
Nginx Proxy Reverse Redirection

Silviu VARODI August 4, 2020

Hello Community,

I'm setting up a reverse proxy to Jira Service Desk with nginx on Ubuntu 20.04. I've followed the documentation provided by Jira, but something is not working or I'm doing something wrong. I've clearly been pulling out my hair for many days. I've also tried many tutorials found on the web.

The desired result when a customer goes to the website is the following:

http://www.subdomain.exemple.com => https://subdomain.exemple.com

https://www.subdomain.exemple.com => https://subdomain.exemple.com

http://subdomain.exemple.com => https://subdomain.exemple.com

https://subdomain.exemple.com => https://subdomain.exemple.com

Here is the part (215th version xD ) of my nginx.conf :

server {
    listen 80;
    server_name www.subdomain.exemple.com subdomain.exemple.com;
    rewrite ^ https://subdomain.exemple.com$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name subdomain.exemple.com;
    # NGINX usually only allows 1M per request. Increase this to JIRA's maximum attachment size (10M by default)
    client_max_body_size 10M;
    #ssl_dhparam /path/to/file/file.pem
    ssl_certificate /path/to/file/file.crt;
    ssl_certificate_key /path/to/file/file.key;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers '!DHE-DSS-AES256-GCM-SHA384:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA256:!DHE-DSS-AES256-SHA256>

    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://subdomain.exemple.com:8080;
    }
}
}

Here is the connector in server.xml :

<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="subdomain.exemple.com"
proxyPort="443"
scheme="https"
secure="true"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
/>

I have a wildcard certificate for *.exemple.com.

The hostname of the server is:

root@localhost:~# hostname
localhost

Any help would be appreciated. If you need more information, let me know.

Thanks.

S

1 answer

0 votes
Andrew Laden
August 4, 2020

What sort of issues are you having?

One important item. If you are running SELinux, you have to do the following to allow nginx to connect over http to another local port.

setsebool -P httpd_can_network_connect 1

I use 301 redirects vs rewrites.

server {
    listen 80;
    server_name testjira testjira.example.com;
    return 301 https://testjira.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name testjira;
    ssl_certificate /etc/nginx/certs/mycert.pem;
    ssl_certificate_key /etc/nginx/certs/mycert.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;

    return 301 https://testjira.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name testjira.example.com;

    ssl_certificate /etc/nginx/certs/mycert.pem;
    ssl_certificate_key /etc/nginx/certs/mycert.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Jespa-Connection-Id $remote_addr:$remote_port;
        proxy_pass http://testjira.example.com:8081;
        client_max_body_size 20M;
    }
    client_header_buffer_size 8k;
    large_client_header_buffers 4 32k;
    client_max_body_size 20M;
}

Silviu VARODI August 5, 2020

Hello,

Thank you for your answer.

When I try to run this command:

setsebool -P httpd_can_network_connect 1

I got this message:

Cannot set persistent booleans without managed policy.

I saw that Ubuntu (I'm using 20.04 LTS) may not be concerned by this command, can you confirm?

To answer your question, I got these issues with my actual configuration:

http://www.subdomain.exemple.com Redirect to http://www.subdomain.exemple.com

https://www.subdomain.exemple.com Redirect to https://www.support.srmi45.fr/ with certificate warning.

http://subdomain.exemple.com Redirect to https://subdomain.exemple.com with certificate OK

https://subdomain.exemple.com Redirect to https://subdomain.exemple.com with certificate OK

Another question: how many connector(s) do you have in server.xml?

Andrew Laden
August 6, 2020

I'm not an Ubuntu user so I can't comment on that. Though it looks like you are not using SELinux, so that command would not be relevant then.

I have the default connector on 8080, and then I created a connector on 8081 specifically for the ssl proxy.

<Connector port="8081"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="16384"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
secure="true"
scheme="https"
proxyName="testjira.example.com."
proxyPort="443"
/>

As for your errors, all the certificate and redirection errors are handled by nginx, so the connector config shouldn't be involved.

Are you sure you are hitting your nginx? The fact that somewhere along the line you get redirected to a URL that isn't even in your config is odd.
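
Added example (not part of any post in this thread): a small Python model of how nginx picks a server block for each of the four URLs in the question, and of whether the `*.exemple.com` wildcard certificate covers the requested name. It assumes the posted `nginx.conf` excerpt is the configuration actually serving traffic and models only exact `server_name` matches; `QUESTION_CONF`, `cert_covers`, `pick_server` and `trace` are names made up for this illustration.

```python
# Added example: constructed model of the question's nginx.conf, not a real nginx parser.
from urllib.parse import urlsplit

# (listen port, server_names, action) in file order, as posted in the question.
QUESTION_CONF = [
    (80, ["www.subdomain.exemple.com", "subdomain.exemple.com"],
     ("redirect", "https://subdomain.exemple.com")),
    (443, ["subdomain.exemple.com"], ("proxy", "http://subdomain.exemple.com:8080")),
]
CERT_NAMES = ["*.exemple.com"]  # the wildcard certificate mentioned in the question


def cert_covers(host, cert_names):
    """Wildcard matching as browsers do it: '*' stands for exactly one leftmost label."""
    labels = host.lower().split(".")
    for name in cert_names:
        pattern = name.lower().split(".")
        if len(pattern) != len(labels):
            continue
        if pattern[1:] == labels[1:] and pattern[0] in ("*", labels[0]):
            return True
    return False


def pick_server(conf, port, host):
    """Exact server_name match on the port, else the first block listening there
    (nginx's default server when no default_server flag is set)."""
    on_port = [s for s in conf if s[0] == port]
    if not on_port:
        return None, False
    for s in on_port:
        if host in s[1]:
            return s, True
    return on_port[0], False


def trace(url, conf=QUESTION_CONF, cert_names=CERT_NAMES):
    """Return (action, name_matched, cert_ok); cert_ok is None for plain HTTP."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    server, matched = pick_server(conf, port, parts.hostname)
    cert_ok = cert_covers(parts.hostname, cert_names) if parts.scheme == "https" else None
    return (server[2] if server else None), matched, cert_ok


if __name__ == "__main__":
    for u in ("http://www.subdomain.exemple.com/", "https://www.subdomain.exemple.com/",
              "http://subdomain.exemple.com/", "https://subdomain.exemple.com/"):
        print(u, trace(u))
```

For `https://www.subdomain.exemple.com/` the model reports no name match on port 443 and no certificate coverage: the request falls into the only 443 block, and a wildcard stands for a single label, so `*.exemple.com` does not cover a name two labels deep.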
