    Solved Error creating project, XSRF check failed on Jira

    • scottalanmillerS
      scottalanmiller
      last edited by

      Getting this error on a new install of Jira. The Jira server runs on its own VM, served over port 8080, no SSL. In front of it is an Nginx reverse proxy that handles all of the SSL for it. This error appears to be related to the handling of the reverse proxy, but I cannot find a configuration that works. Has anyone seen this error and had luck getting Nginx working in front of Jira?

      • momurdaM
        momurda
        last edited by momurda

        Welcome to Jira https. I did this awhile ago but not using a proxy.
        Never understood their fascination with using ports other than 80 and 443.
        On the jira server, what is
        ss -atun showing?

        I think the redirectPort=8443 option is causing this issue. This option is present in both connector options, and you aren't using it.

        • scottalanmillerS
          scottalanmiller
          last edited by scottalanmiller

          Here is the server.xml file.

          <?xml version="1.0" encoding="utf-8"?>
          <Server port="8005" shutdown="SHUTDOWN">
              <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
              <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
              <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
              <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
              <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
          
              <Service name="Catalina">
                  <!--
                   ==============================================================================================================
                   DEFAULT - Direct connector with no proxy for unproxied access to Jira.
          
                   If using a http/https proxy, comment out this connector.
                   ==============================================================================================================
                  -->
          
                  <!-- <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                             maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                             acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/> -->
          
                  <!--
                   ==============================================================================================================
                   HTTP - Proxying Jira via Apache or Nginx over HTTP
          
                   If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
                   Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
          
                   See the following for more information:
          
                      Apache - https://confluence.atlassian.com/x/4xQLM
                      nginx  - https://confluence.atlassian.com/x/DAFmGQ
                   ==============================================================================================================
                  -->
          
                  <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                             maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                             acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
                             proxyName="MY FQDN" proxyPort="80"/>
          	
                  <!--
                   ==============================================================================================================
                   HTTPS - Proxying Jira via Apache or Nginx over HTTPS
          
                   If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
                   Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
          
                   See the following for more information:
          
                      Apache - https://confluence.atlassian.com/x/PTT3MQ
                      nginx  - https://confluence.atlassian.com/x/DAFmGQ
                   ==============================================================================================================
                  -->
          <!--
                  <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                             maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                             acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                             proxyName="jira.example.com" proxyPort="443"/>
          -->
                  <!--
                   ==============================================================================================================
                   AJP - Proxying Jira via Apache over HTTP or HTTPS
                   
                   If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
                   See the following for more information:
          
                      Apache - https://confluence.atlassian.com/x/QiJ9MQ
                   ==============================================================================================================
                  -->
          
                  <!--
                  <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
                  -->
          
                  <Engine name="Catalina" defaultHost="localhost">
                      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
          
                          <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                              <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                                        factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                              <Manager pathname=""/>
                              <JarScanner scanManifest="false"/>
                          </Context>
          
                      </Host>
                      <Valve className="org.apache.catalina.valves.AccessLogValve"
                             pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
                  </Engine>
              </Service>
          </Server>
          
          • scottalanmillerS
            scottalanmiller
            last edited by

            I believe that I have the correct sections commented out, and the correct section uncommented. Seems all correct.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller
              last edited by

              And here is my Nginx Conf file.

              server {
                  client_max_body_size 80M;
                  server_name fqdn;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header Host $http_host;
                  proxy_set_header X-NginX-Proxy true;
                  proxy_redirect off;
                  location / {
                      proxy_set_header X-Real-IP $remote_addr;
                      proxy_set_header X-Forwarded-Host $host;
                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                      proxy_set_header X-NginX-Proxy true;
                      proxy_pass http://jiraIP:8080/;
                      proxy_redirect off;
                      # Socket.IO Support
                      proxy_http_version 1.1;
                      proxy_set_header Upgrade $http_upgrade;
                      proxy_set_header Connection "upgrade";
                      proxy_pass_request_headers on;
                  }
                  ssl_stapling on;
                  ssl_stapling_verify on;
                  ssl_session_cache shared:SSL:10m;
                  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
              
                  listen 80;
              
                  listen 443 ssl; # managed by Certbot
                  ssl_certificate /etc/letsencrypt/live/fqdn/fullchain.pem; # managed by Certbot
                  ssl_certificate_key /etc/letsencrypt/live/fqdn/privkey.pem; # managed by Certbot
                  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
              }
              
              • scottalanmillerS
                scottalanmiller
                last edited by

                0_1536216957660_Screenshot from 2018-09-06 01-55-47.png

                • A
                  Alex Sage
                  last edited by

                  https://confluence.atlassian.com/jirakb/integrating-jira-with-nginx-426115340.html

                  • scottalanmillerS
                    scottalanmiller @Alex Sage
                    last edited by

                    @aaronstuder said in Error creating project, XSRF check failed on Jira:

                    https://confluence.atlassian.com/jirakb/integrating-jira-with-nginx-426115340.html

                    Yeah, so far that's been pretty useless.

                    • KellyK
                      Kelly
                      last edited by

                      Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                      • JaredBuschJ
                        JaredBusch @Kelly
                        last edited by

                        @kelly said in Error creating project, XSRF check failed on Jira:

                        Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                        That’s what he described. Pretty standard reverse proxy config.

                        • JaredBuschJ
                          JaredBusch
                          last edited by

                          @scottalanmiller it sounds like Jira needs a setting to trust the proxy.

                          • scottalanmillerS
                            scottalanmiller @Kelly
                            last edited by

                            @kelly said in Error creating project, XSRF check failed on Jira:

                            Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                            Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

                            • KellyK
                              Kelly @scottalanmiller
                              last edited by

                              @scottalanmiller said in Error creating project, XSRF check failed on Jira:

                              @kelly said in Error creating project, XSRF check failed on Jira:

                              Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                              Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

                              Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

                              • scottalanmillerS
                                scottalanmiller @Kelly
                                last edited by

                                @kelly said in Error creating project, XSRF check failed on Jira:

                                @scottalanmiller said in Error creating project, XSRF check failed on Jira:

                                @kelly said in Error creating project, XSRF check failed on Jira:

                                Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                                Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

                                Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

                                Yeah, reading their description, versus what the config file details are, they don't seem to match up. I did try both connectors, though, and neither worked. But I agree that the lower one with port 443 that is currently commented out makes way more sense to be the right one. I'll switch back to that.

                                  • travisdh1T
                                    travisdh1 @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Error creating project, XSRF check failed on Jira:

                                    @kelly said in Error creating project, XSRF check failed on Jira:

                                    @scottalanmiller said in Error creating project, XSRF check failed on Jira:

                                    @kelly said in Error creating project, XSRF check failed on Jira:

                                    Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                                    Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

                                    Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

                                    Yeah, reading their description, versus what the config file details are, they don't seem to match up.

                                    That drives me batty.

                                    • scottalanmillerS
                                      scottalanmiller @momurda
                                      last edited by

                                      @momurda said in Error creating project, XSRF check failed on Jira:

                                      Welcome to Jira https. I did this awhile ago but not using a proxy.
                                      Never understood their fascination with using ports other than 80 and 443.
                                      On the jira server, what is
                                      ss -atun showing?

                                      I think the redirectPort=8443 option is causing this issue. This option is present in both connector options, and you aren't using it.

                                      You win the internet (for me at least) today. This was it.

                                      • scottalanmillerS
                                        scottalanmiller @Kelly
                                        last edited by

                                        @kelly said in Error creating project, XSRF check failed on Jira:

                                        @scottalanmiller said in Error creating project, XSRF check failed on Jira:

                                        @kelly said in Error creating project, XSRF check failed on Jira:

                                        Just to be clear you're trying to receive SSL traffic on 443 on the external facing connection of your proxy, and then forward it to 8080 on your JIRA server. Is that correct?

                                        Correct. Trying to keep things as simple as possible (while still being secure.) This is not on cloud, it's hosted in colo, so that's a private network entirely that the non-SSL traffic is on, and all inside a single virtual switch on a single box.

                                        Ok, the document you're referencing is for 80 to 8080, not 443 to 8080. I'm trying to remember how you need to set the conf files because I've done this, but it has been awhile.

                                        This mattered too, but I had been using both configs and neither worked. It was removing 8443 that did it.

                                        • scottalanmillerS
                                          scottalanmiller
                                          last edited by

                                          For those coming along later, here is the exact server.xml that works:

                                          <?xml version="1.0" encoding="utf-8"?>
                                          <!--
                                            Licensed to the Apache Software Foundation (ASF) under one or more
                                            contributor license agreements.  See the NOTICE file distributed with
                                            this work for additional information regarding copyright ownership.
                                            The ASF licenses this file to You under the Apache License, Version 2.0
                                            (the "License"); you may not use this file except in compliance with
                                            the License.  You may obtain a copy of the License at
                                          
                                                http://www.apache.org/licenses/LICENSE-2.0
                                          
                                            Unless required by applicable law or agreed to in writing, software
                                            distributed under the License is distributed on an "AS IS" BASIS,
                                            WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
                                            See the License for the specific language governing permissions and
                                            limitations under the License.
                                          -->
                                          <Server port="8005" shutdown="SHUTDOWN">
                                              <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
                                              <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
                                              <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
                                              <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
                                              <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
                                          
                                              <Service name="Catalina">
                                                  <!--
                                                   ==============================================================================================================
                                                   DEFAULT - Direct connector with no proxy for unproxied access to Jira.
                                          
                                                   If using a http/https proxy, comment out this connector.
                                                   ==============================================================================================================
                                                  -->
                                          
                                                  <!-- <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                                                             maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                                                             acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/> -->
                                          
                                                  <!--
                                                   ==============================================================================================================
                                                   HTTP - Proxying Jira via Apache or Nginx over HTTP
                                          
                                                   If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
                                                   Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
                                          
                                                   See the following for more information:
                                          
                                                      Apache - https://confluence.atlassian.com/x/4xQLM
                                                      nginx  - https://confluence.atlassian.com/x/DAFmGQ
                                                   ==============================================================================================================
                                                  -->
                                          <!--
                                                  <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                                                             maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                                                             acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
                                                             proxyName="jira.a-closer-look.com" proxyPort="80"/>
                                          -->	
                                                  <!--
                                                   ==============================================================================================================
                                                   HTTPS - Proxying Jira via Apache or Nginx over HTTPS
                                          
                                                   If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
                                                   Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
                                          
                                                   See the following for more information:
                                          
                                                      Apache - https://confluence.atlassian.com/x/PTT3MQ
                                                      nginx  - https://confluence.atlassian.com/x/DAFmGQ
                                                   ==============================================================================================================
                                                  -->
                                          
                                                  <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                                                             maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" 
                                                             acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                                                             proxyName="jira.a-closer-look.com" proxyPort="443"/>
                                          
                                                  <!--
                                                   ==============================================================================================================
                                                   AJP - Proxying Jira via Apache over HTTP or HTTPS
                                                   
                                                   If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
                                                   See the following for more information:
                                          
                                                      Apache - https://confluence.atlassian.com/x/QiJ9MQ
                                                   ==============================================================================================================
                                                  -->
                                          
                                                  <!--
                                                  <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
                                                  -->
                                          
                                                  <Engine name="Catalina" defaultHost="localhost">
                                                      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
                                          
                                                          <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                                                              <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                                                                        factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                                                              <Manager pathname=""/>
                                                              <JarScanner scanManifest="false"/>
                                                          </Context>
                                          
                                                      </Host>
                                                      <Valve className="org.apache.catalina.valves.AccessLogValve"
                                                             pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
                                                  </Engine>
                                              </Service>
                                          </Server>
                                          
                                          
                                          1 Reply Last reply Reply Quote 2
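
A way to check a Jira `server.xml` for the mismatch this thread ran into, as an added example that is not part of any post above and is not Atlassian's code: it reads the one active `<Connector>` and compares what Tomcat will report to Jira (`scheme`, `secure`, `proxyName`, `proxyPort`) with the public URL that Nginx serves. Assumptions: the function names and the two sample files are constructed for illustration (hostname `jira.example.com` is the placeholder from the stock config), and `redirectPort` is flagged only because the thread reports that removing it resolved the error.

```python
"""Lint the active Tomcat <Connector> in a Jira server.xml against the public URL."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: HTTP proxy connector left active behind a TLS-terminating proxy.
BROKEN = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/> -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
               scheme="http" proxyName="jira.example.com" proxyPort="80"/>
  </Service>
</Server>"""

# Constructed sample: HTTPS proxy connector, redirectPort removed, others commented out.
WORKING = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
                    scheme="http" proxyName="jira.example.com" proxyPort="80"/> -->
    <Connector port="8080" protocol="HTTP/1.1" secure="true" scheme="https"
               proxyName="jira.example.com" proxyPort="443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3"/> -->
  </Service>
</Server>"""


def active_http_connectors(server_xml):
    """Return non-AJP <Connector> elements that are not commented out."""
    # ElementTree discards XML comments, so commented-out connectors never appear.
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if not c.get("protocol", "HTTP/1.1").upper().startswith("AJP")]


def audit(server_xml, public_url):
    """Return a list of (code, message) findings; an empty list means consistent."""
    want = urlsplit(public_url)
    want_port = want.port or DEFAULT_PORTS[want.scheme]
    want_secure = want.scheme == "https"
    connectors = active_http_connectors(server_xml)
    findings = []
    if len(connectors) != 1:
        findings.append(("connector-count",
                         f"{len(connectors)} active HTTP connectors, expected exactly 1"))
    for c in connectors:
        # Tomcat defaults: scheme="http", secure="false".
        scheme = c.get("scheme", "http")
        if scheme != want.scheme:
            findings.append(("scheme",
                             f'scheme="{scheme}" but users browse {want.scheme}://'))
        if (c.get("secure", "false") == "true") != want_secure:
            findings.append(("secure", f'secure should be "{str(want_secure).lower()}"'))
        if (c.get("proxyName") or "").lower() != want.hostname:
            findings.append(("proxyName",
                             f'proxyName={c.get("proxyName")!r}, expected {want.hostname!r}'))
        if c.get("proxyPort") != str(want_port):
            findings.append(("proxyPort",
                             f'proxyPort={c.get("proxyPort")!r}, expected "{want_port}"'))
        if c.get("redirectPort") is not None:
            # Reported in the thread as the change that cleared the XSRF error.
            findings.append(("redirectPort",
                             f'redirectPort="{c.get("redirectPort")}" is set but nothing '
                             "listens there in this proxy layout"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py /path/to/server.xml https://public.host
        with open(sys.argv[1], "rb") as fh:
            results = {sys.argv[1]: audit(fh.read(), sys.argv[2])}
    else:
        url = "https://jira.example.com"
        results = {"BROKEN": audit(BROKEN, url), "WORKING": audit(WORKING, url)}
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else ''}")
        for code, message in findings:
            print(f"  [{code}] {message}")
```
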