Disable HTTP access for JIRA behind Apache reverse-proxy using SSL

Deleted user August 18, 2018

I've just installed JIRA on a server at home, and have set up SSL/HTTPS with an Apache reverse-proxy (as per https://confluence.atlassian.com/adminjiraserver073/integrating-jira-with-apache-using-ssl-861253896.html).

The HTTPS access works as intended (I can access JIRA by visiting https://myserver/jira), and I have my base URL in JIRA set to "https://myserver", however I can still access the site by visiting http://myserver:8080/jira.

Here are the relevant parts of my server.xml for JIRA:

<!-- Apache Proxy Connector with values for scheme, proxyName and proxyPort -->
<Connector acceptCount="100" connectionTimeout="20000" 
disableUploadTimeout="true" enableLookups="false" 
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" 
port="8080" protocol="HTTP/1.1" redirectPort="8443" 
useBodyEncodingForURI="true" scheme="https" proxyName="<server_hostname>" 
proxyPort="443"/>

[...]

<!-- I HAVE COMMENTED OUT THE STANDARD HTTP CONNECTOR -->

[...]

<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>
</Host>
<Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>

Here are the additions to the standard /etc/apache2/sites-available/default-ssl.xml config:

SSLEngine on
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /jira http://<server_hostname>:8080/jira
ProxyPassReverse /jira http://<server_hostname>:8080/jira

Any idea how I can remove the possibility of accessing the site via HTTP? This obviously poses a security concern since users can still access the server and authenticate over HTTP (defeating the purpose of proxying requests over HTTPS).

1 answer

0 votes
Daniel Eads
Atlassian Team
August 20, 2018

Hi Ronan!

Jira should still listen on 8080 - this is the best way for it to interact with Apache without causing unnecessary latency. So you will want to make sure that 8080 connector stays in place, but we can limit where the connections come from so that only Apache talks to it! There are a couple of ways to address this:

  1. At the network level you can simply drop requests to 8080 at your firewall. If you've got a networking team, ask them about how difficult it would be in your environment. Depending on your setup, this might be the fastest and easiest way to take care of it.
  2. On your local server you can also instruct Tomcat to only take connections to 8080 from localhost (Apache). There's documentation here if you'd like to read up. Thank you for posting the connector in your server.xml! You're going to add the address directive to yield this connector (remember to update the proxyName!):
    <Connector acceptCount="100" connectionTimeout="20000" 
    disableUploadTimeout="true" enableLookups="false"
    maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
    port="8080" protocol="HTTP/1.1" redirectPort="8443"
    address="127.0.0.1"
    useBodyEncodingForURI="true" scheme="https" proxyName="<server_hostname>"
    proxyPort="443"/>
    If this gives you any trouble, also change your default-ssl.xml to use 127.0.0.1 instead of the server_hostname.

    Don't forget to restart Jira and Apache after making changes :)

Cheers,
Daniel
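A way to check the connector binding described in the answer above, as an added example that is not part of the original post or Atlassian's own code: it parses a server.xml and flags any Connector that is not limited to the loopback interface. The server.xml samples are constructed for the example and the proxyName is a placeholder.

```python
"""Audit Tomcat server.xml connectors for listeners that bypass the TLS proxy."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the 8080 connector before and after address="127.0.0.1" is added.
BEFORE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
               scheme="https" proxyName="jira.example.internal" proxyPort="443"/>
  </Service>
</Server>"""
AFTER_XML = BEFORE_XML.replace('port="8080"', 'port="8080" address="127.0.0.1"')


def is_loopback(address):
    """True if the bind address restricts the listener to the local host."""
    if address is None:          # Tomcat's default: bind on all interfaces
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:           # unresolved hostname or malformed value
        return False


def audit_connectors(xml_text):
    """Return one finding per Connector: port, bind address, and whether it is
    reachable from other hosts (i.e. not limited to loopback)."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        # A connector that advertises scheme="https" but listens in the clear on
        # every interface lets clients skip the proxy and authenticate over HTTP.
        findings.append({
            "port": conn.get("port"),
            "address": address or "0.0.0.0",
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "exposed": not is_loopback(address),
            "behind_proxy": conn.get("scheme") == "https" and conn.get("proxyPort") is not None,
        })
    return findings


if __name__ == "__main__":
    for label, xml in (("before", BEFORE_XML), ("after", AFTER_XML)):
        for f in audit_connectors(xml):
            state = "EXPOSED" if f["exposed"] else "loopback-only"
            print(f"{label}: port {f['port']} on {f['address']} -> {state}")
```

Run it against the real file with the path substituted for the constructed samples; a firewall rule on 8080 (option 1 in the answer) is still needed if the connector must stay bound to all interfaces.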
