Configuring the allowlist

Bamboo administrators can choose to allow outgoing connections and content by adding URLs to the allowlist. You can use the allowlist to test connections for:

  • Git

  • GitHub

  • Bitbucket Cloud

  • Bitbucket Data Center

If the content is from an unapproved source, Bamboo will display an error and prompt the user to add the URL to the allowlist.

Application links are automatically added to the allowlist. You don't need to manually add them. 

When connecting to Bitbucket Data Center, Bamboo adds an SSH entry with the default port 7999. If you're using a custom SSH port, then manually modify the entry.

Check out how to modify an SSH port

Add allowed URLs to the allowlist

To add a URL to the allowlist:

  1. From the Administration menu, select Overview.

  2. On the left sidebar, under Security, select Allowlist.

  3. Enter the URL or expression you want to allow.

  4. Select the Type of expression (see below for examples of the types available).

  5. Select Add.

Your URL or expression appears in the allowlist.

To test that your allowlisted URL is working as expected, enter a URL in the Test a URL field. Icons indicate whether incoming traffic, outgoing traffic, or both are allowed for that URL.

Expression types

When adding a URL to the allowlist, you can choose from a number of expression types. 

When deciding the best expression type to use, aim for a more restrictive URL rather than a less restrictive one to best protect your site.

| Type | Description | Example |
|---|---|---|
| Domain name | Allows all URLs from the specified domain. | https://www.example.com |
| Exact match | Allows only the specified URL. | https://www.example.com/thispage |
| Wildcard Expression | Allows all matching URLs. Use the wildcard * character to replace one or more characters. | https://*example.com |
| Regular Expression | Allows all URLs matching the regular expression. | http(s)?://www\.example\.com |
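The following added example (not Bamboo's code) models the four expression types so you can see which URLs each example expression from the table would let through before you save it. It assumes whole-URL matching for wildcard and regular expressions and scheme, host and port comparison for domain names; the function names, the extra `https://*.example.com` rule and the candidate URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)

def allows(rule_type, expression, url):
    """Simplified model of the four expression types (an assumption)."""
    if rule_type == "exact":
        return url == expression
    if rule_type == "domain":
        # Same scheme, host and port; any path.
        return _origin(url) == _origin(expression)
    if rule_type == "wildcard":
        # '*' replaces one or more characters, as the table describes.
        pattern = ".+".join(re.escape(p) for p in expression.split("*"))
        return re.fullmatch(pattern, url) is not None
    if rule_type == "regex":
        return re.fullmatch(expression, url) is not None
    raise ValueError(f"unknown rule type: {rule_type}")

# The four examples from the table, plus one tighter wildcard (constructed).
RULES = [
    ("domain", "https://www.example.com"),
    ("exact", "https://www.example.com/thispage"),
    ("wildcard", "https://*example.com"),
    ("regex", r"http(s)?://www\.example\.com"),
    ("wildcard", "https://*.example.com"),
]

# Constructed test URLs, including near-misses that should stay blocked.
CANDIDATES = [
    "https://www.example.com",
    "https://www.example.com/thispage",
    "https://www.example.com/other",
    "http://www.example.com",
    "https://notexample.com",
    "https://www.example.com.other.test",
]

def audit(rules=RULES, candidates=CANDIDATES):
    """Map each expression to the candidate URLs it would allow."""
    return {expr: [u for u in candidates if allows(t, expr, u)] for t, expr in rules}

if __name__ == "__main__":
    for expr, allowed in audit().items():
        print(expr, "->", allowed)
```

Under this model the broad wildcard also admits https://notexample.com and the regular expression also admits plain http, while the tighter wildcard admits only the www host. The Test a URL field remains the definitive check of what Bamboo itself allows.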

When you create an application link, the URL is automatically added to the Confluence allowlist. By default, outbound requests from these URLs are only allowed for authenticated users.

To change the default behavior for all application links, including new application links:

  1. From the Administration menu, select Overview.

  2. On the left sidebar, under Security, select Allowlist, and then Configure Settings.

  3. Select either:

    • Allow all users: allows outbound requests for all users, including anonymous users

    • Allow authenticated users: denies outbound requests for anonymous users

    • Restrict by default: denies outbound requests for all users (the applink will not be added to the allowlist at all)

  4. Save your changes.

All existing application links and any new application links added to the allowlist will use this setting. 

Disable the allowlist

The allowlist is enabled by default. You can choose to disable the allowlist; however, this will allow all URLs, including malicious content.

We strongly discourage you from disabling the allowlist, as it will leave you vulnerable to Server-Side Request Forgery (SSRF) attacks. 

To disable the allowlist:

  1. From the Administration menu, select Overview.

  2. On the left sidebar, under Security, select Allowlist.

  3. Select Turn off allowlist.

  4. Select Confirm.

All URLs will now be allowed. This is not recommended.

Last modified on Aug 27, 2024
