First 2014 meeting of the Atlassian User Group Hamburg - AUGHH
21.01.2014, ergon Datenprojekte GmbH
Nils Hofmeister
Bigpoint GmbH

Atlassian meets Kerberos
How we implemented SSO 3 times ;)
Drehbahn 47-48, 20354 HAMBURG, GERMANY

PRESENTATION
Intro
• Intro - Environment
• Jira and LAMP
• Confluence and „native“ kerberization
• Proxy solution
• Next steps
Intro - Environment
• Active Directory
• Kerberos
• Windows + Mac + Linux clients
• Linux servers (almost all Debian)
• MySQL
• Jira + Confluence installed via shell scripts from tarball
Intro - Environment
Jira
• 889 users, 406 groups, 335.726 tickets
• 109 active projects, 91 retired
• Jira Agile (aka Greenhopper) active for 27 projects
• Started 07.09.2010
Confluence
• 662 users, 168 groups, 203 spaces, 32.678 pages*
• Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
• Started 13.04.2011

* SELECT COUNT(*) FROM CONTENT WHERE CONTENTTYPE = "page" AND CONTENT_STATUS = "current" AND PREVVER IS NULL
Intro - Environment
[Kerberos authentication overview diagram: http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif]
What we tried
Jira and LAMP
Does the job okay...
• Apache does Kerberos auth
• Apache calls „Loginproxy“
• Loginproxy identifies pwd
• Loginproxy redirects
• AD sync via php cron
• Groups + users + membership
Jira and LAMP
Does the job okay...
Pro:
• Utilizes our Apache Kerberos voodoo
• Works quite stable...
Con:
• Pretty complicated piece of custom SW
• Awkward cron job
• Utilizes some deprecated legacy stuff
• ...sometimes not reliable, hard to debug
• External Jira clients hard or impossible to use
http://talljerome.com/images/wrkpstr_wrongtool.jpg
Confluence and native kerberization
Least complicated in theory
• No proxy
• Directly call Tomcat
• Kerberos via SPNEGO
• Custom http authenticator
• Some handish keytab handling
• AD sync via Python cron
• Groups + users + membership
Confluence and native kerberization
Least complicated in theory
Pro:
• Simple design
• Feels like „we tamed the monster“
Con:
• We could only reproduce it once
• All other instances refused to work
• Customized SPNEGO lib
• Auth errors nearly impossible to debug
http://ih3.redbubble.net/image.3818192.2622/flat,550x550,075,f.jpg
Proxy Solution
Most efficient way for us in practice
• Apache does Kerberos auth
• Apache reverse proxy
• Rewrite rules + write header
• Custom http authenticator
• AD sync via standard AD directory
Proxy Solution
Most efficient way for us in practice
Pro:
• Reuse of given Apache expertise
• Reuse of http authenticator
• Little application customizing
• Easy handling of SSL
• No custom AD synchronization
• Least customized stack
Con:
• AD/LDAP config is a pain
• Hard to find the right vhost configuration
http://www.mantiburi.com/files/5113/7329/5814/my-little-pony.png
How the proxy stuff works
Proxy Solution
Most efficient way for us in practice
...
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
...

<Location />
    AuthType Kerberos
    AuthName confluence_%_user
    Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
    KrbServiceName HTTP/xyz.nue.bigpoint.net
    ...
    KrbAuthRealm BIGPOINT.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials on
    KrbVerifyKDC off
    AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
    Require group confluence_%_user
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx 127.0.0.1
    Satisfy any
</Location>
...

<VirtualHost 0.0.0.0:80>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>

<VirtualHost 0.0.0.0:8080>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    ProxyPass ajp://localhost/
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>
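The slide shows the configuration but not what it decides for a single request. The Python model below is an added illustration, not Bigpoint's configuration or code: it imitates the RewriteCond / RewriteRule / RequestHeader chain, the `Require group` check against the DBM group file, and the `Satisfy any` + `Allow from` exception, and returns the headers that would reach Confluence over AJP. The group file contents, user names, the allowed address and the realm-stripping step are constructed assumptions. It also makes explicit a step the snippet does not show: the client's own REMOTE_USER header is dropped unconditionally, because `RequestHeader set ... env=RU` only fires when Kerberos succeeded, and the `Allow from` addresses get in without Kerberos.

```python
"""Model of the Apache-side REMOTE_USER hand-off from the slide.

Added illustration, not Bigpoint's configuration or code. Group data,
addresses and user names are constructed.
"""
from typing import Dict, Optional


class AuthError(Exception):
    """Raised where Apache would answer 401 or 403 instead of proxying."""


# Constructed stand-in for the AuthDBMGroupFile: user -> comma-separated groups
# (the record layout mod_authz_dbm reads). Names are made up.
GROUP_FILE = {
    "alice": "confluence_user,balsamiq_user,AllEmployees",
    "bob": "AllEmployees",
}
REQUIRED_GROUP = "confluence_user"   # stands in for the slide's confluence_%_user placeholder
ALLOW_FROM = {"127.0.0.1"}           # the slide's `Allow from xx.xx.xx.xx 127.0.0.1`


def user_in_group(user: str, group: str, group_file=GROUP_FILE) -> bool:
    """`Require group`: look the user up in the group file and test membership."""
    return group in group_file.get(user, "").split(",")


def principal_to_user(principal: str) -> str:
    """Map 'user@REALM' to the bare name Confluence knows (assumption: realm stripped)."""
    return principal.split("@", 1)[0]


def forward_headers(client_headers: Dict[str, str],
                    kerberos_principal: Optional[str],
                    peer_ip: str,
                    allow_from=ALLOW_FROM) -> Dict[str, str]:
    """Return the headers Apache would send to ajp://localhost/.

    kerberos_principal is what mod_auth_kerb put into REMOTE_USER after a
    successful SPNEGO exchange, or None when the client presented no ticket.
    """
    # Unconditionally drop any REMOTE_USER the client sent, whatever its spelling.
    # This is the `RequestHeader unset` step the slide's snippet does not show:
    # its `RequestHeader set ... env=RU` only runs when Kerberos succeeded.
    upstream = {k: v for k, v in client_headers.items()
                if k.lower().replace("-", "_") != "remote_user"}
    if kerberos_principal is not None:
        user = principal_to_user(kerberos_principal)
        if not user_in_group(user, REQUIRED_GROUP):
            raise AuthError("403: %s is not in group %s" % (user, REQUIRED_GROUP))
        # RewriteCond %{LA-U:REMOTE_USER} (.+) -> [E=RU:%1] -> RequestHeader set REMOTE_USER
        upstream["REMOTE_USER"] = user
        return upstream
    if peer_ip in allow_from:
        # `Satisfy any`: the address is let in without Kerberos. No RU variable
        # exists, so no REMOTE_USER is set and Confluence sees an anonymous request.
        return upstream
    raise AuthError("401: no Kerberos ticket accepted and %s is not allowed" % peer_ip)


if __name__ == "__main__":
    print(forward_headers({"Accept": "*/*", "Remote-User": "admin"},
                          "alice@BIGPOINT.LOCAL", "10.0.0.5"))
```

Run with a user outside the group to see the 403 path, and with no principal from a non-allowed address to see the 401 path; the case worth remembering is the allowed address without a ticket, where a client-supplied header is dropped rather than forwarded.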
Proxy Solution
Most efficient way for us in practice
<Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
  <Service name="Tomcat-Standalone">
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <Manager pathname="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
Proxy Solution
Most efficient way for us in practice
public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
    ...
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        ...
        // The user name Apache wrote into the REMOTE_USER request header after Kerberos auth.
        String remoteUser = request.getHeader("remote_user");
        ...
        // Resolve that name to a Confluence user via the configured user directory.
        Principal user = getUser(remoteUser);
        ...
        // Modify session signaling that we are authenticated now.
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
        log.debug("Logged in via SSO with User " + remoteUser);
        return user;
    }

}

https://github.com/Bigpoint/remoteuser-confluence-authenticator
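The authenticator takes `request.getHeader("remote_user")` at face value, so the header is only as trustworthy as the path it arrived on: the AJP connector must not be reachable by anyone but the Apache proxy. The Python below is an added illustration, not the authenticator's code or Bigpoint's: it models the backend decision with an explicit trusted-peer check, and parses the server.xml from the earlier slide to report AJP connectors that are not bound to a loopback address. The trusted-proxy list is an assumption (Apache on the same host, matching `ProxyPass ajp://localhost/`). Note what the check finds on the slide's own file: the `address="127.0.0.1"` sits on `<Server>`, which is the shutdown listener, not on the AJP `<Connector>`, and Tomcat of that era listens on all interfaces when the Connector has no `address`, so the loopback restriction has to come from the host firewall or from adding the attribute to the Connector.

```python
"""Backend-side trust check for the REMOTE_USER header.

Added illustration, not the RemoteUserAuthenticator's code. The trusted-proxy
addresses are an assumption; the server.xml is copied from the slide.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Assumption: Apache proxies from the same host (ProxyPass ajp://localhost/).
TRUSTED_PROXIES = ("127.0.0.1", "::1")


def sso_user(headers: Dict[str, str], peer_ip: str,
             trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Mirror of getUser(): return the REMOTE_USER name, or None for anonymous.

    Unlike the slide's code it honours the header only when the connection came
    from a trusted proxy; a request that reached Tomcat directly is anonymous.
    """
    if peer_ip not in trusted:
        return None
    for name, value in headers.items():   # servlet getHeader() is case-insensitive
        if name.lower().replace("-", "_") == "remote_user" and value.strip():
            return value.strip()
    return None


# The server.xml shown on the slide (verbatim copy, used here as sample input).
SERVER_XML = """<Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
<Service name="Tomcat-Standalone">
<Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
<Manager pathname="" />
</Context>
</Host>
</Engine>
</Service>
</Server>"""

# Constructed corrected variant: the address attribute moved onto the Connector.
SERVER_XML_FIXED = SERVER_XML.replace(
    'protocol="AJP/1.3"', 'protocol="AJP/1.3" address="127.0.0.1"')


def unbound_ajp_connectors(server_xml: str) -> List[str]:
    """Return the ports of AJP connectors that are not bound to a loopback address.

    A Connector without an address attribute listens on every interface
    (Tomcat of the slide's era), so it is reported as unbound.
    """
    root = ET.fromstring(server_xml)
    unbound = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        addr = conn.get("address")
        if addr is None or not ipaddress.ip_address(addr).is_loopback:
            unbound.append(conn.get("port"))
    return unbound


if __name__ == "__main__":
    print("unbound AJP connectors (slide):", unbound_ajp_connectors(SERVER_XML))
    print("unbound AJP connectors (fixed):", unbound_ajp_connectors(SERVER_XML_FIXED))
    print(sso_user({"REMOTE_USER": "alice"}, "127.0.0.1"))
```

The `address` attribute on `<Server>` only restricts the shutdown port; the same attribute has to appear on the `<Connector>` for the AJP listener itself to be loopback-only, which is what the corrected variant adds.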
Proxy Solution
Most efficient way for us in practice

"ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
...
"ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
Next steps
Next Steps
We are not there yet...
• Test instances – done
• Confluence production – done
• Jira production + reverse proxy – todo
• Jira production + AD – todo
• Integrate production instances – todo
• Better understanding of AD integration – todo
• In general
• Better automation would be great (e.g. Chef)