Set up HTTPS on the mirror

Hi @[deleted] ,

The mirror uses a local installation of Bitbucket Server, so that's where you should apply the SSL certificate.

For more info on how to obtain it, you can read Securing Bitbucket Server with tomcat using SSL. In that document you'll find the steps in detail.

If after reading that article you still have questions, please let us know and we'll be happy to continue helping you.

Best regards,

Ana

Hi Prathamesh,

Please allow me to jump in and provide some steps.

It sounds like you have already completed Step 1 from the guide at "Set up Bitbucket Smart Mirroring". The next step of "2. Set up HTTPS on the mirror" requires you to set up SSL on a reverse proxy (as discussed in "Proxying and securing Bitbucket Server") like Nginx, or Apache, or, you can set up SSL on Bitbucket itself (as discussed in "Securing Bitbucket Server with Tomcat"). Either option will work, however, using a proxy is more performant and less complicated.

The first step is to get an SSL certificate, This can be done by creating a self-signed certificate (this is the most complicated option and requires the most work), or by having an SSL certificate issued to you from a "Certification Authority" (CA) such as VeriSign, DigiCert, Thawte or Let'sEncrypt.

Once you have the certificate, you can set up the proxy to be prepared to listen for requests. For the below example, I will go ahead and use Nginx.

server { listen 80; server_name bitbucket.example.com; return 301 https://bitbucket.example.com$request_uri; }
server {
    listen 443 ssl;
    server_name bitbucket.example.com;
    client_max_body_size 0;
    ssl on;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_certificate /<path>/<to>/fullchain.pem;
    ssl_certificate_key /<path>/<to>/privkey.pem;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_pass http://<private-IP-of-bitbucket>:7990;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

The First line will accept port 80 (standard HTTP) traffic and redirect it to the secured port 443 (standard HTTPS). The second line starts the listen block for port 443, specifically for the "server_name". You will need to replace the string "bitbucket.example.com" with the desired URL of your Bitbucket server instance. (Note that this will need to match your SSL certificate).

You will also need to update the path to your certificate as well as the key for the SSL cert on your local filesystem. For improved security, feel free to add a dhparam file. Lastly, you will need to adjust the "proxy_pass" line to the private IP of Bitbucket itself (or to "localhost" if the proxy is running on the same machine as bitbucket).

Once the Proxy is up and listening for secure traffic you will need to configure your Bitbucket Smart Mirror so that it knows that the traffic is secured on Bitbucket's behalf by your proxy. To do this, you will need to edit the "bitbucket.properties" file located within your $BITBUCKET_HOME/shared/bitbucket.properties path, as mentioned in the "Configure the Embedded Tomcat Connector" step.

server.mode=mirror
server.port=7990
server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=bitbucket.example.com

The "proxy-name" will need to be adjusted to match the "server_name" in your proxy config.

At this point, you should be able to restart your Smart Mirror for the changes to take effect and you will be able to access the mirror via HTTPS through your proxy. Feel free to continue with step 3 of "Set up a Bitbucket Smart Mirror".

Best Regards,

Michael
Atlassian DevTools Support Engineer