRUSTED_HOST
            SetEnvif Remote_Addr "x.x.120.45" TRUSTED_HOST
    </LocationMatch>

    <LocationMatch ^>
                SSLRequireSSL
                AuthType CompanyNet
                PubcookieInactiveExpire -1
                PubcookieAppID jira.company.com
                require valid-user
                RequestHeader set userid %{REMOTE_USER}s
        </LocationMatch>
</VirtualHost>

# Port open for SSL, non-pubcookie access.  Used to access APIs with Basic Auth.
<VirtualHost *:8443>

        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.cer
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLProtocol +SSLv3 +TLSv1
        SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA

        ProxyRequests On
        ProxyPreserveHost On
        ProxyVia On
        ProxyPass /jira http://localhost:8080/jira
        ProxyPassReverse /jira http://localhost:8080/jira

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        RewriteEngine on
        RewriteLog "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
        # Disable TRACE/TRACK requests, per security.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        DocumentRoot /var/www
        DirectoryIndex index.html
        <Directory /var/www>
                Options FollowSymLinks
                AllowOverride None
                Order deny,allow
                Allow from all
        </Directory>
</VirtualHost>

<VirtualHost jira.company.com:80>
        ServerName jira.company.com
        RedirectMatch 301 /(.*)$ https://jira.company.com/$1
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:80>
        ServerName go.company.com
        RedirectMatch 301 /(.*)$ https://jira.company.com/$1
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about apache2

Related posts about reverse-proxy

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle