Integrating Stash with Apache HTTP Server
This page explains how to establish a network topology in which Apache HTTP Server acts as a reverse proxy for Stash. Typically, such a configuration would be used when Stash is installed in a protected zone 'behind the firewall', and Apache HTTP Server provides a gateway through which users outside the firewall can access Stash. You may wish to do this if you want to:
- use a different port number to access Stash
- use a different context path to access Stash
Be aware that Stash does not need to run behind a web server, since it is capable of serving web requests directly; to secure Stash when run in this way see Securing Stash with Tomcat using SSL. For an overview of other network topology options, see Proxying and securing Stash. Otherwise, if you want to install Stash in an environment that incorporates Apache HTTP Server, this document is for you.
When Stash is set up following the instructions on this page, external access to Stash uses a reverse proxy, without using SSL. All communication between the user's browser and Apache, and so Stash, will be unsecured, but users do not have direct access to Stash.
- Stash, by default, will listen for requests on port 7990 – this port can be changed if required.
- Stash (Tomcat) needs to know the URL (proxy name) that Apache serves.
- The address with which to access Stash will be http://<proxy name>:7990. Change the base URL for Stash if required.
- Any existing links with other applications will need to be reconfigured using this new URL for Stash.
- You can set the context path for Stash if you are running another Atlassian application, or Java web application, at the same hostname and context path as Stash.
- Securing Git operations between the user's computer and Stash is a separate consideration - see Enabling SSH access to Git.
About using Apache software
Configuring Tomcat 7
The Stash distribution includes an instance of Tomcat 7, the configuration of which is determined by the contents of the
<Stash home directory>/shared/server.xml file. Note that any changes that you make to the
server.xml file will only be effective upon starting or re-starting Stash.
You may find it helpful to refer to the Apache Tomcat 7.0 Proxy Support HowTo page.
Configuring Apache HTTP Server
You may find it helpful to refer to the Apache HTTP Server Documentation, which describes how you can control Apache HTTP Server by changing the contents of the
httpd.conf file. The section on Apache Module mod_proxy is particularly relevant. Note that any changes you make to the
httpd.conf file will only be effective upon starting or re-starting Apache HTTP Server.
Step 1: Configure the Tomcat Connector
Find the normal (non-SSL)
Connector directive in Tomcat's
<Stash home directory>/shared/server.xml file, and add the
proxyPort attributes as shown below. Instead of
mycompany.com, set the
proxyName attribute to your domain name that Apache HTTP Server will be configured to serve. This informs Stash of the domain name and port of the requests that reach it via Apache HTTP Server, and is important to the correct operation of the Stash functions that construct URLs.
Note: Apache HTTP Server's
ProxyPreserveHost directive is another way to have the hostname of the incoming request recognised by Stash instead of the hostname at which Stash is actually running. However, the
ProxyPreserveHost directive does not cause the scheme to be properly set. Since we have to mess with Tomcat's
Connector directive anyway, we recommend that you stick with the above-described approach, and don't bother to set the
ProxyPreserveHost in Apache HTTP Server.
For more information about configuring the Tomcat Connector, refer to the Apache Tomcat 7.0 HTTP Connector Reference.
Step 2: Change Stash's base URL
After re-starting Stash, open a browser window and log into Stash using an administrator account. Go to the Stash administration area and click Server settings (under 'Settings'), and change Base URL to match the proxy URL (the URL that Apache HTTP Server will be serving).
Step 3 (optional): Set a context path for Stash
By default, Stash is configured to run with an empty context path; in other words, from the 'root' of the server's name space. In that default configuration, Stash is accessed at:
It's perfectly fine to run Stash with the empty context path as above. Alternatively, you can set a context path by changing the
Context directive in Tomcat's
<Stash home directory>/shared/server.xml file:
If you do set a context path, it is important that the same path be used in Step 5, when setting up the
ProxyPassReverse directives. You should also append the context path to Stash's base URL (see Step 2).
Step 4: Enable
mod_proxy_http in Apache HTTP Server
mod_proxy documentation, you will read that
mod_proxy can be used as a forward proxy, or as a reverse proxy (gateway); you want the latter. Where the
mod_proxy documentation mentions 'origin server', it refers to your Stash server. Unless you have a good reason for doing otherwise, load
mod_proxy_http dynamically, using the LoadModule directive; that means un-commenting the following lines in the
Experienced administrators may be aware of the Apache Connector module,
mod_jk. Atlassian does not recommend use of the
mod_jk module with Stash, since it has proven itself to be less reliable than
Step 5: Configure
mod_proxy to map requests to Stash
Suppose Apache HTTP Server is configured to serve the
mycompany.com domain; then the above directives tell Apache HTTP Server to forward web requests of the form
http://mycompany.com/* to the Tomcat connector (Stash) running on port
7990 on the same machine.
connectiontimeout attribute specifies the number of seconds Apache HTTP Server waits for the creation of a connection to Stash.
timeout attribute specifies the number of seconds Apache HTTP Server waits for data to be sent to Stash.
If you set up a context path for Stash in Step 3, you'll need to use that context path in your
ProxyPassReverse directives. Suppose your context path is set to "
/stash", the directives would be as follows:
If Stash is to run on a different domain and/or different port, you should use that domain and/or port number in the
ProxyPassReverse directives; for example, suppose that Stash will run on port
private.mycompany.com under the context path
/stash, then you would use the following directives:
Step 6: Configure
mod_proxy to disable forward proxying
If you are using Apache HTTP Server as a reverse proxy only, and not as a forward proxy server, you should turn forward proxying off by including a
ProxyRequests directive in the
httpd.conf file, as follows:
Step 7: Allow proxying to Stash from everywhere
Strictly speaking, this step is unnecessary because access to proxied resources is unrestricted by default. Nevertheless, we explicitly allow access to Stash from any host so that this policy will be applied regardless of any subsequent changes to access controls at the global level. Use the
Proxy directive in the
httpd.conf file as follows:
Proxy directive provides a context for the directives that are contained within its delimiting tags. In this case, we specify a wild-card url (the asterisk), which applies the two contained directives to all proxied requests.
Order directive controls the order in which any
Deny directives are applied. In the above configuration, we specify "
Deny,Allow", which tells Apache HTTP Server to apply any
Deny directives first, and if any match, the request is denied unless it also matches an
Allow directive. In fact, "
Deny,Allow" is the default; we include it merely for the sake of clarity. Note that we specify one
Allow directive, which is described below, and don't specify any
Allow directive, in this context, controls which hosts can access Stash via Apache HTTP Server. Here, we specify that all hosts are allowed access to Stash.
Step 8 (optional): Configure Apache HTTP Server for SSL
If you want to set up SSL access to Stash, follow the instructions on Securing Stash with Apache using SSL. When you are finished, users will be able to make secure connections to Apache HTTP Server; connections between Apache HTTP Server and Stash will remain unsecured (not using SSL). If you don't want to set up SSL access, you can skip this section entirely.
Note: It would be possible to set up an SSL connection between Apache HTTP Server and Tomcat (Stash), but that configuration is very unusual, and not recommended in most circumstances.
A note about application links
When an application link is established between Stash and another Atlassian product (for example JIRA), and Stash is operating behind Apache HTTP Server, the link from the other product to Stash must be via the proxy URL; that is, the 'reciprocal URL' from, say JIRA, to Stash must match the proxy name and port that you set at Step 1.
In general, if you are having problems:
- Ensure that Stash works as expected when running directly from Tomcat on
- Watch the log files (usually in /var/log/httpd/ or /var/log/apache2/). Check that you have a
LogLeveldirective in your
httpd.conf, and turn up logging (
LogLevel debug) to get more info.
- Check out the Stash Knowledge Base.
- On Fedora Core 4 people have reported 'permission denied' errors when trying to get mod_proxy (and mod_jk) working. Disabling SELinux (
/etc/selinux/config) apparently fixes this.
- Some users have reported problems with user sessions being hijacked when the mod_cache module is enabled. If you have such problems, disable the mod_cache module. Note that this module is enabled by default in some Apache HTTP Server version 2 distributions.
Was this helpful?
Thanks for your feedback!