How to configure Jira an Confluence behind F5 Firewall/Proxy with SSL-Offload

We have a JIRA and a Confluence behind a F5 Firewall / Proxy. SSL is managed by the F5.

JIRA should be accessible through https://www.mydomain.com/jira

Confluence should be accessible through https://www.mydomain.com/confluence

Contextpath in server.xml is set on both Servers.

We added the following Parameters in the connector:

  • proxyName="www.mydomain.com"
  • proxyPort="443"
  • scheme="https"
  • secure="true"

When we now access JIRA or Confluence we get lots of errors:

Jira:

2016-11-02 16:11:58,494 http-nio-8080-exec-6 WARN mad 971x467x1 1uf2vh9 193.174.118.227 /rest/analytics/1.0/publish/bulk [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/jira/plugins/servlet/whitelist , credentials in request: true , allowed via CORS: false

 

Confluence:

2016-11-02 15:57:20,071 WARN [http-nio-8090-exec-10] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://www.mydomain.com/confluence/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/confluence/login.action , credentials in request: true , allowed via CORS: false
 -- referer: http://www.mydomain.com/confluence/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /cf/rest/analytics/1.0/publish/bulk | traceId: aeee4a16b71b21e9 | userName: anonymous

Something seems to be wrong with the configuration.

The Request is HTTPS the referrer is only HTTP.

 

Any idea how to solve this?

3 answers

I don't know much about F5, but i post you part of my nginx config hoping it can help you as you need to have proxy settings set

location / {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_read_timeout 3600;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8090;
        }

Looks more like you have configured your base URLs to http://... 

And add automatic redirection to https on your webserver (if the F5 does not support this)

 

base URL is set to httpS://

base url should be set to http:// not S, as the "S" part is handled by the proxy

No.  The base url should be set to whatever the users are going to use to connect to it.  Https in this case.

Also, make sure that each server can reach itself via that base url.  They like to talk to themselves!

Thats true. I got confused with the proxy pass param of nginx. I'll update my comment

Are you running them on their own virtual servers?  If not you can get some weird errors if you run them both off a single VS.

If you are terminating SSL at the F5, you may not need the "secure=true" parameter on the HTTP connector.  You may also need to do HTTP to HTTPS redirection on the F5, we do it via an iRule but a Policy would probably work.

We have run ours at varying times in both configurations: SSL terminating at the F5 as well as SSL all the way through to Tomcat.  Here's a sample of our server.xml from our dev environment:

<Connector port="8082" connectionTimeout="20000" redirectPort="8443"
                maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" 
				proxyName="hdsdevconfluence.colorado.edu" proxyPort="443" scheme="https"
				/>
 
<Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="75" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keyAlias="hdsdevconfluence" keystoreFile="C:\path\to\keystore.jks"
keystorePass="keystorepass" keystoreType="JKS"/>

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published 21m ago in Jira

5 ways you can make the most of Jira Software and Bitbucket Cloud

As part of the Bitbucket product team I'm always interested in better understanding what kind of impact the use of our tools have on the way you work. In a recent study we conducted of software devel...

6 views 0 2
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you