Redirect HTTP Requests to HTTPS
背景
Bitbucket Server 4.0 enables additional security to protect against XSRF attacks a thorough explanation of XSRF and why it has been enabled on Bitbucket server is out of scope for this article. Briefly XSRF protection is enabled to prevent users being tricked into unintentionally submitting malicious data. For more information see https://en.wikipedia.org/wiki/Cross-site_request_forgery
This article describes how to securely redirect HTTP requests to the correct HTTPS URL, and never allow plain HTTP access (or mixed HTTP/HTTPS access) to your Bitbucket Server instance.
You can configure your Bitbucket Server instance for HTTPS by following the instructions on the page Secure Bitbucket with Tomcat using SSL. You may also wish to listen to plain HTTP requests and redirect them instantly to the secure HTTPS URL. This allows users to navigate to http://bitbucket.mycompany.com/... (for example, by typing the URL directly in a browser) and still load the correct URL https://bitbucket.mycompany.com
instead of receiving no content or a blank page.
Prior to Bitbucket Server 4.0, a security constraint for redirecting from HTTP to HTTPS was not enforced, meaning users could type "http://<stash-url>" into their browser and still be shown a functioning version of Bitbucket Server (or Stash). Included with the release of Bitbucket Server 4.0 was a fix to enforce the security constraint. Using the previous security configuration with Bitbucket Server 4.0 means trying to access the application over an insecure connection, meaning if users type "http" when trying to get to the application, they could encounter erroneous behavior.
症状
If your Bitbucket Server instance has been misconfigured to allow HTTP or mixed HTTP/HTTPS access, then you may observe the following error being triggered by Bitbucket's XSRF protection.
How to redirect using Apache
Edit /etc/httpd/conf/httpd.conf
RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
You will need to restart Apache for your changes to take effect.
apachectl -k graceful
- Verify that request are being redirected, see the section below on verification.
How to redirect using Nginx
Edit
/etc/nginx/nginx.conf
and add the following section:server { listen 80; server_name mycompany.com; return 301 https://$server_name$request_uri; }
Run the following command to have Nginx reload it's configuration.
nginx -s reload
Verify that request are being redirected, see the section below on verification.
How to redirect using HAProxy
The below snippet configures a frontend named bitbucket-frontend to redirect all http traffic to https.
frontend bitbucket-frontend redirect scheme https code 301 if !{ ssl_fc }
Restart HAProxy
/etc/init.d/haproxy restart
Verify that request are being redirected, see the section below on verification.
How to redirect using Amazon ELB or other proxy
How to redirect without using proxy
Verification
There are a number of ways to verify that configuration has been setup correctly two of them are.
- Using a browser once Bitbucket Server starts entirely, try navigating to any page within the application prefixed by "http," and you should be automatically redirected to the same address prefixed by "https."
Using curl run the following command
curl -v http://bitbucket.mycompany.com/
Verify that you get a response with a 301 or 302 header such as
* Connected to bitbucket.mycompany.com (172.x.x.x) port 80 (#0) > GET / HTTP/1.1 > Host: stash.atlassian.com > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 301 Moved Permanently < Server: nginx < Date: Fri, 25 Sep 2015 02:35:29 GMT < Content-Type: text/html < Content-Length: 178 < Connection: keep-alive < Location: https://bitbucket.mycompany.com/