Error creating project, XSRF check failed on Jira


  • Service Provider

    Getting this error on a new install of Jira. The Jira server runs on its own VM, served over port 8080, no SSL. In front of it is an Nginx reverse proxy that handles all of the SSL for it. This error appears to be related to the handling of the reverse proxy, but I cannot find a configuration that works. Has anyone seen this error and had luck getting Nginx working in front of Jira?


  • Service Provider

    Here is the server.xml file.

    <?xml version="1.0" encoding="utf-8"?>
    <Server port="8005" shutdown="SHUTDOWN">
        <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
        <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
        <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
        <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
        <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
    
        <Service name="Catalina">
            <!--
             ==============================================================================================================
             DEFAULT - Direct connector with no proxy for unproxied access to Jira.
    
             If using a http/https proxy, comment out this connector.
             ==============================================================================================================
            -->
    
            <!-- <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                       maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                       acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/> -->
    
            <!--
             ==============================================================================================================
             HTTP - Proxying Jira via Apache or Nginx over HTTP
    
             If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
             Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
    
             See the following for more information:
    
                Apache - https://confluence.atlassian.com/x/4xQLM
                nginx  - https://confluence.atlassian.com/x/DAFmGQ
             ==============================================================================================================
            -->
    
            <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                       maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                       acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
                       proxyName="MY FQDN" proxyPort="80"/>
    	
            <!--
             ==============================================================================================================
             HTTPS - Proxying Jira via Apache or Nginx over HTTPS
    
             If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
             Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
    
             See the following for more information:
    
                Apache - https://confluence.atlassian.com/x/PTT3MQ
                nginx  - https://confluence.atlassian.com/x/DAFmGQ
             ==============================================================================================================
            -->
    <!--
            <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                       maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                       acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                       proxyName="jira.example.com" proxyPort="443"/>
    -->
            <!--
             ==============================================================================================================
             AJP - Proxying Jira via Apache over HTTP or HTTPS
             
             If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
             See the following for more information:
    
                Apache - https://confluence.atlassian.com/x/QiJ9MQ
             ==============================================================================================================
            -->
    
            <!--
            <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
            -->
    
            <Engine name="Catalina" defaultHost="localhost">
                <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    
                    <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                        <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                                  factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                        <Manager pathname=""/>
                        <JarScanner scanManifest="false"/>
                    </Context>
    
                </Host>
                <Valve className="org.apache.catalina.valves.AccessLogValve"
                       pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
            </Engine>
        </Service>
    </Server>
    

  • Service Provider

    I believe that I have the correct sections commented out, and the correct section uncommented. Seems all correct.


  • Service Provider

    And here is my Nginx Conf file.

    server {
        client_max_body_size 80M;
        server_name fqdn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_redirect off;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
    	proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://jiraIP:8080/;
            proxy_redirect off;
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    	proxy_pass_request_headers on;
        }
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        listen 80;
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/fqdn/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/fqdn/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    

  • Service Provider

    0_1536216957660_Screenshot from 2018-09-06 01-55-47.png




  • Service Provider



  • Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?


  • Service Provider

    @kelly said in Error creating project, XSRF check failed on Jira:

    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

    That’s what he described. Pretty standard reverse proxy config.


  • Service Provider

    @scottalanmiller it sounds like Jira needs a setting to trust the proxy.


  • Service Provider

    @kelly said in Error creating project, XSRF check failed on Jira:

    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

    Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.



  • @scottalanmiller said in Error creating project, XSRF check failed on Jira:

    @kelly said in Error creating project, XSRF check failed on Jira:

    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

    Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

    Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.


  • Service Provider

    @kelly said in Error creating project, XSRF check failed on Jira:

    @scottalanmiller said in Error creating project, XSRF check failed on Jira:

    @kelly said in Error creating project, XSRF check failed on Jira:

    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

    Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

    Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

    Yeah, reading their description, versus what the config file details are, they don't seem to match up. I did try both connectors, though, and neither worked. But I agree that the lower one with port 443 that is currently commented out makes way more sense to be the right one. I'll switch back to that.



  • Welcome to Jira https. I did this awhile ago but not using a proxy.
    Never understood their fascination with using ports other than 80 and 443.
    On the jira server, what is
    ss -atun showing?

    I think the redirectPort=8443 option is causing this issue. This option is present in both connector options, and you arent using it.



  • @scottalanmiller said in Error creating project, XSRF check failed on Jira:

    @kelly said in Error creating project, XSRF check failed on Jira:

    @scottalanmiller said in Error creating project, XSRF check failed on Jira:

    @kelly said in Error creating project, XSRF check failed on Jira:

    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

    Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

    Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

    Yeah, reading their description, versus what the config file details are, they don't seem to match up.

    That drives me batty.


  • Service Provider

    @momurda said in Error creating project, XSRF check failed on Jira:

    Welcome to Jira https. I did this awhile ago but not using a proxy.
    Never understood their fascination with using ports other than 80 and 443.
    On the jira server, what is
    ss -atun showing?

    I think the redirectPort=8443 option is causing this issue. This option is present in both connector options, and you arent using it.

    You win the internet (for me at least) today. This was it.


  • Service Provider

    @kelly said in Error creating project, XSRF check failed on Jira:

    @scottalanmiller said in Error creating project, XSRF check failed on Jira:

    @kelly said in Error creating project, XSRF check failed on Jira:

    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

    Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

    Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

    This mattered too, but I had been using both configs and neither worked. It was removing 8443 that did it.


  • Service Provider

    For those coming along later, here is the exact server.xml that works:

    <?xml version="1.0" encoding="utf-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at
    
          http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <Server port="8005" shutdown="SHUTDOWN">
        <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
        <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
        <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
        <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
        <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
    
        <Service name="Catalina">
            <!--
             ==============================================================================================================
             DEFAULT - Direct connector with no proxy for unproxied access to Jira.
    
             If using a http/https proxy, comment out this connector.
             ==============================================================================================================
            -->
    
            <!-- <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                       maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                       acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/> -->
    
            <!--
             ==============================================================================================================
             HTTP - Proxying Jira via Apache or Nginx over HTTP
    
             If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
             Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
    
             See the following for more information:
    
                Apache - https://confluence.atlassian.com/x/4xQLM
                nginx  - https://confluence.atlassian.com/x/DAFmGQ
             ==============================================================================================================
            -->
    <!--
            <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                       maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                       acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
                       proxyName="jira.a-closer-look.com" proxyPort="80"/>
    -->	
            <!--
             ==============================================================================================================
             HTTPS - Proxying Jira via Apache or Nginx over HTTPS
    
             If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
             Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
    
             See the following for more information:
    
                Apache - https://confluence.atlassian.com/x/PTT3MQ
                nginx  - https://confluence.atlassian.com/x/DAFmGQ
             ==============================================================================================================
            -->
    
            <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                       maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" 
                       acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                       proxyName="jira.a-closer-look.com" proxyPort="443"/>
    
            <!--
             ==============================================================================================================
             AJP - Proxying Jira via Apache over HTTP or HTTPS
             
             If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
             See the following for more information:
    
                Apache - https://confluence.atlassian.com/x/QiJ9MQ
             ==============================================================================================================
            -->
    
            <!--
            <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
            -->
    
            <Engine name="Catalina" defaultHost="localhost">
                <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    
                    <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                        <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                                  factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                        <Manager pathname=""/>
                        <JarScanner scanManifest="false"/>
                    </Context>
    
                </Host>
                <Valve className="org.apache.catalina.valves.AccessLogValve"
                       pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
            </Engine>
        </Service>
    </Server>