When IIS acts as a reverse proxy, i.e. performs HTTP (port) forwarding, it requires additional configuration to work correctly with the SSO state machine.
If you are running Apache - see Configuring Apache as a reverse proxy for EasySSO. If you are running NGINX - see Configuring NGINX as reverse proxy for EasySSO.
For IIS, you need to have the URL Rewrite module installed. This is a module from Microsoft available from https://www.iis.net/downloads/microsoft/url-rewrite
Once the module is installed, the setting can be configured via the GUI or via the web.config XML file.
The purpose of configuration is to add a "jespa-connection-id" HTTP header that has a value combining the remote client's IP address and port.
Configuring IIS via GUI
In the GUI (note: all strings in quotes are string constants for you to enter; do not type the quotation marks):
- Navigate to the specific site configuration for your Atlassian application
- Click the URL Rewrite icon
- Click "View Server Variables"
- Click "Add..." and add the variable "HTTP_JESPA_CONNECTION_ID"
- Click "Back to Rules"
- Click "Add Rule(s)..."
- Select "Inbound Rules"/"Blank Rule"
- Give the rule a meaningful name, for example "set Jespa-Connection-Id header for SSO"
- Select "Matches the pattern", "Regular expression", enter ".*" as the regex, check "Ignore case"
- Skip the "Conditions" section
- Open the "Server Variables" section
- Click "Add"
- Add "HTTP_JESPA_CONNECTION_ID", set value to "{REMOTE_ADDR}:{REMOTE_PORT}", check "Replace the existing value"
- Select "None" in "Action"
- Click "Apply" to save the rule
- Make sure this rule is at the top of the rules chain for the site
Configuring via web.config
If you want to configure this via XML, web.config needs to be:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <allowedServerVariables>
        ...
        <add name="HTTP_JESPA_CONNECTION_ID"/>
        ...
      </allowedServerVariables>
      <rules>
        ...
        <rule name="set header">
          <match url=".*" />
          <serverVariables>
            <set name="HTTP_JESPA_CONNECTION_ID" value="{REMOTE_ADDR}:{REMOTE_PORT}" />
          </serverVariables>
          <action type="None" />
        </rule>
        ...
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
Please note that the allowed server variable list can only be altered in web.config if C:\Windows\System32\inetsrv\config\applicationHost.config has this section "unlocked" with overrideModeDefault="Allow" instead of overrideModeDefault="Deny".
<sectionGroup name="rewrite">
  ...
  <section name="allowedServerVariables" overrideModeDefault="Allow" />
  ...
</sectionGroup>
If you do not want to change the settings in that file (the change applies to all sites), the only alternative is to add the HTTP_JESPA_CONNECTION_ID variable to the allowed list via the GUI (see above).
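Whether the rule was created in the GUI or written into web.config, the result can be checked against the requirements listed above. The following is an added example (not EasySSO's own code and not from the original page): it parses a web.config with Python's standard XML library and reports when the HTTP_JESPA_CONNECTION_ID server variable is not on the allowed list, when the rule does not match every request, sets a different value, has "Replace the existing value" switched off, has an action other than None, or is not first in the rules chain. The two sample configurations and the backend URL in them are constructed for the example.

```python
"""Check an IIS web.config for the EasySSO connection-id rewrite rule.

Added example, not EasySSO's own code and not from the original page. It
tests the requirements the page states: HTTP_JESPA_CONNECTION_ID is on the
allowed server variable list, a rule matching ".*" sets it to
"{REMOTE_ADDR}:{REMOTE_PORT}" with "replace the existing value" on, the
rule's action is None, and the rule sits first in the rules chain.
"""
import xml.etree.ElementTree as ET

VARIABLE = "HTTP_JESPA_CONNECTION_ID"
EXPECTED_VALUE = "{REMOTE_ADDR}:{REMOTE_PORT}"


def check_web_config(xml_text):
    """Return a list of problems; an empty list means the config is as the page requires."""
    problems = []
    root = ET.fromstring(xml_text)
    rewrite = root.find("./system.webServer/rewrite")
    if rewrite is None:
        return ["no <rewrite> section under <system.webServer>"]

    allowed = {a.get("name") for a in rewrite.findall("./allowedServerVariables/add")}
    if VARIABLE not in allowed:
        problems.append(f"{VARIABLE} is missing from <allowedServerVariables> "
                        "(unlock the section in applicationHost.config or add it in the GUI)")

    rules = rewrite.findall("./rules/rule")
    positions = [i for i, r in enumerate(rules)
                 if r.find(f"./serverVariables/set[@name='{VARIABLE}']") is not None]
    if not positions:
        problems.append(f"no rule sets {VARIABLE}")
        return problems

    idx = positions[0]
    rule = rules[idx]
    if idx != 0:
        # A preceding rule with stopProcessing="true" ends rewriting before this
        # rule runs, which is why the page insists it is at the top of the chain.
        problems.append(f"rule {rule.get('name')!r} is at position {idx + 1}, not first")

    match = rule.find("./match")
    if match is None or match.get("url") not in (".*", "(.*)"):
        problems.append('rule must match every request (match url=".*")')

    setting = rule.find(f"./serverVariables/set[@name='{VARIABLE}']")
    if setting.get("value") != EXPECTED_VALUE:
        problems.append(f"{VARIABLE} is set to {setting.get('value')!r}, expected {EXPECTED_VALUE!r}")
    # URL Rewrite treats a missing replace attribute as true; only an explicit
    # "false" is flagged, because then a client-supplied header would survive.
    if setting.get("replace", "true").lower() == "false":
        problems.append("replace is disabled; an existing Jespa-Connection-Id header would be kept")

    action = rule.find("./action")
    if action is None or action.get("type") != "None":
        problems.append("rule action must be None so the request is passed on unchanged")
    return problems


# Constructed sample configs; the backend URL is a placeholder, not from the page.
GOOD_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><rewrite>
  <allowedServerVariables><add name="HTTP_JESPA_CONNECTION_ID"/></allowedServerVariables>
  <rules>
    <rule name="set header"><match url=".*" />
      <serverVariables><set name="HTTP_JESPA_CONNECTION_ID" value="{REMOTE_ADDR}:{REMOTE_PORT}" /></serverVariables>
      <action type="None" /></rule>
    <rule name="proxy" stopProcessing="true"><match url="(.*)" />
      <action type="Rewrite" url="http://backend.example:8090/{R:1}" /></rule>
  </rules>
</rewrite></system.webServer></configuration>"""

# Same site, but the header rule comes after the proxy rule, the allowed list is
# missing, and "replace the existing value" is switched off.
BAD_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><rewrite>
  <rules>
    <rule name="proxy" stopProcessing="true"><match url="(.*)" />
      <action type="Rewrite" url="http://backend.example:8090/{R:1}" /></rule>
    <rule name="set header"><match url=".*" />
      <serverVariables><set name="HTTP_JESPA_CONNECTION_ID" value="{REMOTE_ADDR}:{REMOTE_PORT}" replace="false" /></serverVariables>
      <action type="None" /></rule>
  </rules>
</rewrite></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_web_config(cfg) or "OK")
```

Run it against your own site's web.config by reading the file into a string and passing it to check_web_config; a rule that was created only in the GUI still ends up in the site's web.config, so the same check applies.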
Once you have reconfigured IIS this way, the telltale sign that it is working appears in jespa.log at log level 4: the jespa-connection-id request header and the subsequent AuthContext lines show the remote client's IP address and port (172.16.9.39:62624 below) rather than the proxy's. Some values have been obscured with ****.
2015-03-13 19:44:37: HttpSecurityService: C: GET /rest/mywork/latest/status/notification/count
2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=********* | x-requested-with=XMLHttpRequest | accept=application/json, text/javascript, */*; q=0.01 | referer=******* | accept-language=en-AU | accept-encoding=gzip, deflate | user-agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) | dnt=1 | cookie=confluence-sidebar.width=55; confluence.browse.space.cookie=space-blogposts; JSESSIONID=592AF09B33C01304B1D068007FA41E93 | authorization=NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== | jespa-connection-id=172.16.9.39:62624 | x-forwarded-for=172.16.9.39 | x-forwarded-host=******* | x-forwarded-server=******** | connection=Keep-Alive
2015-03-13 19:44:37: HttpSecurityService: Loading session state from session 592AF09B33C01304B1D068007FA41E93
2015-03-13 19:44:37: HttpSecurityService: Importing provider state
2015-03-13 19:44:37: HttpSecurityService: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2015-03-13 19:44:37: HttpSecurityService: 172.16.9.39:62624: token.length=40
2015-03-13 19:44:37: HttpSecurityService: AuthContext: 172.16.9.39:62624
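The check described above can be automated over a jespa.log excerpt. The following is an added example (not EasySSO's own code and not from the original page): it scans the HttpSecurityService lines and reports requests where the jespa-connection-id header is missing (the rewrite rule is not firing), carries the proxy's own address rather than the client's, disagrees with x-forwarded-for, or does not match the AuthContext the backend then uses. The sample log lines are constructed after the excerpt above with the obscured fields and the NTLM token left out, and the proxy address 10.0.0.5 is a placeholder.

```python
"""Check jespa.log (log level 4) for the telltale sign the page describes.

Added example, not EasySSO's own code and not from the original page. It
parses the HttpSecurityService lines and reports when the
jespa-connection-id header is absent, carries the proxy's address instead
of the client's, disagrees with x-forwarded-for, or does not match the
AuthContext the backend then uses.
"""
import re

HEADERS_RE = re.compile(r"HttpSecurityService: Request Headers: (?P<headers>.*)$")
AUTHCTX_RE = re.compile(r"HttpSecurityService: AuthContext: (?P<addr>\S+)$")
ADDR_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def parse_headers(blob):
    """Split 'name=value | name=value' as logged into a dict with lower-case names."""
    headers = {}
    for part in blob.split(" | "):
        name, _, value = part.partition("=")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_jespa_log(lines, proxy_ip):
    """Return a list of problems; empty means every request carried a client connection id."""
    problems = []
    requests = 0
    last_id = None
    for line in lines:
        m = HEADERS_RE.search(line)
        if m:
            requests += 1
            headers = parse_headers(m.group("headers"))
            last_id = headers.get("jespa-connection-id")
            if last_id is None:
                problems.append("request without jespa-connection-id: the rewrite rule is not firing")
                continue
            a = ADDR_RE.match(last_id)
            if not a:
                problems.append(f"malformed jespa-connection-id {last_id!r}")
                continue
            if a.group("ip") == proxy_ip:
                problems.append(f"{last_id} is the proxy's address, not the client's")
            xff = headers.get("x-forwarded-for")
            if xff and xff.split(",")[0].strip() != a.group("ip"):
                problems.append(f"{last_id} disagrees with x-forwarded-for {xff}")
            continue
        m = AUTHCTX_RE.search(line)
        if m and last_id and m.group("addr") != last_id:
            problems.append(f"AuthContext {m.group('addr')} does not match jespa-connection-id {last_id}")
    if requests == 0:
        problems.append("no 'Request Headers' lines found; is jespa.log at log level 4?")
    return problems


# Constructed sample lines modelled on the page's excerpt (token and obscured fields omitted).
PROXY_IP = "10.0.0.5"  # placeholder address of the IIS reverse proxy
GOOD_LOG = [
    "2015-03-13 19:44:37: HttpSecurityService: C: GET /rest/mywork/latest/status/notification/count",
    "2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=confluence.example | "
    "accept=application/json, text/javascript, */*; q=0.01 | jespa-connection-id=172.16.9.39:62624 | "
    "x-forwarded-for=172.16.9.39 | connection=Keep-Alive",
    "2015-03-13 19:44:37: HttpSecurityService: 172.16.9.39:62624: token.length=40",
    "2015-03-13 19:44:37: HttpSecurityService: AuthContext: 172.16.9.39:62624",
]
# Same traffic without the rule (no header) and with the proxy's address in the header.
BAD_LOG = [
    "2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=confluence.example | "
    "x-forwarded-for=172.16.9.39 | connection=Keep-Alive",
    "2015-03-13 19:44:37: HttpSecurityService: AuthContext: 10.0.0.5:50017",
    "2015-03-13 19:44:38: HttpSecurityService: Request Headers: host=confluence.example | "
    "jespa-connection-id=10.0.0.5:50017 | x-forwarded-for=172.16.9.39 | connection=Keep-Alive",
    "2015-03-13 19:44:38: HttpSecurityService: AuthContext: 10.0.0.5:50017",
]

if __name__ == "__main__":
    print("good:", check_jespa_log(GOOD_LOG, PROXY_IP) or "OK")
    print("bad:", check_jespa_log(BAD_LOG, PROXY_IP))
```

To use it on a real log, read jespa.log into a list of lines and pass the address of your IIS proxy; an empty result means every logged request carried the client's own address and port through to the authentication context.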