Comments on: JIRA Standalone – Major Vulnerability

By: Michael Fox

Michael Fox — Fri, 20 Mar 2009 10:38:58 +0000

If you dig around, you should be able to find some documentation to make it so that your several instances of Jira on a single host can be accessed via your normal webserver.

ie. I installed 2 instances of Jira onto a single host, and bound them to 8080 and 8081.

I then installed apache, and some suitable modules. Then configured apache so that http://host.domain.com/jira-one/ would serve the contents of jira instance one from 8080, then then http://host.domain.com/jira-two/ would serve the contents of jira instance two from 8081.

So all the user has to remember is http://site…/jira-one/ or http://site…/jira-two/

Had hoped to use vhosts to do it, but I will give that another go soon enough, but for the moment. I am happy with the current arrangement.

By: Karl Katzke

Karl Katzke — Fri, 14 Mar 2008 01:31:00 +0000

Tim – There’s two ways to handle this. One is to use the jsvc extension, which would run one thread as Root to open the port, and one thread as TOMCAT_USER (an unprivileged user) to actually handle the requests. I can’t figure out in the tangle of configuration files; they do seem to be using jsvc but passing the –user option in the catalina start shell script does not seem to work.

How *we* handle it is by putting squid in front of it with a port redirect…. but we have a load balancing setup that allows us to do that. You could use Apache for this, you could use your box’s firewall to forward all requests from port 80 to port 8080, etc. so on so forth. It depends on your environment and how detailed you’re willing to get with configuration.

The point still remains — don’t run JIRA standalone as root. You really, really don’t want Tomcat running with root permissions.

By: Tim Kientzle

Tim Kientzle — Fri, 14 Mar 2008 00:26:57 +0000

But then you can’t run Jira on port 80, can you?