Hi all
I'm stuck with the proxy config since we want our JIRA accessible inside another network zone.
The setup for internal use:
JIRA /Tomcat <-http-> apache proxy <-http-> client
Now we configured an nginx reverse proxy for access from an unsecure zone over ssl:
JIRA /Tomcat <-http-> apache proxy <-http-> nginx reverse proxy <-https-> client
nginx terminates ssl. I now receive the url mismatch error because of the https inside the url.
I then added this to the server.xml and restarted JIRA
scheme="https"
proxyName="<nginx ip>"
proxyPort="443"
Hi Sandro,
Is there any reason to not use the outer proxy (nginx) for all communications? If there isn't a reason, you can just use the standard doc: https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL
If you must have a 2 proxy setup, you could still follow the above, but set up nginx to use the first type of connector described in the document:
<!-- Apache Proxy Connector -->
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
           enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"
           scheme="https" proxyName="external.proxy.atlassian.com" proxyPort="443" />
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
           enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           port="8081" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"
           proxyName="internalproxy.com" proxyPort="80" />
Hi Tim
First of all, thanks for the answer. There are some things I don't understand yet.
I now configured this second connector in Tomcat's server.xml. The nginx now connects to port 8090 (as defined in connector 1) and apache goes to 8080 (defined in connector 2). JIRA runs fine over apache and port 8080.
The reverse proxy thing however is still a bit of misery for me. So here is how I think:
Unsecure_client => over https and firewall to the nginx (eth6 for example), then through the reverse proxy config. Through eth1 it calls JIRA's Tomcat on port 8090.
Tomcat's server.xml defines a proxy_port and proxy_name, here I send him to eth1 from nginx and port 8090.
Right now it redirects me to the nginx proxy ip and /secure/MyJiraHome.jspa (absolutely don't know where this comes from).
My configs are attached since there aren't any characters left for this comment (IPs and domains replaced).
(jira.example.config.txt) (tomcat.txt)
I really need help, thanks for any.
An update: a co-worker took a quick look at it, and now we went back to find the actual problem.
Right now I can access the dashboard, somehow, receiving the known error:
Dashboard Diagnostics: Mismatched URL Scheme
com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'http', does not match expected scheme 'https'
The config is nothing special, only one connector for tomcat (port 8090) and nginx upstream pointing there.
<Connector port="8090" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>
and the nginx location directives (guess this is the important part, see previously attached files for complete config)
location / {
    proxy_pass http://public-jira;
    # proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Host $host;
    # proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto http;
}
I guess I'm missing something here or have to rewrite the url in a way that JIRA can deal with it.
If anyone knows something about it, I would appreciate it. I'll post the solution here as soon as I get it.
Update: I am able to log in!
The URL Scheme mismatch isn't solved yet, and so isn't the baseurl problem (JIRA seems to make intensive use of it, unlike Confluence).
I also added
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host;
Hi Sandro,
I'm going off of what you told me in the last comment: 1 connector, 8090, nginx goes there.
You also said that you're terminating ssl there at the nginx.
If that is true, you should set scheme='https' in the 8090 connector.
Tim
Hi Tim
This morning I've done exactly what you described in your first answer. Can't be easier:
Two connectors:
<!-- Internal access -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000"
           enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
           useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100"
           disableUploadTimeout="true"/>
<!-- With Web Proxy -->
<Connector port="8090" maxThreads="150" minSpareThreads="25" connectionTimeout="20000"
           scheme='https' enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
           useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100"
           disableUploadTimeout="true" proxyName="jira.external.com" proxyPort="443" />
And all works fine. URL isn't matching the baseurl, but activity stream for example works anyway.
Only the user-avatars don't show up.
Next time, I better read exactly and do what Atlassian people say. I'm now gonna play around with the nginx config for performance or security improvements.
So, many thanks Tim!
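As an added example (not part of the thread and not Atlassian's code), this Python script lints the connectors in a server.xml against the URL clients actually use, covering the scheme, proxyName and proxyPort attributes discussed above. The `check_connector` and `audit` names are hypothetical, the XML samples are constructed from the connectors posted here, and the `secure` check is an extra point the thread does not raise.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PROXY_ATTRS = ("scheme", "proxyName", "proxyPort", "secure")

def check_connector(attrs, public_url):
    """Return mismatches between a <Connector> and the URL its clients use."""
    want = urlsplit(public_url)
    want_port = str(want.port or {"http": 80, "https": 443}[want.scheme])
    findings = []
    # Tomcat attribute names are case-sensitive; a miscased one is not applied.
    for name in attrs:
        for known in PROXY_ATTRS:
            if name != known and name.lower() == known.lower():
                findings.append(f"'{name}' should be spelled '{known}'")
    scheme = attrs.get("scheme", "http")  # Tomcat defaults to http
    if scheme != want.scheme:
        findings.append(f"scheme is '{scheme}', clients use '{want.scheme}'")
    if attrs.get("proxyName") != want.hostname:
        findings.append(f"proxyName should be '{want.hostname}'")
    if attrs.get("proxyPort") != want_port:
        findings.append(f"proxyPort should be '{want_port}'")
    # Not raised in the thread: secure="true" makes request.isSecure() report
    # the TLS connection that the front proxy terminated.
    if want.scheme == "https" and attrs.get("secure") != "true":
        findings.append("secure should be 'true' behind a TLS-terminating proxy")
    return findings

def audit(server_xml, public_urls):
    """public_urls maps a connector port to the base URL used through it."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if port in public_urls:  # connectors without an entry are skipped
            report[port] = check_connector(conn.attrib, public_urls[port])
    return report

# Constructed samples modelled on the thread: the failing single connector,
# then the working one; hostname and ports as posted.
BEFORE = '<Service><Connector port="8090" protocol="HTTP/1.1"/></Service>'
AFTER = ('<Service><Connector port="8090" protocol="HTTP/1.1" scheme="https" '
         'proxyName="jira.external.com" proxyPort="443"/></Service>')
URLS = {"8090": "https://jira.external.com"}

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(xml, URLS))
```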
Hi Sandro.
I never used nginx but maybe you'll find some hint here
https://answers.atlassian.com/questions/16218/jira-behind-nginx-proxy-hostname-and-url-problems
setting "proxy_redirect off" may help?