Application without port only with URL and SSL

Jones Magos November 26, 2017

Hello,

I have some questions and problems.
1) How can I configure my help desk system without a port, e.g. calling 8080 or 7070? I have tried it but it does not work.
2) A technician has been trying for 7 days to connect the system help desk with an SSL certificate which can be called up with https.
It is not but I have received the feedback that it was not possible and that you would have to do it because it is much too complex and you would have to reprogram the whole system.
Could they do that for me or say how it works and what I have to reprogram everything?
Jira is a bit flawed when it comes to SSL and I need your help.
Thank you!

Kind regards

7 answers

Comments for this post are closed

Community moderators have prevented the ability to post new answers.


0 votes
Vincent Roujas May 19, 2021

Great dose of patience here, kudos ;)

0 votes
Jeff Clay December 21, 2017

Use port forwarding in iptables and configure Tomcat to use your SSL keystore. I have Jira running this way and am also using MySQL over SSL as well.

0 votes
Trey Harper December 1, 2017

One issue I ran into when setting up SSL was that after applying the cert via config.sh, SSL would not work, regardless of using port 8443 or 443. I stumbled across this: https://jira.atlassian.com/browse/JRASERVER-63734?src=confmacro. Essentially, config.sh never updated the connector in the .xml correctly. After adding org.apache.coyote.http11.Http11NioProtocol to the xml file and restarting services, I was able to hit the site via SSL.

Christoph December 1, 2017

It was all right with me but I tried everything 1000x even my technician did not get it in 8 hours.

0 votes
Lars Olav Velle
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 27, 2017

If it helps you out, here is our nginx config for JIRA:

server {
    listen 80;
    server_name issues.example.com issues;
    # Redirect every plain-HTTP request to the HTTPS site
    return 301 https://issues.example.com$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    server_name issues.example.com;

    client_max_body_size 40M;
    large_client_header_buffers 4 4k;

    #include conf.d/ssl.inc;

    # Redundant with "listen ... ssl"; this directive is obsolete since nginx 1.15.0
    ssl on;
    # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ssl_certificate /etc/pki/tls/certs/wildcard-example.com/wildcard.example.com.crt;
    ssl_certificate_key /etc/pki/tls/certs/wildcard-example.com/wildcard.example.com.key;
    ssl_session_timeout 5m;

    location / {
        # Jira's Tomcat, reached over plain HTTP on the loopback interface
        proxy_pass http://127.0.0.1:8080/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Tell Jira the original request arrived over HTTPS
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Christoph November 28, 2017

I work with Apache2 and I want to include a SSL / Https and not reprogram the whole system.

Vick December 18, 2023

I don't believe free nginx supports SAML

0 votes
Christoph November 26, 2017

I did everything again according to the instructions. I reach Jira over port 8080 and over a new proxy port, but if I try it over https the error ERR_CONNECTION_CLOSED comes.

Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 26, 2017

Ok, that's something we can work with. The error usually means that the proxy is misconfigured and refusing to talk to your browser.  In some cases, it might be trying to talk to the browser, but being told by your Jira's Tomcat that it should not.

Could you confirm that Jira was ok when running on http://<a.server>:8080 though?  No ssl, just the plain server and port?  If this is true, it means we can focus on where the error really is with the proxy and its connection back to Jira.

Christoph November 26, 2017

Yes I can reach Jira perfectly without SSL under 7070 and 8080.
I added that in the server.xml ...

<!-- Apache Proxy Connector with values for scheme, proxyName and proxyPort -->
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8443" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"
scheme="https" proxyName="system.meinedomain.com" proxyPort="443"/>

Christoph November 26, 2017

8843 is fail 8080 is ok.

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

8843 is a control port, don't worry about it. The best option for proxying is generally to stick to 8080.

The next step is to get the proxy to work without SSL.  Two things to do here:

1.  Change back to http temporarily for getting the basics to work.  Change "scheme" to http, and proxyPort to 80 in the server.xml

2.  What do your Apache proxy settings say?

Christoph November 27, 2017

I do not work with Microsoft ?!

Nic Brough -Adaptavist-
Community Leader
November 27, 2017

Ok, that's just silly, it has nothing to do with the question.

Christoph November 27, 2017

I do not work with Microsoft products but with Linux.
My Apache2 is running.

Christoph November 27, 2017

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain.tdl [OR]
    RewriteCond %{SERVER_NAME} =domain.tdl [OR]
    RewriteCond %{SERVER_NAME} =domain.tdl
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Nic Brough -Adaptavist-
Community Leader
November 27, 2017

There's no proxying set up in there.  You need to actually add the lines in the docs to proxy the system.

Steven F Behnke
Rising Star
November 27, 2017

Proxying Jira is done by leveraging existing technology stacks Tomcat and your web server of choice. This is not difficult and should not take longer than 10 minutes for someone who isn't familiar with Jira.

If you have no idea what you're doing with Tomcat and Apache, perhaps you should involve a consulting group or your team.

Nic Brough -Adaptavist-
Community Leader
November 28, 2017

There's a chunk of documentation that has not been followed.  The Apache config is only half done - it's not been configured to act as a proxy for Jira (unless we're missing a pile of further config which hasn't been mentioned here)

0 votes
Christoph November 26, 2017

I've tried all the tutorials on the internet using Jira with keystore.
There was no correct manual that was simple and working. I've programmed half the system but it just does not work.

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

"does not work" tells us nothing.

The fact is it does work (there's a fully SSL enabled Jira running in a tab right next to this one), but you've got something wrong.

The instructions are, I'd agree, not incredibly simple, but SSL itself is not simple.

The question becomes what are you doing differently to the standard docs, not "it doesn't work".  Because the docs do describe how to make it work.

Christoph November 26, 2017

I tried it 50x and did everything according to the instructions but it does not work; my friend, who has tried it too, says the same.
Also had a good guide.

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

You don't tell us what you tried, or what guide you have used, or what you have done differently to the guides.

We can't help you with this without you telling us what you're doing differently. I could easily write a full guide, but there's no point, because it would be mostly a copy of the documentation.

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

Which one of those methods do you want to use?  Proxy or Tomcat?

Whichever you choose, what did you do differently to the documentation?

Christoph November 26, 2017

I have a Ubuntu 17.10 Linux system and I want to do it with Apache2 so I think I should use proxy right?
Unfortunately I do not know exactly which instructions are correct.

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

Ok, so you should follow the instructions in the second guide.

Broadly, the steps are:

  • Get Jira working on the default port
  • Install apache and make sure you get the default page from it when you visit the server
  • Create a new proxy setup in Apache, pointing back to Jira
  • Reconfigure Jira's Tomcat so that it knows it's behind a proxy
  • Check this all works for plain http, then add in the SSL parts (there's basically a handful of lines to add to the configs once you have them running without ssl)

Christoph November 26, 2017

I have tried the second manual link, everything, often but without success; the instructions are incomprehensible and not executable as it refuses to other instructions.

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

It's the doc I use to create SSL Atlassian applications.  What are you doing differently to what it says?

Christoph November 26, 2017

I have the SSL certificate created by letsencrypt.org and then I have all the .pem data and I want to embed it in Jira and then call the portal without a port or https.
I follow only the instructions but I can not do it.

Lars Olav Velle
Rising Star
November 26, 2017

Setting up Apache in front of jira should take 10 minutes, including a restart of jira.

What are you seeing?

Do you have any error messages? 

-Lars 

Nic Brough -Adaptavist-
Community Leader
November 26, 2017

As Lars says, you need to tell us what "can not do" means.

What have you configured?  What errors do you get?

A good start on an explanation would be to describe how far down the list I gave earlier you get. Does Jira run ok on an 8080 port? Does Apache give you a "Hi, I'm a clean apache" message when you visit the server in a browser? Then it fails when you try to make it proxy through? Or not until you try to add SSL? Please tell us where you have got to!
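
The proxy half that the Apache VirtualHost posted in this thread lacks, laid out along the proxy-then-SSL steps listed above, as an added example that is not part of any participant's post or of the Atlassian documentation: Apache terminates TLS on 443 and proxies to Jira's Tomcat on 127.0.0.1:8080. The hostname jira.example.com and the certbot-style certificate paths are assumptions.

```apache
# Added example. jira.example.com and the certificate paths are assumptions.
# Modules needed on Ubuntu: a2enmod proxy proxy_http ssl

<VirtualHost *:80>
    ServerName jira.example.com
    # Send every plain-HTTP request to the HTTPS site
    Redirect permanent / https://jira.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName jira.example.com

    SSLEngine on
    # Default certbot layout for a Let's Encrypt certificate (assumed paths)
    SSLCertificateFile    /etc/letsencrypt/live/jira.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jira.example.com/privkey.pem
    # Accept TLS 1.2 and newer only
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only; never act as an open forward proxy
    ProxyRequests Off
    # Pass the original Host header through to Tomcat
    ProxyPreserveHost On
    # Jira's Tomcat speaks plain HTTP on the loopback interface
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Matching connector in Jira's conf/server.xml (XML, shown here as a comment).
# Keep the existing connector's other attributes and set these:
#
#   <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
#              scheme="https" secure="true"
#              proxyName="jira.example.com" proxyPort="443" />
#
# address="127.0.0.1" keeps port 8080 off the network, so clients cannot
# bypass TLS by talking to Tomcat directly.
# scheme/secure/proxyName/proxyPort tell Jira which URL the browser used,
# so the links and redirects it generates point at https://jira.example.com/.
```

While testing over plain HTTP first, as the steps advise, the connector uses scheme="http" and proxyPort="80" without secure="true"; Jira's base URL is set to the https address once the proxy works.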

0 votes
Nic Brough -Adaptavist-
Community Leader
November 26, 2017

For the port, you either have to run it behind a proxy, or run the Tomcat on port 443 (that's for https, you'd want 80 if it's going to be http).  I recommend a proxy and SSL in most cases.

"It does not work" doesn't tell us what you have tried.

Jira is not at all hard to run over SSL, but you need to get the proxy or Tomcat working on a different port first.

Christoph November 26, 2017

I have also tried to let Jira run on port 443 and then point to the jira directory but that does not work.
