cancel
Showing results for 
Search instead for 
Did you mean: 

How to Open up Polarion to External Customers

Dreamer
Dreamer

The described scenario assumes you want to open Polarion ALM to external customers or suppliers

If you are just running a Polarion ALM instance that is directly accessible from the Internet you also expose your Subversion repository , confidential content is accessible from outside.

Actually the Subversion repository is already protected by the access file, but it is easy to expose content by mistake.

This blog describes an approach to open Polarion ALM to external customers and avoid the risk described above.

Internal users access Polarion ALM directly from inside the internal network. The change will be transparent for them.

External users access Polarion ALM via a proxy provided by Apache. This proxy will forward safe requests only which don’t reveal internal content of your repository, even if Subversion's access file is not configured to hide that information.

Polarion and Apache Proxy

Basic configuration of the proxy The basic configuration of the Apache running the proxy is quite simple.

Adding the following lines to the default configuration is sufficient (replace <polarion-server> with the URL of your Polarion server): LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so ProxyRequests Off ProxyPass /polarion <polarion-server>/polarion ProxyPassReverse /polarion <polarion-server>/polarion

With this configuration all requests to <external-server>/polarion will be passed to <internal-server>/polarion. Please make sure that the Firewall grants access from external-server to internal-server on port 80.

Securing the Proxy With this configuration an external user could still access files in the repository. Actually, it is not that bad, as the user has to know the exact path of the file he tries to access.

Following line closes this possibility: ProxyPass /polarion/webdav !

Unfortunately this configuration has a disadvantage: It will also disable access to LiveDocuments using Word and Excel for the external users.

Re-enabling access to Attachment Disabling all access to the repository also prevents users from downloading attachments.

To enable download of attachments, the /svnwebclient/fileDownload.jsp URL has to be forwarded to the internal server.

Add following lines to the configuration of your Apache acting as proxy: ProxyPass /svnwebclient/fileDownload.jsp <polarion-server>/svnwebclient/fileDownload.jsp ProxyPassReverse /svnwebclient/fileDownload.jsp <polarion-server>/svnwebclient/fileDownload.jsp

Doing that without any additional precautions is risky: Again, the access of the external user to files in the repository is only restricted by the access configuration.

An additional layer of security can be implemented by restricting the parameters of the URL to only allow download of files inside the project(s) the external user is able to access. This is achieved by using mod_rewrite to redirect every forbidden access to a nonexistent URL.

Add following lines to your configuration: LoadModule rewrite_module modules/mod_rewrite.so RewriteEngine On RewriteCond %{REQUEST_URI} ^/svnwebclient/fileDownload.jsp$ RewriteCond %{QUERY_STRING} !^.*&url=<project-location> RewriteRule .* /nonexistent

<project-location> has to be replaced with the location of the project in the repository, all slashes (/) in have to be replaced with %2F and a %2F should be appended at the end.

Example: Assuming you want to expose Library project from the Polarion demo-data and your internal Polarion server has the URL http://polarion.

You can get the location of the project from the Overview Topic of the project.

The location is Demo%20Projects/demolibrary, the string to use is Demo%20Projects%2Fdemolibrary%2F

The resulting configuration to use for the proxy is:

LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so ProxyRequests Off ProxyPass /polarion http://polarion/polarion ProxyPassReverse /polarion http://polarion/polarion ProxyPass /polarion/webdav ! ProxyPass /svnwebclient/fileDownload.jsp http://polarion/svnwebclient/fileDownload.jsp ProxyPassReverse /svnwebclient/fileDownload.jsp http://polarion/svnwebclient/fileDownload.jsp LoadModule rewrite_module modules/mod_rewrite.so RewriteEngine On RewriteCond %{REQUEST_URI} ^/svnwebclient/fileDownload.jsp$ RewriteCond %{QUERY_STRING} !^.*&url=Demo%20Projects%2Fdemolibrary%2F RewriteRule .* /nonexistent

Best Wishes Benjamin