We’ve been rather aggressive in our adoption of BeyondCorp, with the help of Duo and their epic Network Gateway, and for the most part, it all just works as you’d expect. However, Confluence is being a bit weird and I’ve a sneaky feeling it has to do with too many moving parts and DNG, and I’m hoping someone else here has solved this, or possibly knows how.
- Duo Network Gateway (DNG)
- Microsoft ADFS
- Duo Mobile
- Ubuntu box running Atlassian Confluence 6.2
- Apache24 with mod_proxy
For most things, it works. User visits https://conf.whee.com and they get redirected to our ADFS, where they use their corp domain creds, then have to deal with Duo MFA for the final step. If all is good, their device is healthy and in a set geographic location, they are presented with the login page for Confluence.
Once auth’d, they can do most things Confluence, except some bits like removing spaces and pages. Here is where I think the numerous proxies are actually causing issues. When you try and do any of those commands, you get a spinning wheel of death and a 403:
10.0.0.6 - - [17/Jan/2018:16:15:05 +0000] "POST /rest/webResources/1.0/resources HTTP/1.1" 403 3712 "https://conf.whee.com/display/chicken/This+should+work" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0"
For everything else, it functions as I’d expect it to. So the usual fault-finding approach has seen me:
1: Ensure the traffic is being proxied as it should be. In this case, yes, as I can create content and do what one does when using Confluence.
2: Are the required ports listening? Yes, all is there and redirected where needed.
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9085/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1565/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 28265/master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1380/mysqld
tcp6 0 0 :::22 :::* LISTEN 9085/sshd
tcp6 0 0 ::1:25 :::* LISTEN 28265/master
tcp6 0 0 :::8090 :::* LISTEN 108254/java
tcp6 0 0 :::8091 :::* LISTEN 108586/java
tcp6 0 0 :::8443 :::* LISTEN 108254/java
tcp6 0 0 :::443 :::* LISTEN 36262/apache2
tcp6 0 0 127.0.0.1:8000 :::* LISTEN 108254/java
tcp6 0 0 :::80 :::* LISTEN 36262/apache2
So is the REST issue being hit by DNG not forwarding right from the browser, or is it something closer to the source? Has anyone else deployed Confluence this way?
I’ve hit a brick wall here, so any help in putting me out of my misery would be so amazing right now.