BAD_XFORWARD_IP; Request not allowed from IP Address
Problem
When using Trusted Applications, a request may fail with the error BAD_XFORWARD_IP, followed by the IP address that failed. While this error occurs, functionality between the two applications will not work correctly.
The following message will appear in the destination application log file:
BAD_XFORWARD_IP; Request not allowed from IP address: {0}; ["127.0.0.1"]
Diagnosis
Environment
- Two applications are connected together using Application Links
- The authentication method used is Trusted Applications
Cause
The X-Forwarded-For address in the header of the request coming from the Source application is not trusted by the Destination application. Usually X-Forwarded-For identifies the client connecting to the reverse proxy, in this case the IP address of the Source application; however, with some proxy servers it might be modified manually. The "Incoming Authentication" configuration does not list this IP address in the "IP Patterns" section.
Resolution
Option 1
- Add the IP address from the Source application's X-Forwarded-For header to the "IP Patterns" section. This must be added to the "Incoming Authentication" section of the Destination application.
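To find exactly which addresses Option 1 needs, the following added example (not Atlassian code) pulls the rejected addresses out of the Destination application log and checks a proposed "IP Patterns" list against them. The log message format is the one shown on this page; the timestamps in the sample lines are constructed, and the wildcard pattern syntax (`10.0.5.*`) is an assumption to confirm against your product's documentation.

```python
import re
from collections import Counter

# Message format as shown on this page; the rejected address is the quoted value.
REJECT_RE = re.compile(r'BAD_XFORWARD_IP; .*?\["(?P<ip>[^"]+)"\]')

def rejected_addresses(log_lines):
    """Count each address the Destination application rejected."""
    hits = Counter()
    for line in log_lines:
        match = REJECT_RE.search(line)
        if match:
            hits[match.group("ip")] += 1
    return hits

def pattern_matches(pattern, ip):
    """ASSUMED syntax: dotted IPv4 where any octet may be '*' (e.g. 10.0.5.*)."""
    p_octets, ip_octets = pattern.strip().split("."), ip.strip().split(".")
    return (len(p_octets) == len(ip_octets) == 4
            and all(p in ("*", o) for p, o in zip(p_octets, ip_octets)))

def uncovered(log_lines, proposed_patterns):
    """Rejected addresses that the proposed "IP Patterns" list would still miss."""
    return sorted(ip for ip in rejected_addresses(log_lines)
                  if not any(pattern_matches(p, ip) for p in proposed_patterns))

# Constructed sample lines: timestamps, level and addresses are made up.
SAMPLE_LOG = [
    '2024-01-01 10:00:00 WARN BAD_XFORWARD_IP; Request not allowed from IP address: {0}; ["127.0.0.1"]',
    '2024-01-01 10:00:05 WARN BAD_XFORWARD_IP; Request not allowed from IP address: {0}; ["10.0.5.20"]',
    '2024-01-01 10:00:09 INFO unrelated message',
    '2024-01-01 10:01:00 WARN BAD_XFORWARD_IP; Request not allowed from IP address: {0}; ["127.0.0.1"]',
]

if __name__ == "__main__":
    for ip, count in rejected_addresses(SAMPLE_LOG).most_common():
        print(f"{ip}\trejected {count} time(s)")
    print("still uncovered by 10.0.5.*:", uncovered(SAMPLE_LOG, ["10.0.5.*"]))
```

An empty result from `uncovered` means the proposed list accounts for every rejection seen in the log, so the narrow allow list can be kept instead of removing all patterns.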
Option 2
- Remove all IP Patterns from the "Incoming Authentication" section. With no patterns listed, the Destination application allows all requests to come in.
Notes for Reverse Proxy Usage
Ensure that any IP addresses used by a reverse proxy are added to the "IP Patterns" section if they differ from the address of the Source application. You should also ensure that your reverse proxy is configured correctly.
Alternatively, you may wish to bypass the reverse proxy, and create an unproxied Application Link.
Atlassian recommends OAuth
All new Application Links are created using OAuth. It provides all of the functionality of Trusted Applications and Basic Authentication. OAuth allows applications to authenticate and authorise users without accessing their credentials.