Community resources
Community resources
Community resources
- Community
- Products
- Confluence
- Questions
- Problems with securing Confluence, Jira, and Bitbucket behind NGINX
Problems with securing Confluence, Jira, and Bitbucket behind NGINX
New Atlassian Admin, just inherited a fairly wrecked Atlassian Suite that was built "all in one" on Windows (Jira, Confluence, Bitbucket, MS SQL - all crammed onto one tiny VM). I'm moving everything to a more sane layout - each product on its own VM with a separate database server (PostgreSQL 14) and a web proxy to secure the front-end. All hosts built on RHEL 8 with SELinux and fapolicyd told to mind their own business.
After significant effort (I'm more HAProxy than NGINIX, but I can learn) I've managed to get Jira set up and running: NGINX front-end takes https with cert, passes traffic via http to Jira back-end, users can log in and do stuff, winning!
So I have that going for me, which is nice.
Problem now is getting NGINX to do the same thing for Confluence. I've been struggling for a week with no success, reviewing docs for Atlassian and NGINX, checking into Community posts and running headlong into a continuing series of brick walls. Hopefully a wiser head than mine can give me a hint here. :)
Here's what I have set up:
atlassian.work.net (https) --- confluence.work.net (http)
|- jira.work.net (http)
|- bitbucket.work.net (http)
And here's how everyone's configured (typos are my own):
NGINX -(atlassian.work.net:/etc/nginx/nginx.conf)
# nginx.conf - webproxy for fun and profit
# Last Revised 07112023 -=[KWF]=-
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'$http_user_agent" "$http_x_forwarded_for" ';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Proxy front-end
server {
listen 80;
server_name atlassian.work.net;
root /usr/share/nginx/html;
location / {
return 301 https://$host$request_uri;
}
}
# Jira
server {
listen 443 ssl;
server_name jira.work.net;
ssl on;
ssl_certificate /etc/nginx/ssl/atlassian.pem;
ssl_certificate_key /etc/nginx/ssl/atlassian.key;
access_log "/var/log/nginx/proxy_access_confluence.log";
error_log "/var/log/nginx/proxy_error_confluence.log";
client_max_body_size 100M;
location /jira {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://jira.work.net:8080/jira;
}
}
# Confluence & Synchrony
server {
listen 443 ssl;
server_name confluence.work.net;
ssl on;
ssl_certificate /etc/nginx/ssl/atlassian.pem;
ssl_certificate_key /etc/nginx/ssl/atlassian.key;
access_log "/var/log/nginx/proxy_access_confluence.log";
error_log "/var/log/nginx/proxy_error_confluence.log";
client_max_body_size 100M;
location /confluence {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://confluence.work.net:8090/confluence;
}
location /synchrony {
client_max_body_size 100m;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://jira.work.net:8091/synchrony;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
proxy_connection_timeout 180s;
proxy_send_timeout 180s;
proxy_read_timeout 180s;
fastcgi_send_timeout 180s;
fastcgi_read_timeout 180s;
}
Jira (jira.work.net:/opt/atlassian/jira/conf/server.xml)
(Much XML)
...
<Connector port="8080"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="48"
minSpareThreads="10"
enableLookups="false"
acceptCount="10"
debug="0"
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
proxyName="atlassian.work.net"
proxyPort="443"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Context path="/jira" docBase="${cataline.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
...
(etc.)
Confluence (confluence.work.net:/opt/atlassian/confluence/conf/server.xml)
(Much XML)
...
<Connector port="8090"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="48"
minPostSIze="16777216"
minSpareThreads="10"
enableLookups="false"
acceptCount="10"
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
proxyName="atlassian.work.net"
proxyPort="443"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Context path="/confluence" docBase="../confluence" reloadable="false" useHttpOnly="true">
...
(etc.)
And More Confluence (/var/atlassian/application-data/confluence/confluence.cfg.xml)
...
<property name="confluence.webapp.context.path">/confluence</property>
Thanks in advance,
KeithF