Redirect HTTP Requests to HTTPS
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Background
Bitbucket Server 4.0 enables additional security to protect against XSRF attacks. A thorough explanation of XSRF and why it has been enabled in Bitbucket Server is out of scope for this article; briefly, XSRF protection prevents users from being tricked into unintentionally submitting malicious requests. For more information see https://en.wikipedia.org/wiki/Cross-site_request_forgery
This article describes how to securely redirect HTTP requests to the correct HTTPS URL, and never allow plain HTTP access (or mixed HTTP/HTTPS access) to your Bitbucket Server instance.
You can configure your Bitbucket Server instance for HTTPS by following the instructions on the page Secure Bitbucket with Tomcat using SSL. You may also wish to listen for plain HTTP requests and redirect them immediately to the secure HTTPS URL. This allows users to navigate to http://bitbucket.mycompany.com/... (for example, by typing the URL directly in a browser) and still load the correct URL https://bitbucket.mycompany.com instead of receiving no content or a blank page.
Prior to Bitbucket Server 4.0, a security constraint for redirecting from HTTP to HTTPS was not enforced, meaning users could type "http://<stash-url>" into their browser and still be shown a functioning version of Bitbucket Server (or Stash). Bitbucket Server 4.0 included a fix that enforces the security constraint. If you keep the previous security configuration with Bitbucket Server 4.0, the application can still be reached over an insecure connection, so users who type "http" when navigating to the application may encounter erroneous behavior.
Symptoms
If your Bitbucket Server instance has been misconfigured to allow HTTP or mixed HTTP/HTTPS access, then you may observe the following error being triggered by Bitbucket's XSRF protection.

How to redirect using Apache
Edit /etc/httpd/conf/httpd.conf
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
You will need to restart Apache for your changes to take effect.
apachectl -k graceful
Verify that requests are being redirected; see the Verification section below.
How to redirect using Nginx
Edit /etc/nginx/nginx.conf and add the following section:
server {
    listen 80;
    server_name mycompany.com;
    return 301 https://$server_name$request_uri;
}
Run the following command to have Nginx reload its configuration.
nginx -s reload
Verify that requests are being redirected; see the Verification section below.
How to redirect using HAProxy
The snippet below configures a frontend named bitbucket-frontend to redirect all HTTP traffic to HTTPS.
frontend bitbucket-frontend
    redirect scheme https code 301 if !{ ssl_fc }
Restart HAProxy:
/etc/init.d/haproxy restart
Verify that requests are being redirected; see the Verification section below.
How to redirect using Amazon ELB or other proxy
Bitbucket Server 5.0+
If Bitbucket is configured behind a proxy/load balancer or other device that does not support redirection, the following configuration can be used. In order for this configuration to work, your device must be set up to direct HTTP (port 80) and HTTPS (port 443) traffic to Bitbucket's port 7990. In this configuration, SSL terminates at the load balancer (proxy). Note that this configuration redirects all HTTP traffic to HTTPS except for requests for /status, because some load balancers mark a node as unavailable if they receive a redirect. This allows you to configure the load balancer to use /status as its health check endpoint.
Within <Bitbucket Server home directory>/shared/bitbucket.properties, ensure the redirect-port exists in the insecure connector and is set to the port of the secure connector. Here is an example of the correct configuration:
Secure port
server.proxy-name=bitbucket.company.com
server.proxy-port=443
server.secure=true
server.require-ssl=true
server.redirect-port=443
Restart Bitbucket Server.
Up to Bitbucket Server 4.14
If Bitbucket is configured behind a proxy/load balancer or other device that does not support redirection, the following configuration can be used. In order for this configuration to work, your device must be set up to direct HTTP (port 80) traffic to Bitbucket's port 7991 and HTTPS (port 443) traffic to Bitbucket's port 7990. Note that this configuration redirects all HTTP traffic to HTTPS except for requests for /status, because some load balancers mark a node as unavailable if they receive a redirect. This allows you to configure the load balancer to use /status as its health check endpoint.
Within <Bitbucket Server home directory>/shared/server.xml, ensure the redirectPort attribute exists in the insecure connector and is set to the port of the secure connector. Here is an example of the correct configuration:
Secure port
<Connector port="7990" protocol="HTTP/1.1"
    maxHttpHeaderSize="65536"
    proxyName="bitbucket.company.com" proxyPort="443"
    URIEncoding="UTF-8"
    secure="true" scheme="https"
    connectionTimeout="20000"
    useBodyEncodingForURI="true"
    compression="on"
    compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
Insecure port
<Connector port="7991" protocol="HTTP/1.1"
    maxHttpHeaderSize="65536"
    URIEncoding="UTF-8"
    connectionTimeout="20000"
    useBodyEncodingForURI="true"
    redirectPort="443"
    compression="on"
    compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
Within <Bitbucket Server installation directory>/conf/web.xml, add the following configuration before the closing </web-app> tag:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOrHTTP</web-resource-name>
        <url-pattern>/status*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Restart Bitbucket Server.
How to redirect without using proxy
Bitbucket Server 5.0+
If you do not use a proxy and SSL is terminated on Bitbucket Server itself, the following configuration should be used. It assumes that the HTTP port is 7990 and the HTTPS port is 8443.
Within <Bitbucket Server home directory>/shared/bitbucket.properties, ensure the redirect-port exists in the insecure connector and is set to the port of the secure connector. Here is an example of the correct configuration:
Secure port
server.additional-connector.1.port=8443
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-alias=tomcat
server.additional-connector.1.ssl.key-store=/path/to/keystore/bitbucket.jks
server.additional-connector.1.ssl.key-store-password=<password value>
server.additional-connector.1.ssl.key-password=<password value>
Insecure port
server.port=7990
server.redirect-port=8443
server.require-ssl=true
Restart Bitbucket Server.
Up to Bitbucket Server 4.14
Within <Bitbucket Server home directory>/shared/server.xml, ensure the redirectPort attribute exists in the insecure connector and is set to the port of the secure connector. Here is an example of the correct configuration.
Secure port
<Connector port="8443"
    maxHttpHeaderSize="8192"
    SSLEnabled="true"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false"
    disableUploadTimeout="true"
    useBodyEncodingForURI="true"
    acceptCount="100"
    scheme="https" secure="true"
    clientAuth="false"
    sslProtocol="TLSv1.2" />
Insecure port
<Connector port="7990" protocol="HTTP/1.1"
    connectionTimeout="20000"
    useBodyEncodingForURI="true"
    redirectPort="8443"
    compression="on"
    compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
Within <Bitbucket Server installation directory>/conf/web.xml, add the following configuration before the closing </web-app> tag:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOrHTTP</web-resource-name>
        <url-pattern>/status*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Restart Bitbucket Server.
Verification
There are a number of ways to verify that the configuration has been set up correctly; two of them are:
Using a browser: once Bitbucket Server has started completely, try navigating to any page within the application prefixed by "http", and you should be automatically redirected to the same address prefixed by "https".
Using curl: run the following command
curl -v http://bitbucket.mycompany.com/
Verify that you get a response with a 301 or 302 status and a Location header pointing at the HTTPS URL, such as:
* Connected to bitbucket.mycompany.com (172.x.x.x) port 80 (#0)
> GET / HTTP/1.1
> Host: stash.atlassian.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 25 Sep 2015 02:35:29 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://bitbucket.mycompany.com/
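The curl check above only eyeballs the status line. The following script, an added example that is not part of this Atlassian article, applies the same checks mechanically to a captured response head: a redirect must be 301/302, its Location must use https, stay on the same host and preserve the requested path, while a health-check path such as /status (served over plain HTTP in the load balancer configuration) must not redirect at all. The sample response and host name are constructed, modelled on the curl output above.

```python
"""Mechanical check of an HTTP -> HTTPS redirect response head."""
from urllib.parse import urlsplit

# Constructed sample (not a real capture): headers a redirecting front end
# returns for a plain-HTTP request to /projects/ABC.
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Location: https://bitbucket.mycompany.com/projects/ABC\r\n"
    "\r\n"
)
# Constructed sample: what /status should return over plain HTTP (no redirect).
SAMPLE_STATUS = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw, requested_host, requested_path, health_paths=("/status",)):
    """Return (ok, reason) for a response to a plain-HTTP request.

    Health-check paths must be served directly (200), everything else must be a
    301/302 whose Location is https on the same host with the path preserved."""
    status, headers = parse_response_head(raw)
    if any(requested_path.startswith(p) for p in health_paths):
        return status == 200, "health path %s returned %d" % (requested_path, status)
    if status not in (301, 302):
        return False, "expected 301/302, got %d (plain HTTP is being served)" % status
    location = headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, "Location scheme is %r, not https" % target.scheme
    if target.hostname != requested_host.lower():
        return False, "redirect leaves the host: %r" % target.hostname
    if target.path != requested_path:
        return False, "path not preserved: %r != %r" % (target.path, requested_path)
    return True, "%d -> %s" % (status, location)
```

Feed it the `<` lines of a real `curl -v` run (joined with CRLF) for each path you care about; a 200 on a non-health path means plain HTTP is still being served.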