This is quite interesting. The acivity stream is blocked by the csp (content security policy), when accessing from the server via localhost. Any suggestions how to fix that?

Hey Christopher, 

What is your Jira Base URL set to?  If you connect through the Base URL, is it blank instead of displaying this error?

We have some information here:

https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html

Cheers, 

Keri

What is your Jira Base URL set to?

It is set to https://www."mydomain"/jira

If you connect through the Base URL, is it blank instead of displaying this error?

This is correct. From server it shows the above error. From Base URL it is simply blank.

We have some information here:

https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html

Thanks for the link. I tried to disable the security headers in setenv.bat by adding

"-Dcom.atlassian.jira.clickjacking.protection.disabled=true" to line set JVM_SUPPORT_RECOMMENDED_ARGS=

Then I restart the Jira service. It is still blank from URL and offers the above mentioned error via localhost. Just to confirm, is it correct to add the statement in setenv.bat when starting Jira as a service?

Some additional information:

Our Jira is installed on Windows Server 2016 and runs via IIS.

Just to confirm, is it correct to add the statement in setenv.bat when starting Jira as a service?

Got it: for configurations regarding Jira as service look here under "Windows service"

I tried 2 options for configuring the service (then shut down and restart the service):

1. added -Dcom.atlassian.jira.clickjacking.protection.disabled=true
Result: still not working

2. added -Dcom.atlassian.jira.clickjacking.protection.exclude=/rest/gadgets/1.0/g/com.atlassian.streams.streams-jira-plugin:activitystream-gadget/gadgets/activitystream-gadget.xml

(I put in the xml-Link from Gadget-Menue)
Result: still not working

Hi Christopher, 

To determine whether there is something happening at the proxy level, if you could temporarily set up an unproxied connector for the purposes of the test. At least then we can discount proxy issues here, it wouldn’t be instead of your proxied connection - so users would still be able to access Jira as normal, it would just be in addition for testing purposes.

See our KB article for more details: How to bypass a reverse proxy or SSL in Application Links

If you bypass IIS completely, do you still receive the same error?

Can you also check your IIS configuration against the following guide: Integrating Jira applications with IIS?

You may also wish to check this IIS setting:

1. Backup the Registry
2. With Regedit, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters
3. Find the value for UrlSegmentMaxLength, or if it doesn't exist add a DWORD value with this name and change it to 00001000 (this is the hex for 4096)

Hello @Keri sorry for the delay..

If you bypass IIS completely, do you still receive the same error?

I added a connector to port 8081 and accessed Jira within the server on localhost:8081/jira. There the activity stream loaded successfully.

As mentioned in my first post, I already add the value for UrlSegmentMaxLength.

Maybe you can have a look on my server.xml:

<Service name="Catalina">
       
<Connector port="8080" maxThreads="150" minSpareThreads="25"   connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="false" scheme="https"
proxyName="###Domain-Name (example: google.de)###" proxyPort="443"/>
     
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />          

<Engine name="Catalina" defaultHost="localhost">

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"                              factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>

</Host>

<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>

</Engine>

</Service>

Hello @Keri,

I discovered another thing:

when adding -Dcom.atlassian.jira.clickjacking.protection.disabled=true to the service java option, the activity string shows

when accessing via localhost 8080. 8081 works fine.

Accessing from Base-URL via Web shows nothing.