How to configure Jira and Confluence behind F5 Firewall/Proxy with SSL-Offload

Andre Eikermann November 3, 2016

We have a JIRA and a Confluence behind an F5 Firewall / Proxy. SSL is managed by the F5.

JIRA should be accessible through https://www.mydomain.com/jira

Confluence should be accessible through https://www.mydomain.com/confluence

The context path in server.xml is set on both servers.

We added the following parameters in the connector:

  • proxyName="www.mydomain.com"
  • proxyPort="443"
  • scheme="https"
  • secure="true"

When we now access JIRA or Confluence we get lots of errors:

Jira:

2016-11-02 16:11:58,494 http-nio-8080-exec-6 WARN mad 971x467x1 1uf2vh9 193.174.118.227 /rest/analytics/1.0/publish/bulk [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/jira/plugins/servlet/whitelist , credentials in request: true , allowed via CORS: false

 

Confluence:

2016-11-02 15:57:20,071 WARN [http-nio-8090-exec-10] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://www.mydomain.com/confluence/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/confluence/login.action , credentials in request: true , allowed via CORS: false
 -- referer: http://www.mydomain.com/confluence/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /cf/rest/analytics/1.0/publish/bulk | traceId: aeee4a16b71b21e9 | userName: anonymous

Something seems to be wrong with the configuration.

The request is HTTPS, but the referrer is only HTTP.

 

Any idea how to solve this?
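
The scheme mismatch noted in the question can be confirmed mechanically. The following is an added example, not part of the original post: it parses XsrfResourceFilter warnings like the two quoted above and labels each by how the origin or referrer differs from the request URL. The sample log is constructed (the first two lines are shortened from the question, the last two are invented) and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first two lines are shortened from the warnings quoted in
# the question; the last two are invented for contrast.
SAMPLE_LOG = """\
2016-11-02 16:11:58,494 WARN [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/jira/plugins/servlet/whitelist , credentials in request: true , allowed via CORS: false
2016-11-02 15:57:20,071 WARN [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://www.mydomain.com/confluence/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/confluence/login.action , credentials in request: true , allowed via CORS: false
2016-11-02 16:12:03,101 WARN [common.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/api/2/issue , origin: https://other.example , referrer: https://other.example/form.html , credentials in request: true , allowed via CORS: false
2016-11-02 16:12:04,000 INFO [some.other.Logger] unrelated line
"""

XSRF_RE = re.compile(
    r"Additional XSRF checks failed for request: (?P<request>\S+) , "
    r"origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+) ,"
)
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for a URL, or None for 'null' or unparsable values."""
    parts = urlsplit(url)
    if url == "null" or not parts.scheme or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

def classify(line):
    """Explain one XsrfResourceFilter warning; returns None for other log lines."""
    m = XSRF_RE.search(line)
    if m is None:
        return None
    req = origin_of(m["request"])
    # Prefer the logged origin; fall back to the referrer when origin is 'null'.
    src = origin_of(m["origin"]) or origin_of(m["referrer"])
    if req is None or src is None:
        verdict = "no-usable-origin"
    elif src == req:
        verdict = "same-origin"
    elif src[1] == req[1] and src[0] != req[0]:
        verdict = "scheme-mismatch"  # same host, http vs https: the case in the question
    else:
        verdict = "cross-origin"
    return {"request": m["request"], "source_origin": src, "verdict": verdict}

def analyze(log_text):
    """Classify every XSRF warning found in a block of log text."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]
```

A run of `scheme-mismatch` verdicts on the application's own host name indicates pages are still being served or linked over http somewhere in the path, rather than a genuine cross-site request.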

3 answers

0 votes
Paul Stallworth
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 5, 2016

Are you running them on their own virtual servers?  If not, you can get some weird errors if you run them both off a single VS.

If you are terminating SSL at the F5, you may not need the "secure=true" parameter on the HTTP connector.  You may also need to do HTTP to HTTPS redirection on the F5; we do it via an iRule but a Policy would probably work.

We have run ours at varying times in both configurations: SSL terminating at the F5 as well as SSL all the way through to Tomcat.  Here's a sample of our server.xml from our dev environment:

<Connector port="8082" connectionTimeout="20000" redirectPort="8443"
           maxThreads="200" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           proxyName="hdsdevconfluence.colorado.edu" proxyPort="443" scheme="https"
           />

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="75" minSpareThreads="25"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
           URIEncoding="UTF-8" keyAlias="hdsdevconfluence" keystoreFile="C:\path\to\keystore.jks"
           keystorePass="keystorepass" keystoreType="JKS"/>
0 votes
Manse Wolken
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 4, 2016

Looks more like you have configured your base URLs to http://... 

And add automatic redirection to https on your webserver (if the F5 does not support this)

 

Andre Eikermann November 4, 2016

base URL is set to httpS://

Panagiotis Karampis November 4, 2016

base url should be set to http:// not S, as the "S" part is handled by the proxy

Nic Brough -Adaptavist-
Community Leader
November 4, 2016

No.  The base url should be set to whatever the users are going to use to connect to it.  Https in this case.

Also, make sure that each server can reach itself via that base url.  They like to talk to themselves!

Panos
Rising Star
November 4, 2016

That's true. I got confused with the proxy pass param of nginx. I'll update my comment
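
An added example (not code from any poster or from Atlassian) for the point discussed in this thread: the connector's scheme, proxyName and proxyPort should describe the same URL as the base URL that users connect to. The server.xml fragment is constructed from the attributes listed in the question, the second connector is invented for contrast, and `check_connectors` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed server.xml fragment: port 8080 carries the four attributes listed in
# the question; port 8081 is an invented connector with no proxy attributes.
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"
             proxyName="www.mydomain.com" proxyPort="443" scheme="https" secure="true"/>
  <Connector port="8081" protocol="HTTP/1.1"/>
</Service></Server>
"""

def check_connectors(server_xml, base_url):
    """Map each connector port to the proxy attributes that disagree with base_url."""
    base = urlsplit(base_url)
    expected = {
        "scheme": base.scheme,
        "proxyName": base.hostname,
        "proxyPort": str(base.port or {"http": 80, "https": 443}[base.scheme]),
    }
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # A missing attribute reads as None and is reported like a wrong value.
        findings[conn.get("port")] = [
            f"{attr}={conn.get(attr)!r}, base URL implies {want!r}"
            for attr, want in expected.items()
            if conn.get(attr) != want
        ]
    return findings

if __name__ == "__main__":
    for port, problems in check_connectors(SERVER_XML, "https://www.mydomain.com/jira").items():
        print(port, "OK" if not problems else problems)
```

The connector that the F5 pool actually forwards to is the one that needs an empty findings list.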

0 votes
Panos
Rising Star
November 4, 2016

I don't know much about F5, but I am posting part of my nginx config, hoping it can help you, as you need to have proxy settings set

location / {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_read_timeout 3600;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://127.0.0.1:8090;
}
