How to Open up Polarion to External Customers

The described scenario assumes you want to open Polarion ALM to external customers or suppliers.


If you simply run a Polarion ALM instance that is directly accessible from the Internet, you also expose your Subversion repository, and confidential content becomes accessible from outside.


Actually the Subversion repository is already protected by the access file, but it is easy to expose content by mistake.


This blog describes an approach to open Polarion ALM to external customers and avoid the risk described above.


Internal users access Polarion ALM directly from inside the internal network. The change will be transparent for them.


External users access Polarion ALM via a proxy provided by Apache. This proxy forwards only safe requests, which do not reveal internal content of your repository, even if Subversion’s access file is not configured to hide that information.


Polarion and Apache Proxy


Basic configuration of the proxy
The basic configuration of the Apache running the proxy is quite simple.


Adding the following lines to the default configuration is sufficient (replace <polarion-server> with the URL of your Polarion server):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass /polarion <polarion-server>/polarion
ProxyPassReverse /polarion <polarion-server>/polarion


With this configuration, all requests to <external-server>/polarion are passed to <internal-server>/polarion. Please make sure that the firewall grants access from external-server to internal-server on port 80.


Securing the Proxy
With this configuration an external user could still access files in the repository. Actually, it is not that bad, as the user has to know the exact path of the file he tries to access.


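The following line closes this possibility. It has to appear before the general ProxyPass /polarion line, because Apache checks ProxyPass rules in configuration order and the first match wins: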
ProxyPass /polarion/webdav !


Unfortunately, this configuration has a disadvantage: it also disables access to LiveDocuments using Word and Excel for external users.


Re-enabling access to Attachments
Disabling all access to the repository also prevents users from downloading attachments.


To enable download of attachments, the /svnwebclient/fileDownload.jsp URL has to be forwarded to the internal server.


Add the following lines to the configuration of the Apache server acting as proxy:
ProxyPass /svnwebclient/fileDownload.jsp <polarion-server>/svnwebclient/fileDownload.jsp
ProxyPassReverse /svnwebclient/fileDownload.jsp <polarion-server>/svnwebclient/fileDownload.jsp


Doing that without any additional precautions is risky: Again, the access of the external user to files in the repository is only restricted by the access configuration.


An additional layer of security can be implemented by restricting the parameters of the URL to only allow download of files inside the project(s) the external user is able to access. This is achieved by using mod_rewrite to redirect every forbidden access to a nonexistent URL.


Add the following lines to your configuration:
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/svnwebclient/fileDownload.jsp$
RewriteCond %{QUERY_STRING} !^.*&url=<project-location>
RewriteRule .* /nonexistent


<project-location> has to be replaced with the location of the project in the repository. All slashes (/) in it have to be replaced with %2F, and a %2F should be appended at the end.


Example:
Assume you want to expose the Library project from the Polarion demo data, and your internal Polarion server has the URL http://polarion.


You can get the location of the project from the Overview Topic of the project.



The location is Demo%20Projects/demolibrary, so the string to use is Demo%20Projects%2Fdemolibrary%2F


The resulting configuration to use for the proxy is:


LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
# The exclusion comes first: ProxyPass rules are checked in order and the first match wins
ProxyPass /polarion/webdav !
ProxyPass /polarion http://polarion/polarion
ProxyPassReverse /polarion http://polarion/polarion
# Attachment download; restricted to the exposed project by the rewrite rule below
ProxyPass /svnwebclient/fileDownload.jsp http://polarion/svnwebclient/fileDownload.jsp
ProxyPassReverse /svnwebclient/fileDownload.jsp http://polarion/svnwebclient/fileDownload.jsp
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
# Download requests whose url parameter does not start with the project location go to /nonexistent
RewriteCond %{REQUEST_URI} ^/svnwebclient/fileDownload.jsp$
RewriteCond %{QUERY_STRING} !^.*&url=Demo%20Projects%2Fdemolibrary%2F
RewriteRule .* /nonexistent
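
The encoding rule for <project-location> and the rewrite check, as an added example that is not part of the original article or of Polarion: it builds the RewriteCond line for a project location and emulates the check on constructed query strings. The attachment parameter and the file names in the samples are made up; only the url parameter comes from the article.

```python
import re

DOWNLOAD_URI = r"^/svnwebclient/fileDownload.jsp$"  # pattern from the article


def encode_project_location(location: str) -> str:
    """Article's rule: replace every '/' with %2F and append a final %2F.
    Escapes already present in the location (e.g. %20) stay untouched."""
    return location.strip("/").replace("/", "%2F") + "%2F"


def cond_pattern(location: str) -> str:
    """Pattern for the negated QUERY_STRING condition. re.escape is an
    addition to the article so that regex metacharacters in a project
    name (such as '.') are matched literally."""
    return "^.*&url=" + re.escape(encode_project_location(location))


def rewrite_block(location: str) -> str:
    """Render the mod_rewrite lines from the article for one project."""
    return "\n".join([
        "RewriteEngine On",
        "RewriteCond %{REQUEST_URI} " + DOWNLOAD_URI,
        "RewriteCond %{QUERY_STRING} !" + cond_pattern(location),
        "RewriteRule .* /nonexistent",
    ])


def is_rewritten(request_uri: str, query_string: str, location: str) -> bool:
    """Emulate the two conditions: True means the request is sent to
    /nonexistent. The query string is compared in raw, still-encoded form,
    which is why the pattern contains %2F rather than '/'."""
    if not re.search(DOWNLOAD_URI, request_uri):
        return False  # the rule only concerns the download URL
    return re.search(cond_pattern(location), query_string) is None


if __name__ == "__main__":
    project = "Demo%20Projects/demolibrary"  # location from the article
    print(rewrite_block(project))
    # Constructed sample requests; 'attachment' and the file names are made up.
    samples = [
        "attachment=true&url=Demo%20Projects%2Fdemolibrary%2Fdocs%2Fspec.pdf",
        "attachment=true&url=Demo%20Projects%2Fotherproject%2Fdocs%2Fspec.pdf",
        "attachment=true&url=Demo%20Projects/demolibrary/docs/spec.pdf",
    ]
    for qs in samples:
        blocked = is_rewritten("/svnwebclient/fileDownload.jsp", qs, project)
        print(f"{'blocked' if blocked else 'forwarded':9}  {qs}")
```

The third sample shows that a request with unencoded slashes in url is rejected as well, so the rule fails closed for clients that encode the path differently.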


Best Wishes
Benjamin

This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/polarion/how-to-open-up-polarion-to-external-customers/