Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Session expired and XSRF errors when deploying Jira with two replicas on AKS with ILB

MD NISHAD HUSSAIN
MD NISHAD HUSSAIN
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 13, 2025

Hello Atlassian Support,

I have deployed Jira Data Center on Azure Kubernetes Service (AKS) using an Internal Load Balancer (ILB) and mapped it with a DNS entry.

When I deploy Jira with only one replica, everything works fine — I can log in to the system admin page and navigate to all settings without any issues.

However, when I deploy Jira with two replicas, I face persistent issues where the system throws session expired errors and shows XSRF token validation errors on almost every page.

This makes Jira unusable in a multi-replica deployment scenario.

I am sharing our NGINX site configuration and Jira server.xml file for review to help troubleshoot the session expired / XSRF token issue when Jira is deployed with two replicas.

Please note: These files have been sanitized to remove sensitive information. The following placeholders have been used:

<JIRA_SERVER_FQDN> → Actual Jira server DNS name

<JIRA_BACKEND_IP> → Internal IP of Jira backend service in AKS

<CERTIFICATE_FILE> → SSL certificate file name/path

<PRIVATE_KEY_FILE> → SSL private key file name/path

The file structure, directives, and settings are otherwise unchanged to ensure accurate troubleshooting.

Let me know if you need any more details, the original (secure) values can be provided privately if absolutely necessary.

Below are the file config :

nginx.conf / Jira site config (sanitized)

server {
listen 443 ssl;
server_name <JIRA_SERVER_FQDN>; # Masked hostname

# SSL configuration
ssl_certificate /etc/nginx/ssl/<CERTIFICATE_FILE>;
ssl_certificate_key /etc/nginx/ssl/<PRIVATE_KEY_FILE>;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:...'; # Truncated for brevity
ssl_prefer_server_ciphers on;

# Security headers (Optional but recommended)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";

client_max_body_size 100M;

location / {
# app_protect_enable on;
proxy_pass http://<JIRA_BACKEND_IP>:8080; # Masked internal IP
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
}

server {
listen 80;
server_name <JIRA_SERVER_FQDN>; # Masked hostname
return 301 https://$host$request_uri;
}

Screenshot 2025-08-13 224938.pngScreenshot 2025-08-13 224831.pngserver.xml (sanitized)

<?xml version="1.0" encoding="utf-8"?>

<Server port="8005" shutdown="SHUTDOWN">

<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

<Service name="Catalina">

<Connector port="8080"
maxThreads="100"
minSpareThreads="10"
connectionTimeout="20000"
enableLookups="false"
protocol="HTTP/1.1"
redirectPort="8443"
acceptCount="10"
secure="true"
scheme="https"
proxyName="<JIRA_SERVER_FQDN>" <!-- Masked hostname -->
proxyPort="443"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^`\&quot;&lt;&gt;"
bindOnInit="false"
maxHttpHeaderSize="8192"
useBodyEncodingForURI="true"
disableUploadTimeout="true" />

<Engine name="Catalina" defaultHost="localhost">

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

<Context path="" docBase="${catalina.home}/atlassian-jira"
reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction"
auth="Container"
type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory"
jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
</Context>

</Host>

<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"
requestAttributesEnabled="false"
maxDays="-1"/>

</Engine>

</Service>

</Server>

I have also attached the screenshot for your reference.

Could you please help me resolve this issue?

Thank you for your help.

Answer
Watch
Like Be the first to like this
20 views

0 answers

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
SERVER
PRODUCT PLAN
STANDARD
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security