403 Forbidden error when creating a Bitbucket Cloud or GitHub Repository in Bamboo

Problem

When creating a Bitbucket.org (Cloud) or GitHub repository in Bamboo, you receive the error message: Failed to load data from Bitbucket. [403 Forbidden] / Failed to load data from GitHub. [403 Forbidden].

The following warning is observed in the <bamboo-home>/atlassian-bamboo.log:

Bitbucket:

2017-01-23 12:08:00,618 WARN [http-nio-8085-exec-13] [XsrfResourceFilter] Additional XSRF checks failed for request: http://localhost:8085/rest/hg/latest/bb/repositories/ , origin: https://domain , referrer: https://domain/build/admin/create/newPlan.action , credentials in request: true , allowed via CORS: false

GitHub:

2017-01-23 12:08:00,618 WARN [http-nio-8085-exec-13] [XsrfResourceFilter] Additional XSRF checks failed for request: http://localhost:8085/rest/git/latest/gh/repositories/username/ , origin: https://domain , referrer: https://domain/build/admin/create/newPlan.action , credentials in request: true , allowed via CORS: false


Cause

This usually happens due to Tomcat configuration issues when running Bamboo behind a reverse proxy or load balancer.

If you installed Bamboo using the Bamboo EC2 Wizard and are unsure whether a reverse proxy is present: the wizard installs an Apache reverse proxy in front of Bamboo, so the following configuration is relevant. A bug report specific to the EC2 wizard not configuring these settings initially is logged here:

  • BAM-18063

Regardless of any fix to the wizard, this configuration depends on the URL the application is accessed on, so it may still need to be updated manually at some point.

Resolution

If Bamboo runs behind a proxy and you are encountering issues with the origin-based CSRF protection, check that the following parameters are correctly configured in <bamboo-install>/conf/server.xml (located in /media/atlassian-data/installs/bamboo/current/conf if you installed Bamboo via the EC2 Wizard) for the Tomcat connector that your proxy forwards connections to:

  • the configured proxyName matches the hostname that the application is accessed on.
  • the configured proxyPort matches the port that the application is accessed on.
  • the configured scheme matches the scheme that the application is accessed with. 

Any changes to the server.xml will require Bamboo to be restarted to take effect.


For example, if Bamboo is running behind Apache and the URL to access Bamboo is https://example.domain/, then the correct proxy settings are the following:

  • proxyName="example.domain"
  • proxyPort="443"
  • scheme="https"

For the same example, if Bamboo is accessed over http instead of https:

  • proxyName="example.domain"
  • proxyPort="80"
  • scheme="http"

For reference, here is an example of the connector after the attributes have been added, when the reverse proxy is proxying requests from https://example.domain to the Tomcat HTTP connector on port 8085:

<Connector
            protocol="HTTP/1.1"
            port="8085"

            maxThreads="150" minSpareThreads="25"
            connectionTimeout="20000"
            disableUploadTimeout="true"
            acceptCount="100"

            enableLookups="false"
            maxHttpHeaderSize="8192"

            useBodyEncodingForURI="true"
            URIEncoding="UTF-8"

            redirectPort="8443"
            scheme="https"
            proxyName="example.domain"
            proxyPort="443"
            />
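
One way to verify the three attributes from the Resolution against the URL Bamboo is accessed on, as an added example (not Atlassian's code). The function names and the sample server.xml are constructed for illustration; the sample connector deliberately has no proxy attributes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: a connector that is missing all three proxy attributes.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" port="8085" redirectPort="8443"/>
  </Service>
</Server>"""


def expected_proxy_settings(access_url):
    """Derive proxyName/proxyPort/scheme from the URL users open in the browser."""
    parts = urlsplit(access_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {access_url!r}")
    # A URL without an explicit port uses the scheme's default (80 or 443).
    port = parts.port or DEFAULT_PORTS[scheme]
    return {"proxyName": parts.hostname, "proxyPort": str(port), "scheme": scheme}


def check_connector(server_xml, connector_port, access_url):
    """Return (attribute, configured, expected) for every attribute that differs."""
    expected = expected_proxy_settings(access_url)
    root = ET.fromstring(server_xml)
    # Pick the connector the reverse proxy forwards to, by its listen port.
    for conn in root.iter("Connector"):
        if conn.get("port") == str(connector_port):
            break
    else:
        raise LookupError(f"no Connector on port {connector_port}")
    mismatches = []
    for attr, want in expected.items():
        have = conn.get(attr)  # None when the attribute is absent
        if have is None or have.lower() != want:
            mismatches.append((attr, have, want))
    return mismatches


if __name__ == "__main__":
    found = check_connector(SAMPLE_SERVER_XML, 8085, "https://example.domain/")
    for attr, have, want in found:
        print(f'{attr}: configured {have!r}, expected "{want}"')
```

To check a real installation, pass the contents of <bamboo-install>/conf/server.xml as the first argument instead of the sample string.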

Last modified on Sep 23, 2019
