Best Practices for YouTrack/Hub External Access

Hi there,

I'm after some advice on configuring our local Hub to give external access to YouTrack. Our current setup is running YouTrack and TeamCity with a shared Hub authentication server. This all works great internally, but I need to give access to our external QA team. I've set up port forwarding for both YouTrack and Hub on our router.

(Note: I'm not a networking expert, so apologies if I'm asking some silly questions!)

The first problem is that both have been configured with internal IPs to point to each other. So, when I try to access YouTrack from outside the network, it tries to redirect to an internal IP, which doesn't work. Is there a way to make it use an internal IP for internal requests, and an external one for external requests (i.e, if the request comes from 192.168.1.XX, use the local address, otherwise use our external IP)? Otherwise, do I just need to go through all of the configs and replace the IPs with our static external one? I'd rather not do that, as ideally I'd like to only have those ports open while we're using external QA, and closed at all other times, but I don't want to reconfigure everything each time we switch.

In general, are there any other best practices I should be aware of when opening this up, other than making sure that guest accounts are all disabled and all passwords are strong?

Any advice would be much appreciated!

Rob.

1 comment
Comment actions Permalink
Official comment

Hi, Rob!

To the moment YouTrack doesn't support working with external Hub instance in both internal and external mode (using different Hub IP addresses at the same time) 

Replacing internal IPs with external ones should resolve the issue unless external IP is accessible from internal network.
Do not forget to reconfigure YouTrack and Hub instances accordingly.

- hub stop
- hub configure --base-url=<new_hub_url_here>
- hub start

- youtrack stop
- youtrack configure --base-url=<new_youtrack_url_here>
- youtrack start
- After YouTrack started, open the following page <new_youtrack_url_here>/bundle/admin
- Log in to administration UI and update external hub URL there.

Regarding best practices. We recommend you to setup SSL/TLS-terminating proxy in front of you services, so that end users could access the services by https URLs only.

See the following documentation pages for details:
https://www.jetbrains.com/help/youtrack/standalone/Reverse-Proxy-Configuration.html
https://www.jetbrains.com/help/hub/Proxy-Configuration.html

Also find a list of all recommended best practices by the following link:
https://www.jetbrains.com/help/youtrack/standalone/Secure-Your-Installation.html


Sincerely,
Alexey Barsov 
JetBrains Developer

Please sign in to leave a comment.