installation priority and ngnix conf for reverse proxy

thanks JP iwill try this approach , salutations from paris 

Hi

sorry JP but can i ask you if you have some example of apache proxy-mod config for jira application ,i have tried to build a apache proxy_mod and no succes , thanks 

Hi,

there are several solutions & I'm not sure if our approach will fit with your environment.

We use the Apache Tomcat AJP connector (A protocol between HTTP proxy & Tomcat server which allows for failover / load balacing & is faster as it keeps the connections between HTTP server & application server open). The Tomcat AJP connector uses port 8009. A solution with a HTTP proxy should also work.

Here's our config:

Confluence Tomcat server.xml

<Connector port="8009"
minSpareThreads="10"
maxThreads="250"
address="192.168.x.y" 
protocol="AJP/1.3"
redirectPort="8444" 
enableLookups="false"
URIEncoding="UTF-8"
maxPostSize="-1"
packetSize="65536"/>

Apache HTTPD

 Apache24/conf/extra/ssl.conf

<VirtualHost 192.168.x.y:443>
Protocols h2 http/1.1
DocumentRoot "..../htdocs"
ServerName our.server.domain
ServerAdmin admin@server.domain
ErrorLog ..../logs/ssl_error.log
TransferLog ..../logs/ssl_access.log
LogLevel warn
SSLEngine On
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK 

SSLCertificateFile ...../conf/ssl/wildcard.server.domain.crt
SSLCertificateKeyFile ....../conf/ssl/wildcard.server.domain.key
SSLCACertificateFile ....../conf/ssl/wildcard.intermediate.crt

Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

RewriteEngine On
#LogLevel notice rewrite:trace8
RewriteCond %{REQUEST_URI} !^/confluence [NC]
RewriteCond %{REQUEST_URI} !^/confluence/.* [NC]
RewriteCond %{REQUEST_URI} !^/synchrony [NC]
RewriteCond %{REQUEST_URI} !^/synchrony/.* [NC] 
RewriteRule ^(.*)$ https://our.server.domain/confluence [R=301,L]

# Atlassian Proxy Configuration:
ProxyRequests Off
ProxyPreserveHost On


<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://our.server.domain:8091/synchrony
<Location /synchrony> 
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://our.server.domain:8091%{REQUEST_URI} [P]
</Location> 

RemoteIPHeader X-Forwarded-For
</VirtualHost>

  Apache24/conf/extra/mod_jk-.conf

# Worker config

JkWorkersFile conf/extra/workers.properties

# Logging

JkLogFile logs/mod_jk.log

JkLogLevel warn

JkOptions +ForwardURICompatUnparsed

JkEnvVar httpd our.server

JkMountCopy All


# redirect tomcat errors to apache httpd

JkMount  /confluence confluence;use_server_errors=500

JkMount  /confluence/* confluence;use_server_errors=500

 Apache24/conf/extra/workers.properties

# Global Settings

worker.maintain=30
# Default Settings
worker.basic.type=ajp13

worker.basic.socket_keepalive=true

worker.basic.ping_mode=A

worker.basic.ping_timeout=10000

worker.basic.connection_pool_timeout=120

worker.basic.recovery_options=7

worker.basic.lbfactor=1

worker.basic.max_packet_size=65536


worker.list=confluence

worker.confluence.host=IP OF CONFLUENCE SERVER

worker.confluence.port=8009

worker.confluence.connection_pool_size=250

worker.confluence.socket_connect_timeout=3000

worker.confluence.reference=worker.basic

Remember, this is just an example..

Best

JP