Managing URL with 8443 port with NginX reverse proxy over SSL

Dylan July 7, 2021

Dear community,

Background

We were using Jira with Tomcat over SSL and decided to move to an NginX reverse proxy over SSL.

Previously, with Tomcat, we were redirecting all requests from 443 to 8443 as mentioned in this Confluence page.

This means that most of the users were accessing Jira using the URL https://jira.mydomain.com:8443. There are still links, within Jira (and also Confluence), that are configured with this port.

Thus, we need to be sure these links are still accessible, even behind the reverse proxy.

Nginx Configuration

We configured NginX correctly and we can access https://jira.mydomain.com without any problem; it is working like a charm.

When accessing https://jira.mydomain.com:8443, we are able to login and access Jira, but the gadgets are failing to load, most likely because the Base URL is set to https://jira.mydomain.com (without the port).

See picture below when accessing https://jira.mydomain.com:8443:

[screenshot: Untitled.png]

What would be the best practice and configuration to also redirect the requests with port :8443 in the URL to the appropriate proxy connector in Jira?

nginx.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name jira.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    access_log /var/log/nginx/jira.mydomain.com.access.log main;
    error_log /var/log/nginx/jira.mydomain.com.error.log;

    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mycert.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    location /secure/ForgotLoginDetails.jspa {
        return 301 https://jira.mydomain.com;
    }

    location / {
        # NGINX usually only allows 1M per request. Increase this to JIRA's maximum attachment size (10M by default)
        client_max_body_size 10m;

        # set proxy headers for cloudflare/jira
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Authorization "";

        # hand the request off to jira on non-ssl
        proxy_pass http://localhost:8080;
    }
}

server.xml

<!-- Nginx Reverse Proxy Connector -->
<Connector port="8080"
           relaxedPathChars="[]|"
           relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"
           secure="true"
           scheme="https"
           proxyName="jira.mydomain.com"
           proxyPort="443"/>


Answer accepted
JimmyVanAU
July 7, 2021

Hi Dylan,

Solid question - well written with all the necessary code. Looks like you've done your homework, and you're so very close.

Readapting your first block of config, you should be able to use:

server {
    listen 8443 default_server;
    listen [::]:8443 default_server ipv6only=on;
    server_name jira.mydomain.com;
    return 301 https://$server_name$request_uri;
}

Note that it'll need to be a second server block (placed immediately below the first), as you can't simply use:

listen 80, 8443 default_server;

unfortunately.

Hope that helps!

Dylan July 8, 2021

Hey @JimmyVanAU

Thanks for the comment and the answer, which are great!

Adding this listener doesn't seem to work for me using Firefox or Safari.

  • Using Firefox: Loading fails and SSL_ERROR_RX_RECORD_TOO_LONG error is thrown by Firefox.
  • Using Safari: Fails with error "Safari can't open https://jira.mydomain.com:8443 - Can't establish secure connection to the server jira.mydomain.com"

I've simply added the server block as advised:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name jira.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 8443 default_server;
    listen [::]:8443 default_server ipv6only=on;
    server_name jira.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ..........

}

Any idea on the issue here?

Thank you!

Dylan

Dylan July 27, 2021

Hi @JimmyVanAU,

Any update on this topic and how I could resolve the issue with Jira to work on port 8443?

Many thanks for your help.

Dylan

Dylan August 2, 2021

It was actually really close to what Jimmy suggested. The only difference was to specify to use SSL and set the certificates as for 443.

server {
    listen 8443 ssl;                    # ssl on the listener, unlike the earlier attempt
    server_name jira.mydomain.com;
    ssl_certificate ...;                # same certificate files as the 443 block
    return 301 https://$server_name$request_uri;
}
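A config check for the failure mode this thread ran into, added here as an example (it is not code from the thread, from nginx or from Atlassian): it splits an nginx config into server blocks and flags any listener on an https port (443 and 8443 in this deployment) that lacks `ssl`, which is what made Firefox report SSL_ERROR_RX_RECORD_TOO_LONG, plus ssl listeners whose block has no certificate. The two configs inside are constructed from the thread's snippets; the certificate paths are the ones from the question.

```python
import re
# Constructed from the thread's snippets: the answer's plain-HTTP 8443 redirect beside the working 443 block.
BROKEN_CONF = """
server {
    listen 8443 default_server;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mycert.key;
    location / { proxy_pass http://localhost:8080; }
}
"""
# The fix from the final reply: TLS on 8443 with the same certificate as on 443.
FIXED_CONF = BROKEN_CONF.replace("listen 8443 default_server;", "listen 8443 ssl;\n"
    "    ssl_certificate /etc/nginx/ssl/mycert.crt;\n    ssl_certificate_key /etc/nginx/ssl/mycert.key;")

def server_blocks(conf):
    """Return each top-level server { ... } body, found by brace counting (nested location is fine)."""
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(conf):
        depth += (ch == "{") - (ch == "}")
        if ch == "{" and depth == 1 and conf[:i].rstrip().endswith("server"):
            start = i + 1
        elif ch == "}" and depth == 0 and start is not None:
            blocks.append(conf[start:i])
            start = None
    return blocks

def directives(block):
    """Yield (name, args) for each single-line directive in a block, with # comments stripped."""
    for line in block.splitlines():
        m = re.match(r"(\w+)\s+(.*?)\s*;$", line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2).split()

def check_tls_listeners(conf):
    """Flag plain listeners on https ports (browsers then see SSL_ERROR_RX_RECORD_TOO_LONG) and ssl listeners without a cert."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        d = list(directives(block))
        names = {name for name, _ in d}
        for args in [a for name, a in d if name == "listen" and a]:
            port = args[0].rsplit(":", 1)[-1]  # "8443", "[::]:8443" and "10.0.0.1:443" all yield the port
            if port.isdigit() and int(port) in {443, 8443} and "ssl" not in args[1:]:  # https ports here
                findings.append((n, f"listen {args[0]} answers plain HTTP on an https port"))
            if "ssl" in args[1:] and not {"ssl_certificate", "ssl_certificate_key"} <= names:
                findings.append((n, f"listen {args[0]} ssl has no certificate/key in its block"))
    return findings
```

Running `check_tls_listeners` on BROKEN_CONF reports block 1, and on FIXED_CONF reports nothing; point it at a real config file's contents before reloading nginx.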
JimmyVanAU
August 4, 2021

Hey Dylan,

Apologies, been super swamped, and yay for finally reaching a solution. I do want to send a public shoutout to you for a few reasons:

  • clear, well-written question with all the relevant information
  • demonstrated what you'd already tried and where you're stuck (incl. screenshots)
  • not getting angry when I didn't respond for a while
  • continuing to do your own research
  • documenting your solution for posterity and everyone else's benefit
  • accepting an answer on the portal once solved

All are awesome ways to interact on the community, so kudos to you. I'd send you kudos on the community if I could (can't find you 😅).

Cheers, Jimmy
