Gadget titles show as _MSG_gadget only on port 443, but not 8443

Jason Freeman March 7, 2018

We have HTTPS enabled and have redirected port 80 to 8080 and port 443 to 8443:

  1. sudo firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443
  2. sudo firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
  3. sudo firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -p tcp -d XX.XX.XX.XX --dport 443 -j REDIRECT --to-ports 8443
  4. sudo firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -p tcp -d XX.XX.XX.XX --dport 80 -j REDIRECT --to-ports 8080

Gadgets show correct names if visiting the site on 8443, but they show as "__MSG_gadget" on 443.

I saw some documentation saying that I needed to redirect for both local and external traffic:

https://confluence.atlassian.com/jirakb/how-to-fix-gadget-titles-showing-as-__msg_gadget-813697086.html

The sample commands in this documentation are using iptables, but we are using firewalld.

Are there similar firewalld commands that will fix this?

1 answer

0 votes
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 8, 2018

Hi Jason,

Please take a look at this related thread: https://community.atlassian.com/t5/Jira-questions/Firewalld-instructions-are-incorrect/qaq-p/97369

It appears that the user @SCM - Software Confgurations found a solution here and provided their syntax.  They also noted that they need to issue a --reload command before these changes took effect.  There is a possible concern to understand which interface your server is using to make this connection too.  The Jira application needs to be able to establish a connection to whatever address you have set as the base url.  As such, it looks like this is something that this other user came across as well as a possible problem here.

Please try those steps and let me know if this helps.

Andy

Jason Freeman March 8, 2018

Yes, this command seems to have fixed it:

sudo firewall-cmd --zone=trusted --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o lo --dport 443 -j REDIRECT --to-ports 8443

This may need to be added to the documentation because I suspect anyone redirecting ports will need this.

I'm honestly not exactly sure what the above command is doing that the other commands were not already doing, though.

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 8, 2018

Awesome, thanks for posting back and letting us know.  I think the difference here is the zone=trusted and/or the 'tcp -o lo' piece. 

Your server likely has multiple network interfaces, even if only one private IP address and the loopback interface (if not more).  I know that when we were first seeing customers with this problem that used iptables, we found that the PREROUTING directive was important because in some cases the Jira server was trying to use the loopback interface to try to reach a public facing address, something the server wasn't doing properly before those rules were added.

 

I will work with our documentation team to make sure this KB is updated correctly.  Thanks again,

Andy

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events