This project implements a set of plugins for authenticating users through Cloudflare Access on Atlassian products.
Currently supported products are:
- JIRA >= 7.2
- Confluence >= 6.x
- Bitbucket >= 6.x
These instructions apply to all supported Atlassian products installed locally.
- Download the product plugin from Releases
- Log in to the Atlassian application as an administrator
- Go to Manage add-ons on the administration page or menu
- Select Upload add-on and upload the JAR you downloaded
- Go to the System configuration or administration page
- Go to the Cloudflare Access menu on the left side menu
- Set up your Cloudflare Access and server details
If you are using Application Links like JIRA + Bitbucket or JIRA + Confluence, you need to set up the Bypassing Reverse Proxy application link layout.
- Set up one additional unproxied connector in both applications as explained here. Note that this connector should not be secured by Cloudflare Access.
- Set up the application link following this KB
- When creating the link with applications already behind Access, you will receive a warning asking to replace the URL as it redirected once. When this happens, just replace the URL in the field with the unsecured URL.
- Home Directory: JIRA Confluence Bitbucket
Symptoms:
- No user, not even the administrator, is able to access the Atlassian application, even when authenticated on Cloudflare Access
Cause:
- Plugin misconfiguration on the Atlassian application; OR
- Changes to the Cloudflare Access configuration
Solution:
Restart the application with the cloudflareAccessPlugin.filters.disabled flag set to true and verify the plugin configuration against the Cloudflare Access configuration.
To change the flag, include the following in your system JAVA_OPTS environment variable:
-DcloudflareAccessPlugin.filters.disabled=true
After updating your system JAVA_OPTS, restart the Atlassian application. You will be able to log in with your application credentials and verify the configuration.
After verifying the configuration you should remove the flag and restart the application.
Symptoms:
- Plugin installation progress stuck
Cause:
Most likely you have a reverse proxy in front of the application with a small limit for uploading files.
Solution:
Check the browser network panel while uploading the plugin, looking for 4xx HTTP errors.
If you see an HTTP 413, you need to increase the upload file size limit on your reverse proxy.
For NGINX see this.
Symptoms:
- System Dashboard page is empty
- User profile page displays an error message on the Activity Stream gadget
Cause:
JIRA requests some URLs internally through HTTP. With Access in front, these requests require authentication, but JIRA does not provide any means of passing authentication for them.
Solution:
Go to your Cloudflare Access configuration and create a policy to bypass requests containing /rest/gadgets/. For example:
If your main policy path is /jira, you should create a new one setting the path as /jira/rest/gadgets/ and containing a bypass policy for everyone.
Requests under this path are then not authenticated by Access, so keep the bypass limited to this path.
Symptoms:
- Some macros display a title or description with text starting with __MSG_xxxx
Cause:
Very likely the macros plugin was unable to load the proper message bundles and cached the texts with placeholders.
Solution:
- Go to the Confluence Administration page
- Go to Cache Management
- Clear all caches whose name contains "Macro" or "Gadget"
Symptoms:
- Some images/css/js are not loaded properly
- You are seeing messages similar to this in the log:
2015-09-01 17:25:46.530585500 2015-09-01 07:25:46,530 ajp-nio-127.0.0.104-8009-exec-23 WARN anonymous 1045x1465x1 sibktb 127.0.0.1 /rest/auth/latest/session [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://example.domain/rest/auth/latest/session , origin: https://another-origin.domain , referrer: null , credentials in request: true , allowed via CORS: false}}
Cause:
REST calls are protected against Cross Site Request Forgery (CSRF), and because requests are proxied through Cloudflare, the REST calls fail with messages like the one above on Atlassian products.
Solution:
Please refer to the following links for more details and how to fix this problem on your server:
- Cross Site Request Forgery (CSRF) protection changes in Atlassian REST
- Unable to create issue after upgrading to JIRA 7
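To see which origins are being rejected before changing the proxy, the warning quoted above can be parsed and grouped. This is an added example, not part of the plugin; the regular expression is derived only from the log line on this page, and the reason labels are this script's own comparison of the logged request URL and origin, not Atlassian's check.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the XsrfResourceFilter warning in the format quoted above.
XSRF_RE = re.compile(
    r"XsrfResourceFilter\] Additional XSRF checks failed for request: (?P<request>\S+)"
    r" , origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+)"
    r" , credentials in request: (?P<creds>true|false)"
    r" , allowed via CORS: (?P<cors>true|false)"
)

def site(url):
    """Return (scheme, host, port) for a URL, or None when the log shows 'null'."""
    if url == "null":
        return None
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or {"http": 80, "https": 443}.get(parts.scheme))

def classify(line):
    """Return (path, origin, reason) for an XSRF failure line, or None for other lines."""
    m = XSRF_RE.search(line)
    if not m:
        return None
    req, origin = site(m["request"]), site(m["origin"])
    if origin is None:
        reason = "no-origin"
    elif origin[1] != req[1]:
        reason = "host-mismatch"
    elif origin[0] != req[0]:
        reason = "scheme-mismatch"
    elif origin[2] != req[2]:
        reason = "port-mismatch"
    else:
        reason = "same-origin"
    return (urlsplit(m["request"]).path, m["origin"], reason)

def summarize(lines):
    """Count failures per (origin, reason); the top entries show what the proxy must fix."""
    return Counter(r[1:] for r in map(classify, lines) if r)

# Constructed sample: line 1 is the message from this page with its prefix shortened; the others are made up.
SAMPLE = [
    "WARN anonymous /rest/auth/latest/session [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://example.domain/rest/auth/latest/session , origin: https://another-origin.domain , referrer: null , credentials in request: true , allowed via CORS: false}}",
    "WARN anonymous /rest/api/2/issue [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: http://example.domain/rest/api/2/issue , origin: https://example.domain , referrer: https://example.domain/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false",
    "INFO admin /rest/api/2/serverInfo request served",
]

if __name__ == "__main__":
    for (origin, reason), count in summarize(SAMPLE).most_common():
        print(f"{count:4d}  {reason:16s} {origin}")
```

A host-mismatch entry points at the application's base URL or proxy host settings, while a scheme-mismatch entry means the application sees http where the browser used https.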
The atlas-run command currently does not copy the scheme defined on the base Tomcat when starting the application.
The solution is to configure the local proxy (Nginx/Apache) to set the Origin header with a URL like http://<Your testing domain>
This also leads to other CSRF checks where content is not returned; in that case it is best to install and manage the Atlassian product manually.
Install the Atlassian SDK following instructions on Set up the Atlassian Plugin SDK and build a project.
To build the modules common and base-plugin:
atlas-mvn clean package -PnoProduct
To build all modules:
atlas-mvn clean package
The images below are available on Docker hub for development and testing.
These images are configured to:
- Setup the context path on Tomcat
- Create a secondary connector to enable application links
These images do not have the plugin installed; it should be installed/updated after starting them.
I recommend having a reverse proxy in front of the Atlassian containers, with distinct paths forwarding to JIRA, Confluence and Bitbucket.
Sample NGINX configuration:
server {
    listen 80 default_server;
    server_name <yourservename.com>;

    location /jira {
        proxy_pass http://localhost:8080/jira;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /confluence {
        proxy_pass http://localhost:8090/confluence;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /bitbucket {
        proxy_pass http://localhost:7990/bitbucket;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
- Start the desired Atlassian application container (JIRA, Confluence, Bitbucket)
- Download product plugin from Releases
- Follow the installation instructions