Proxying and securing Stash

This page provides an overview of some common network topology options for running Stash, including running Stash behind a reverse proxy and securing access to Stash by using HTTPS (HTTP over SSL).

Note that Stash does not need to run behind a web server – it is capable of serving web requests directly using the bundled Tomcat application server. On this page, 'connecting to Stash' really means connecting to Tomcat, which is used to serve Stash content.

Connecting to Stash directly over HTTP

Connecting directly to Stash (that is, Tomcat) is the default install configuration, as described in the Stash install documentation:

When set up this way, the user accesses Stash directly over HTTP, without using SSL – all communication between the user's browser and Stash will be unsecured. 

You may also wish to consider the following:

  • Stash, by default, will listen for requests on port 7990 – this port can be changed if required.
  • The address with which to access Stash, by default, will be http://<computer name>:7990. Change the base URL for Stash if required.
  • You can set the context path for Stash if you are running another Atlassian application, or Java web application, at the same hostname and context path as Stash.
  • Securing Git operations between the user's computer and Stash is a separate consideration - see Enabling SSH access to Git.

Securing access to Stash using HTTPS

Access to Stash can be secured by enabling HTTPS (HTTP over SSL) for the Tomcat application server that is bundled with Stash. You should consider doing this, and making secure access mandatory, if Stash will be internet-facing and usernames, passwords and other proprietary data may be at risk.

When set up in this way, access to Stash is direct, and all communication between the user's browser and Stash will be secured using SSL.

See Securing Stash with Tomcat using SSL for configuration details.

Note that:

  • Stash will listen for requests on port 8443. This port can be changed if required.
  • The address with which to access Stash, by default, will be https://<computer name>:8443. Change the base URL for Stash if required.
  • Any existing links with other applications will need to be reconfigured using this new URL for Stash.
  • You can set the context path for Stash if you are running another Atlassian application, or Java web application, at the same hostname and context path as Stash.
  • Securing Git operations between the user's computer and Stash is a separate consideration - see Enabling SSH access to Git.

Using a reverse proxy for Stash

You can run Stash behind a reverse proxy, for example Apache HTTP Server. You may wish to do this if you want to:

When set up this way, external access to Stash is via a reverse proxy, without using SSL. All communication between the user's browser and Apache, and so Stash, will be unsecured, but users do not have direct access to Stash. An example scenario is where Apache provides a gateway through which users outside the firewall can access Stash.

See Integrating Stash with Apache HTTP Server for configuration details.

Note that:

  • Stash, by default, will listen for requests on port 7990 – this port can be changed if required.
  • Stash (Tomcat) needs to know the URL (proxy name) that Apache serves.
  • The address with which to access Stash will be http://<proxy name>:7990. Change the base URL for Stash if required.
  • Any existing links with other applications will need to be reconfigured using this new URL for Stash.
  • You can set the context path for Stash if you are running another Atlassian application, or Java web application, at the same hostname and context path as Stash.
  • Securing Git operations between the user's computer and Stash is a separate consideration - see Enabling SSH access to Git.

Securing a reverse proxy using HTTPS

You can run Stash behind a reverse proxy, such as Apache HTTP Server or nginx, that is secured using HTTPS (HTTP over SSL). You should consider doing this, and making secure access mandatory, if usernames, passwords and other proprietary data may be at risk. An example scenario is where Apache HTTP Server provides a gateway through which users outside the firewall can access Stash. 

When set up in this way, external access to Stash is via a reverse proxy, where external communication with the proxy uses HTTPS. All communication between the user's browser and the reverse proxy will be secured, whereas communication between the proxy and Stash will not be secured (it doesn't use SSL). 

See the following pages for configuration details:

Note that:

  • The reverse proxy (for example, Apache) will listen for requests on port 443.
  • Stash, by default, will listen for requests on port 7990. Stash (Tomcat) needs to know the URL (proxy name) that the proxy serves.
  • Stash (Tomcat) should be configured to refuse requests on port 7990 and to redirect those to the proxy on port 443.
  • Securing Git operations between the user's computer and Stash is a separate consideration - see Enabling SSH access to Git.
  • It would be possible to set up an SSL connection between the proxy server and Tomcat (Stash), but that configuration is very unusual, and not recommended in most circumstances.
  • Incidentally, note that Stash 2.10 and later versions do not support mod_auth_basic.
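
The following is an added example, not part of the original page or of Atlassian's own tooling: a small check that a Tomcat server.xml Connector matches the HTTPS reverse proxy topology described above, using the standard Tomcat Connector attributes scheme, secure, proxyName, proxyPort and address. The hostname stash.example.com, the sample XML fragments and the loopback-binding check (which assumes the proxy runs on the same host as Stash) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments; stash.example.com is a placeholder.
DIRECT_HTTP = """<Server><Service name="Catalina">
  <Connector port="7990" protocol="HTTP/1.1" />
</Service></Server>"""

BEHIND_HTTPS_PROXY = """<Server><Service name="Catalina">
  <Connector port="7990" protocol="HTTP/1.1" address="127.0.0.1"
             scheme="https" secure="true"
             proxyName="stash.example.com" proxyPort="443" />
</Service></Server>"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_connectors(server_xml, proxy_name, proxy_port="443"):
    """Return a list of findings for Connectors that do not match the
    'reverse proxy secured using HTTPS' topology (empty list = consistent)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat builds redirects and absolute URLs from these attributes, so
        # they must describe the proxy's public URL, not Tomcat's own socket.
        expected = {"scheme": "https", "secure": "true",
                    "proxyName": proxy_name, "proxyPort": proxy_port}
        for attr, want in expected.items():
            got = conn.get(attr)
            if got != want:
                findings.append(f"port {port}: {attr}={got!r}, expected {want!r}")
        # Assumption: the proxy is on the same host, so Tomcat only needs to
        # listen on loopback and cannot be reached directly over plain HTTP.
        if conn.get("address") not in LOOPBACK:
            findings.append(f"port {port}: not bound to loopback, "
                            "clients can bypass the proxy over plain HTTP")
    return findings


if __name__ == "__main__":
    samples = (("direct HTTP", DIRECT_HTTP),
               ("behind HTTPS proxy", BEHIND_HTTPS_PROXY))
    for name, xml in samples:
        print(name, "->", audit_connectors(xml, "stash.example.com") or "OK")
```

If the proxy runs on a different host, drop the loopback check and restrict port 7990 to the proxy's address with a firewall rule instead.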

Redirection notice

This page will redirect to /display/BitbucketServer/Proxying+and+securing+Bitbucket+Server .
