How to configure Jira an Confluence behind F5 Firewall/Proxy with SSL-Offload

We have a JIRA and a Confluence behind a F5 Firewall / Proxy. SSL is managed by the F5.

JIRA should be accessible through https://www.mydomain.com/jira

Confluence should be accessible through https://www.mydomain.com/confluence

Contextpath in server.xml is set on both Servers.

We added the following Parameters in the connector:

  • proxyName="www.mydomain.com"
  • proxyPort="443"
  • scheme="https"
  • secure="true"

When we now access JIRA or Confluence we get lots of errors:

Jira:

2016-11-02 16:11:58,494 http-nio-8080-exec-6 WARN mad 971x467x1 1uf2vh9 193.174.118.227 /rest/analytics/1.0/publish/bulk [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/jira/plugins/servlet/whitelist , credentials in request: true , allowed via CORS: false

 

Confluence:

2016-11-02 15:57:20,071 WARN [http-nio-8090-exec-10] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://www.mydomain.com/confluence/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/confluence/login.action , credentials in request: true , allowed via CORS: false
 -- referer: http://www.mydomain.com/confluence/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /cf/rest/analytics/1.0/publish/bulk | traceId: aeee4a16b71b21e9 | userName: anonymous

Something seems to be wrong with the configuration.

The Request is HTTPS the referrer is only HTTP.

 

Any idea how to solve this?

3 answers

This widget could not be displayed.

I don't know much about F5, but i post you part of my nginx config hoping it can help you as you need to have proxy settings set

location / {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_read_timeout 3600;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8090;
        }
This widget could not be displayed.

Looks more like you have configured your base URLs to http://... 

And add automatic redirection to https on your webserver (if the F5 does not support this)

 

base URL is set to httpS://

base url should be set to http:// not S, as the "S" part is handled by the proxy

No.  The base url should be set to whatever the users are going to use to connect to it.  Https in this case.

Also, make sure that each server can reach itself via that base url.  They like to talk to themselves!

Thats true. I got confused with the proxy pass param of nginx. I'll update my comment

This widget could not be displayed.

Are you running them on their own virtual servers?  If not you can get some weird errors if you run them both off a single VS.

If you are terminating SSL at the F5, you may not need the "secure=true" parameter on the HTTP connector.  You may also need to do HTTP to HTTPS redirection on the F5, we do it via an iRule but a Policy would probably work.

We have run ours at varying times in both configurations: SSL terminating at the F5 as well as SSL all the way through to Tomcat.  Here's a sample of our server.xml from our dev environment:

<Connector port="8082" connectionTimeout="20000" redirectPort="8443"
                maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" 
				proxyName="hdsdevconfluence.colorado.edu" proxyPort="443" scheme="https"
				/>
 
<Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="75" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keyAlias="hdsdevconfluence" keystoreFile="C:\path\to\keystore.jks"
keystorePass="keystorepass" keystoreType="JKS"/>

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Tuesday in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

203 views 1 3
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you