How to configure Jira an Confluence behind F5 Firewall/Proxy with SSL-Offload

We have a JIRA and a Confluence behind a F5 Firewall / Proxy. SSL is managed by the F5.

JIRA should be accessible through https://www.mydomain.com/jira

Confluence should be accessible through https://www.mydomain.com/confluence

Contextpath in server.xml is set on both Servers.

We added the following Parameters in the connector:

  • proxyName="www.mydomain.com"
  • proxyPort="443"
  • scheme="https"
  • secure="true"

When we now access JIRA or Confluence we get lots of errors:

Jira:

2016-11-02 16:11:58,494 http-nio-8080-exec-6 WARN mad 971x467x1 1uf2vh9 193.174.118.227 /rest/analytics/1.0/publish/bulk [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/jira/plugins/servlet/whitelist , credentials in request: true , allowed via CORS: false

 

Confluence:

2016-11-02 15:57:20,071 WARN [http-nio-8090-exec-10] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://www.mydomain.com/confluence/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/confluence/login.action , credentials in request: true , allowed via CORS: false
 -- referer: http://www.mydomain.com/confluence/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /cf/rest/analytics/1.0/publish/bulk | traceId: aeee4a16b71b21e9 | userName: anonymous

Something seems to be wrong with the configuration.

The Request is HTTPS the referrer is only HTTP.

 

Any idea how to solve this?

3 answers

I don't know much about F5, but i post you part of my nginx config hoping it can help you as you need to have proxy settings set

location / {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_read_timeout 3600;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8090;
        }

Looks more like you have configured your base URLs to http://... 

And add automatic redirection to https on your webserver (if the F5 does not support this)

 

base URL is set to httpS://

base url should be set to http:// not S, as the "S" part is handled by the proxy

No.  The base url should be set to whatever the users are going to use to connect to it.  Https in this case.

Also, make sure that each server can reach itself via that base url.  They like to talk to themselves!

Thats true. I got confused with the proxy pass param of nginx. I'll update my comment

Are you running them on their own virtual servers?  If not you can get some weird errors if you run them both off a single VS.

If you are terminating SSL at the F5, you may not need the "secure=true" parameter on the HTTP connector.  You may also need to do HTTP to HTTPS redirection on the F5, we do it via an iRule but a Policy would probably work.

We have run ours at varying times in both configurations: SSL terminating at the F5 as well as SSL all the way through to Tomcat.  Here's a sample of our server.xml from our dev environment:

<Connector port="8082" connectionTimeout="20000" redirectPort="8443"
                maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" 
				proxyName="hdsdevconfluence.colorado.edu" proxyPort="443" scheme="https"
				/>
 
<Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="75" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keyAlias="hdsdevconfluence" keystoreFile="C:\path\to\keystore.jks"
keystorePass="keystorepass" keystoreType="JKS"/>

Suggest an answer

Log in or Join to answer
Community showcase
Emilee Spencer
Published Friday in Marketplace Apps

Marketplace Spotlight: DeepAffects

Hello Atlassian Community! My name is Emilee, and I’m a Product Marketing Manager for the Marketplace team. Starting with this post, I'm kicking off a monthly series of Spotlights to highlight Ma...

50 views 0 3
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot