In my previous post I explained how to set up your Atlassian applications behind a proxy server.
One of the benefits I didn’t mention is that, as your usage grows, you can move one (or more) of the applications onto their own servers: get the application set up on the new server, then change the ProxyPass and ProxyPassReverse settings in your Apache config file to point to the new server's IP instead of “localhost” for the application in question.
However, if you are using Crowd for your centralized authentication and SSO, you may find that logging into the application you moved becomes a little, shall we say, “quirky”? The best way to explain what you’ll see, and how to fix it, is by way of an example.
Let’s say you had JIRA, Confluence and Crowd all installed on one server as described in my previous post. As part of the Crowd setup for JIRA and Confluence, you will have set up a “crowd.properties” file to tell each application where to authenticate. The default setting in that file is “http://localhost:8095/crowd/services” and we’ll assume you left it that way for both JIRA and Confluence.
As you get more and more users up and running, you’ve decided that JIRA needs its own server to handle the load, so you move it to another server and modify the ProxyPass settings to point to the right location. When you were setting up JIRA on the new server, you were smart and remembered that a localhost URL for Crowd wouldn’t work anymore, so you changed the JIRA “crowd.properties” file to point to “http://your.server.name/crowd/services”. All seems to be well with the world. You can still log in to JIRA, so the Crowd integration seems to be working. You browse over to Confluence and you hit a login screen. What’s this? A login screen? So, you log in to Confluence using the same credentials - hmm, it seems to work. You browse back to JIRA and you hit another login screen. What in the world is going on?
You’ve entered the netherworld of “Trusted Proxy Servers” (bum BUM BUM BUUUMMMMM)!!!
If you were to log in to the Crowd Administration Console, go to the Administration tab and click the “Trusted Proxy Servers” section, you’ll see a list of IPs and a text box to allow you to add more. The only IP in the system at the moment is likely “127.0.0.1”. The reason you are not staying logged in between JIRA and Confluence now is that when you log in from JIRA, the request is coming from the new JIRA server via the Apache proxy. The IP being associated with the session is the public IP of your Apache instance, not the 127.0.0.1 “localhost” IP that Confluence registers when it talks to Crowd directly on port 8095.
If you find the public IP of your Apache instance and put it here in Trusted Proxy Servers, you will find that everything magically works again! If you are having trouble, I recommend turning the logging on “root” and “com.atlassian.crowd” to ALL, browsing to JIRA or Confluence after logging into the other, and then looking in the logs - you’ll see something about the session tokens “not matching” and the IP address being registered will be right there in the logs. Just don’t forget to turn the logging back to INFO when you’re done - no sense running out of disk space in about 15 minutes…
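To see why one extra entry in Trusted Proxy Servers makes the two logins agree, here is a simplified model of an IP-bound session token. It is an added example, not Crowd's own code: the function names, the HMAC token format and all addresses are constructed, and it assumes that a trusted proxy's X-Forwarded-For value is used in place of the proxy's own address.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"  # constructed value, used only by this model


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Return the address the session is bound to.

    X-Forwarded-For is honoured only when the direct peer is a trusted
    proxy; otherwise the peer address itself is used.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) in trusted and x_forwarded_for:
        # The right-most entry is the one appended by the nearest proxy.
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


def session_token(user, peer_ip, x_forwarded_for, trusted_proxies):
    """Derive a token bound to the user and the resolved client address."""
    client = resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies)
    msg = f"{user}|{client}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sso_matches(trusted_proxies):
    """Compare the tokens derived for one browser via each application."""
    browser = "198.51.100.7"        # constructed client address
    apache_public = "203.0.113.10"  # constructed public IP of the Apache host
    # JIRA (on its own server) sees the request arrive from Apache's public IP.
    jira = session_token("alice", apache_public, browser, trusted_proxies)
    # Confluence (same host as Apache) sees it arrive from localhost.
    confluence = session_token("alice", "127.0.0.1", browser, trusted_proxies)
    return hmac.compare_digest(jira, confluence)


if __name__ == "__main__":
    print("only 127.0.0.1 trusted:", sso_matches(["127.0.0.1"]))
    print("Apache public IP added:", sso_matches(["127.0.0.1", "203.0.113.10"]))
```

In this model any address on the trusted list can assert whatever client address it likes, so the list should contain only the proxy itself, not a whole subnet.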