Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

reverse proxy authentication header is processed by confluence

Leo Sanin
Leo Sanin July 11, 2011

Hello,
we have a confluence 3.5 installation that works fine, if accessed directly; login via html form.

We are now trying to access it via apache reverse proxy. We would like login for confluence to be independent (via html form) from the login to reverse proxy (basic auth). What happens, though, is that confluence is trying to process (unsuccessfully) the basic auth header from the reverse proxy, and the user gets 401. In confluence log I see these messages:

2011-07-08 15:33:18,582 INFO [http-8081-30] [confluence.security.login.DefaultLoginManager] onFailedLoginAttempt
Failed login attempt for user 'user1@unhcr.org':
Request URL: http://10.9.36.50:8081/confluence/
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Remote Address: 193.134.136.78
X-Forwarded-For: 193.134.136.246

We don't want to touch anything in the reverse proxy, or tomcat (as there are other applications running under it); is it possible to do something inside the confluence installation to force it to ignore the authentication request from the reverse proxy?

Thanks,
Leo.

Answer
Watch
Like Be the first to like this
2956 views

2 answers

0 votes
BCCHR IT
BCCHR IT June 14, 2016

This is super freaking old thread, but for anyone else who's come here with this issue. The work around is to unset the Authorization header when using Apache2 as a reverse proxy.

RequestHeader unset Authorization

The same can be done with NGiNX

proxy_set_header Authorization "";

This works great and solves the issue.

However, if your confluence installation allows anonymous access, and the authentication used with NGiNX/Apache2 isn't the same as Confluence. You'll run into pop-ups for specific elements.

For instance the following link "rest/mywork/latest/status/notification/new"

<status>
<status-code>401</status-code>
<message>
Client must be authenticated to access this resource.
</message>
</status>
Reply
0 votes
twong_atlassian
twong_atlassian
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 13, 2011

Could you simply use mod_headers in the vhost definition to strip the auth header before processing the proxy pass?

http://httpd.apache.org/docs/2.0/mod/mod_headers.html

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events