How to create an unproxied application link

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

When working with application links, it may be necessary to bypass any existing reverse proxy or SSL configuration, without disrupting normal usage for your instances.

For example, the following setting in an Apache proxy has been known to interfere with forwarding of authentication between Confluence and Jira when using the Jira Issues macro:

RequestHeader unset Authorization

The equivalent setting in NGiNX is:

proxy_set_header Authorization "";

Let's take Confluence and JIRA:

  • Confluence
    • Proxied address: https://confluence.mycompany.com/
    • Unproxied address: http://192.168.100.100:8095/
  • JIRA
    • Proxied address: https://jira.mycompany.com/
    • Unproxied address: http://192.168.100.100:8081/

You must be able to browse the application via the unproxied URL. Some network configurations may allow communication between the two servers, but you must be able to browse to the two unproxied addresses for the purpose of creating the application link.

To bypass a reverse proxy or SSL configuration, introduce an additional HTTP connector in Tomcat. The following is a bare minimum HTTP connector for use in Tomcat across Atlassian Products:
<Connector port="8080" connectionTimeout="20000" maxThreads="200" minSpareThreads="10" 
	enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />

To make use of this, edit the server.xml file for the application in question. The connector must be added inside the Service element. You will also need to restart the application to take effect.

You should adjust the value of the port attribute in the new connector. Ensure to use a port that isn't already used by any application on the same physical machine. For example, if you have JIRA listening for incoming connections on port 8080 (which is in turn connected to a reverse proxy), you should change your new connector to something else, such as 8081.

tip/resting Created with Sketch.

Running Jira 7.12.3, 7.13.0 or higher?

In these versions of JIRA (and above) you must add some additional parameters to the connector:

relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"

For more information, please see this Jira specific KB article.

If web.xml has been edited as per our documentation to redirect to SSL, the following lines will need to be removed:

Click here to expand...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all-except-attachments</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspa</url-pattern>
    <url-pattern>/browse/*</url-pattern>
	<url-pattern>/issues/*</url-pattern> 
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

As of Bitbucket Server 5.0, you can't configure any Tomcat connectors directly as the application runs on Spring Boot.

The usual server.xml configurations have been replaced by properties that need to be configured on <Bitbucket home directory>/shared/bitbucket.properties

Similarly, you can't configure web.xml.

In order to add a new HTTP connector for this purpose, this is the only configuration you need:

server.additional-connector.1.port=8080

Please read through Migrate server.xml customizations to bitbucket.properties



  1. See How to bypass a reverse proxy or SSL in Application Links for more information on setting up an unproxied HTTP connector.
  2. Ensure that the HTTP connector is configured on both side of the application, using different ports


  1. Access one of the application using the new unproxied port. <ip address:unproxied port> (eg: 127.0.0.1:8080)
  2. Set each application's base URL to the unproxied address.
  3. Create a new application link as usual, using the unproxied address as the application URL.
  4. Set the base URL for each instance back to the proxied address.
  5. Edit the application link (at each application) by clicking "Edit" next to link for the other application.
  6. In the Display URL text box, type the proxied address. It will be different from the application URL (which cannot be changed).
  7. Click Update.

Only a single URL may be specified for the application link URL. This means that all application link traffic will be directed to a single node if the load balancer is bypassed.

This may be desirable in certain scenarios where a single node is dedicated to back end operations and excluded from client traffic.

There is a bug that all remote events fail if the base URL does not match the application link URL. The fix was released in the following versions:

  • Bitbucket Server 4.0.4+:  BSERV-7802 - Getting issue details... STATUS
  • Bamboo 5.13.1+:  BAM-17579 - Getting issue details... STATUS

If you create the unproxied application URL in Confluence, the Whitelist entry for Jira will display the Display URL while it is actually pointing to the Application URL that the request is coming from.

CONFSERVER-57968 - Getting issue details... STATUS

Description

When working with application links, it may be necessary to bypass any existing reverse proxy or SSL configuration, without disrupting normal usage for your instances.

ProductJira, Confluence, Bitbucket, Bamboo, Fisheye
PlatformServer
Last modified on Oct 15, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.