How to configure an outbound HTTP and HTTPS proxy for Stash
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products will end after February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.
This page defines how to configure Stash such that it can communicate externally through an outbound proxy. This is required to access servers outside the network it's hosted in, such as the Atlassian Marketplace. If you wish to host Stash behind a reverse-proxy (or inbound proxy), please refer to Proxying and securing Stash.
Proxy Support is configured in Stash by passing certain system properties to the Java Virtual Machine (JVM) on startup. These properties follow the conventions defined by Oracle:
http.proxyHost property must be defined to configure an HTTP proxy, and
https.proxyHost for an HTTPS proxy. System property configuration is described in further detail within our Setting Properties and Options on Startup documentation.
http.proxyPort properties indicate the proxy server and the port that the HTTP protocol handler will use. For example:
-Dhttp.proxyHost=proxy.example.org -Dhttp.proxyPort=8080 -Dhttps.proxyHost=proxy.example.org -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=localhost
http.nonProxyHosts indicates the hosts which should be connected to directly and not through the proxy server. The value can be a list of hosts, each separated by a |, and in addition a wildcard character (*) can be used for matching. For example:
The pipe character (|) may need to be escaped in Linux, as per our JAVA Option '-Dhttp.nonProxyHosts' Does Not Work KB article.
http.nonProxyHosts property is not configured, all web requests will be routed through the proxy. For example, if connecting the Stash and JIRA applications together with Application Links, we would recommend bypassing the proxy and communicating on the internal network with this property. Routing through the proxy can have ramifications when taking into account IP validation on those links - the source IP of the server can be different depending on how the traffic is routed.
At the minimum, the http.nonProxyHosts must exclude localhost, otherwise certain functionality may not properly work. For example:
NTLM is not supported by UPM. Please refer tofor further comments.
How to make it work with Stash, then?
- Install Cntlm Authentication Proxy locally to their JIRA/Stash server
Configured and tested it to make sure "Cntlm" works with their corporate NTLM and then used the parametersHow to test Cntlm is working with your NTLM
Update your user, domain, and proxy information in
cntlm.ini, then test your proxy with this command (run in your Cntlm installation folder):
cntlm -c cntlm.ini -I -M http://google.ro
It will ask for your password, and hopefully print your required authentication information, which must be saved in your
Username user Domain domain # provide actual value if autodetection fails # Workstation pc-name Proxy my_proxy_server.com:80 NoProxy 127.0.0.*, 192.168.* Listen 127.0.0.1:54321 Listen 192.168.1.42:8080 Gateway no SOCKS5Proxy 5000 # provide socks auth info if you want it # SOCKS5User socks-user:socks-password # printed authentication info from the previous step Auth NTLMv2 PassNTLMv2 98D6986BCFA9886E41698C1686B58A09
Note: on linux the config file is
- Have the configuration described on the section above point to the "Cntlm" proxy instead - and that one will do the job to talk to NTLM.
If connecting Stash to any other applications, the application URL should be added to the
nonProxyHosts argument. Otherwise what can happen is when Stash attempts to talk to another Atlassian application the HTTP request can timeout, or not resolve. This will prevent the applications from linking. For example when connecting Stash to JIRA (located on
Proxy authentication is configured by passing the below properties to Java:
<Stash Installation>/bin/setenv.sh and add the following to
JVM_SUPPORT_RECOMMENDED_ARGS="-Dhttp.proxyUser=atlaspirate -Dhttp.proxyPassword=yarrrrr -Dhttps.proxyUser=atlaspirate -Dhttps.proxyPassword=yarrrrr"
- Open the command window from
Start >> Run >> type in 'cmd' >> Enter
cdto the bin directory of your STASH installation directory
- Click on the Java tab to see the list of current start-up options.
Add the proxy configuration options on their own lines under Java Options
-Dhttp.proxyUser=atlaspirate -Dhttp.proxyPassword=yarrrrr -Dhttps.proxyUser=atlaspirate -Dhttps.proxyPassword=yarrrrr
- Restart Stash