How to configure an outbound HTTP and HTTPS proxy for Stash

'How Do I...' and 'How to...' Guide to Stash

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.


This page defines how to configure Stash such that it can communicate externally through an outbound proxy. This is required to access servers outside the network it's hosted in, such as the Atlassian Marketplace. If you wish to host Stash behind a reverse-proxy (or inbound proxy), please refer to Proxying and securing Stash.


Proxy Support is configured in Stash by passing certain system properties to the Java Virtual Machine (JVM) on startup. These properties follow the conventions defined by Oracle:

  • http.proxyHost
  • http.proxyPort (default: 80)
  • http.nonProxyHosts (default: <none>)
  • https.proxyHost
  • https.proxyPort

The http.proxyHost property must be defined to configure an HTTP proxy, and https.proxyHost for an HTTPS proxy. System property configuration is described in further detail within our Setting Properties and Options on Startup documentation.

The http.proxyHost and http.proxyPort properties indicate the proxy server and the port that the HTTP protocol handler will use. For example: -Dhttp.proxyPort=8080 -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=localhost

The property http.nonProxyHosts indicates the hosts which should be connected to directly and not through the proxy server. The value can be a list of hosts, each separated by a |, and in addition a wildcard character (*) can be used for matching. For example:


(info) The pipe character (|) may need to be escaped in Linux, as per our JAVA Option '-Dhttp.nonProxyHosts' Does Not Work KB article.

If the http.nonProxyHosts property is not configured, all web requests will be routed through the proxy. For example, if connecting the Stash and JIRA applications together with Application Links, we would recommend bypassing the proxy and communicating on the internal network with this property. Routing through the proxy can have ramifications when taking into account IP validation on those links - the source IP of the server can be different depending on how the traffic is routed.

(warning) At the minimum, the http.nonProxyHosts must exclude localhost, otherwise certain functionality may not properly work. For example:



NTLM is not supported by UPM. Please refer to  Unable to locate Jira server for this macro. It may be due to Application Link configuration.  for further comments.

It is not supported by Stash either:  STASH-7694 - Getting issue details... STATUS

It is not supported by JIRA either:  JRA-2398 - Getting issue details... STATUS

How to make it work with Stash, then?

As you can see from past comments: here and here, customers reported success by following the steps below:

  • Install Cntlm Authentication Proxy locally to their JIRA/Stash server
  • Configured and tested it to make sure "Cntlm" works with their corporate NTLM and then used the parameters

    How to test Cntlm is working with your NTLM

    Update your user, domain, and proxy information in cntlm.ini, then test your proxy with this command (run in your Cntlm installation folder):

    cntlm -c cntlm.ini -I -M

    It will ask for your password, and hopefully print your required authentication information, which must be saved in your cntlm.ini

    Sample cntlm.ini:

    Username            user
    Domain              domain
    # provide actual value if autodetection fails
    # Workstation         pc-name
    NoProxy             127.0.0.*, 192.168.*
    Gateway             no
    SOCKS5Proxy         5000
    # provide socks auth info if you want it
    # SOCKS5User          socks-user:socks-password
    # printed authentication info from the previous step
    Auth            NTLMv2
    PassNTLMv2      98D6986BCFA9886E41698C1686B58A09

    Note: on linux the config file is cntlm.conf

  • Have the configuration described on the section above point to the "Cntlm" proxy instead - and that one will do the job to talk to NTLM.

If connecting Stash to any other applications, the application URL should be added to the nonProxyHosts argument. Otherwise what can happen is when Stash attempts to talk to another Atlassian application the HTTP request can timeout, or not resolve. This will prevent the applications from linking. For example when connecting Stash to JIRA (located on


Configuring Authentication

Proxy authentication is configured by passing the below properties to Java:

  • http.proxyUser
  • http.proxyPassword
  • https.proxyUser
  • https.proxyPassword


Modify <Stash Installation>/bin/ and add the following to JVM_SUPPORT_RECOMMENDED_ARGS:

JVM_SUPPORT_RECOMMENDED_ARGS="-Dhttp.proxyUser=atlaspirate -Dhttp.proxyPassword=yarrrrr -Dhttps.proxyUser=atlaspirate -Dhttps.proxyPassword=yarrrrr"


  1. Open the command window from Start >> Run >> type in 'cmd' >> Enter
  2. cd to the bin directory of your STASH installation directory
  3. Run:

    tomcat8w //ES//AtlassianStash
  4. Click on the Java tab to see the list of current start-up options.
  5. Add the proxy configuration options on their own lines under Java Options 

  6. Restart Stash

Last modified on Nov 2, 2018

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.