We are facing a security issue: the security audit team has complained that the use of basic authentication is the cause.
We tried with SSL certs and we got a response from Atlassian team stating that this might lead to performance degradation and might even get the server to a hung state.
Can anyone share any other suggestion for this?
It's unlikely that you'll hang Bitbucket Server by implementing SSL at Tomcat. There are some performance considerations - namely it will take more CPU cycles to serve requests over HTTPS from Tomcat directly, which is why most customers choose to use a reverse proxy to terminate HTTPS. Apache/nginx/F5/etc are a bit more efficient about serving HTTPS than Tomcat is.
However, if your security team is concerned about end-to-end encryption, I would suggest that ensuring you are compliant with your organization's security policies takes priority. The small amount of overhead that serving HTTPS directly from Tomcat incurs is not a show-stopper for the application. Depending on your environment, you will likely see added milliseconds on your page render times, but it should not be significant enough to prevent people from doing their work.
Information about performance related to HTTPS (and SSH) is available in Scaling Bitbucket Server. You might be interested in looking at Securing Bitbucket Server with Tomcat using SSL for information about encrypting the traffic between Bitbucket and your reverse proxy.
I would not be concerned about the extra CPU cycles if your security team is telling you that traffic needs to be encrypted between Bitbucket and an existing reverse proxy (where I would assume external traffic is already encrypted).
Cheers,
Daniel
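The setup described in the answer above (HTTPS terminated at a reverse proxy, with the hop from the proxy to Bitbucket's Tomcat also encrypted) as an added configuration example. This is not from the original post or from Atlassian's documentation; it uses nginx because the answer names it as a common choice. The hostnames, certificate paths, internal IP and the Tomcat port 8443 are assumptions for illustration.

```nginx
# Added example (not from the original post): nginx terminating HTTPS for
# Bitbucket Server and re-encrypting the hop to Tomcat.
# git.example.com, 10.0.0.10:8443, bitbucket.internal and all file paths
# are assumed values; replace them with your own.

upstream bitbucket {
    server 10.0.0.10:8443;   # assumed: Bitbucket's Tomcat HTTPS connector
    keepalive 32;            # reuse backend connections, avoids a TLS handshake per request
}

# Plain HTTP only redirects; nothing (including Basic-Auth credentials) travels in the clear.
server {
    listen 80;
    server_name git.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name git.example.com;

    ssl_certificate     /etc/nginx/tls/git.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/git.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;   # session reuse keeps handshake CPU cost down

    # Tell browsers never to fall back to http:// (enable only once https works everywhere).
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Git pushes can be large; do not let nginx reject them on size.
    client_max_body_size 0;

    location / {
        proxy_pass https://bitbucket;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Verify Tomcat's certificate on the internal hop rather than trusting it blindly,
        # otherwise the "encrypted" internal hop is open to an on-path impostor.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;   # assumed internal CA
        proxy_ssl_name                bitbucket.internal;               # assumed name in Tomcat's cert
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Bitbucket needs these to generate correct https:// links behind a proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        proxy_read_timeout 600s;   # long-running clones and fetches
    }
}
```

On the Bitbucket side this assumes Tomcat's HTTPS connector is enabled with a key store whose certificate is issued by the internal CA that nginx trusts, and that the proxy settings (scheme https, proxy name git.example.com, proxy port 443) are configured so that Bitbucket builds https:// URLs; the exact property names depend on your Bitbucket Server version, so take them from the Securing Bitbucket Server with Tomcat using SSL page for that version rather than from this example. Two checks worth running once it is up: from the proxy host, `openssl s_client -connect 10.0.0.10:8443` should show Tomcat's certificate chaining to the internal CA, and the plaintext Tomcat port (7990 by default) should be firewalled so that the only way into Bitbucket is through the encrypted hop.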