Jira behind AWS ELB with SSL offloading and http/https redirect

Ok, I searched and searched but couldn't find a simple answer anywhere, so I dug in and I'm posting my findings hoping this will help someone else. We're running Jira in an AWS VPC behind an ELB, offloading SSL to the ELB (backend VPC traffic is http to port 8080). Everything I could find wanted additional software installed, which we didn't want to do if possible.

Below is what worked for us (may work for other Atlassian products or anything running tomcat as a web server).

Customization if running behind an AWS ELB with SSL offloading (http between ELB and server)

1. vi /opt/atlassian/jira/conf/server.xml
#Add the below in the http connector section, replacing the % variable with the appropriate information
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
proxyName="%external_fqdn%"
proxyPort="443"
scheme="https"

<change from> 
redirectPort="8443"
<to>
redirectPort="443"

<remove>
useBodyEncodingForURI="true"

2. vi /opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml

#add the below inside of the <web-app> </web-app> section (pasted above <!-- General -->)

<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

3. vi /opt/atlassian/jira/conf/server.xml
#add the below just above the </Host> closing argument

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https" />

4. service jira restart

Step 3 is important (ok, I could have put that as part of step 1), as without it you'll get stuck in an infinite redirect loop, since the ELB is sending http requests.

Also, as the ELB won't be able to route internal traffic back in (the Jira server calling the ELB DNS) from the external IP address, we added a hosts file entry on the Jira machines pointing to the internal ELB address.

12/7/2017 update - the AWS ELB (ALB actually) can route traffic back in if you have a NAT gateway configured to allow the Jira server to access the internet. We have strict egress ACLs, so our Jira instance can't access the internet directly; that's why we had to use the internal ALB IP address.

Enjoy, I hope this helps someone.
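As an added illustration (not part of the original post or of any Jira/Tomcat code), here is a small Python model of the ELB-to-Tomcat exchange described above: it shows why the CONFIDENTIAL constraint loops when Tomcat ignores x-forwarded-proto, why redirectPort had to move from 8443 to 443, and that RemoteIpValve only honours the header from its default internalProxies ranges. The hostname, addresses and header values are constructed for the example.

```python
import ipaddress

# RemoteIpValve's default internalProxies: RFC 1918, link-local and loopback ranges.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def is_secure(remote_addr, headers, remote_ip_valve):
    """Tomcat's request.isSecure() for a request arriving on the plain-http 8080 connector."""
    if not remote_ip_valve:
        return False  # the connector itself is http; proxy headers are ignored
    trusted = any(ipaddress.ip_address(remote_addr) in net for net in INTERNAL_PROXIES)
    # The valve only honours x-forwarded-proto when the peer is an internal proxy.
    return trusted and headers.get("x-forwarded-proto", "").lower() == "https"


def tomcat_response(remote_addr, headers, remote_ip_valve, redirect_port=443,
                    host="jira.example.com", path="/"):
    """Apply <transport-guarantee>CONFIDENTIAL</transport-guarantee>: an insecure
    request gets a redirect to https on the connector's redirectPort (the default
    https port is left out of the Location)."""
    if is_secure(remote_addr, headers, remote_ip_valve):
        return 200, None
    port = "" if redirect_port == 443 else f":{redirect_port}"
    return 302, f"https://{host}{port}{path}"


def simulate(remote_ip_valve, redirect_port=443, max_hops=5):
    """Browser -> ELB (TLS terminated) -> Tomcat over http. The browser follows each
    redirect, and every hop reaches Tomcat again as plain http with the proxy headers.
    Returns (final_status, redirects_followed)."""
    elb_addr = "10.0.1.25"  # constructed VPC-internal address of the ELB node
    headers = {"x-forwarded-proto": "https", "x-forwarded-for": "203.0.113.7"}
    hops = 0
    status, _ = tomcat_response(elb_addr, headers, remote_ip_valve, redirect_port)
    while status == 302 and hops < max_hops:
        hops += 1
        status, _ = tomcat_response(elb_addr, headers, remote_ip_valve, redirect_port)
    return status, hops


if __name__ == "__main__":
    print("without RemoteIpValve:", simulate(False))   # (302, 5): redirect loop
    print("with RemoteIpValve:   ", simulate(True))    # (200, 0)
    # With the stock redirectPort the browser is sent to a port the ELB does not serve.
    print("redirectPort=8443:    ", tomcat_response("10.0.1.25", {}, True, 8443))
    # A client reaching 8080 directly from outside the VPC cannot spoof the header.
    print("spoofed header:       ", is_secure("203.0.113.7", {"x-forwarded-proto": "https"}, True))
```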

5 comments

Good stuff, Thanks for posting this, John!

You are a wonderful human being. Thank you so much for posting this. You've saved me so much time.

Should we use ELB or ALB? I guess ELB for SSH connections?

Also what ports are the ELB listening on?

We use ALB for Jira, as we use an MFA jumpbox for SSH connections. As for ports, 80/443, as the above redirects 80 to 443.

Hi @john morrissey,

Thank you for this!

Can you confirm that in Step #2 you added those lines _inside_ of the <web-app * section (between <web-app and the >?

For example, in here:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0"
metadata-complete="true"

<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

>

This isn't correct, is it?

Thanks again!

Rick

@Rick Carini yes, that is incorrect. You need to close the <web-app parameter with a >, so in your example the > should be after the metadata-complete="true", like "metadata-complete="true">", to close out the opening <web-app.

As an example, all configurations need to open and close for the setting to take, like the below:

<security-constraint>

All your settings and comments

</security-constraint>

Let me know if that helps

Thanks, @john morrissey - I definitely did what you suggested, because I wouldn't have expected it to work inside of the <web-app parameter. But your instructions were slightly unclear for me, where you said "inside".

Thank you for confirming for me!

Cheers!

Rick

Ok, I modified the original post; let me know if it's clear now.

I would suggest the following (but I'm probably being too picky, most folks should understand this already)...

#add the following, below the <web-app> </web-app> section (pasted above <!-- General -->)

Oh, and thank you!

These changes have been working for us, both on JIRA and Confluence.

Rick

Hum, for "below the <web-app> </web-app>", technically it's between that, as the </web-app> is at the very bottom of the file. I modified the instructions a bit ago, so I think that should work, and if people comment I get notified and am happy to help out, so we'll see how it goes.

Glad it's working for you and it helped you out.

@john morrissey When you created your /etc/hosts entry for the ELB/ALB, how did you format that? I'm only curious because an AWS load balancer doesn't have an IP address.

@SC DevOps they actually do have IP addresses, though AWS support can't see them. We found the exact IP addresses by looking at the Tomcat access logs.

With that said, they do change if they fail over (AWS support couldn't tell me what would cause a failover), so it's not really the best method.

In the end, our issue is we didn't have a NAT gateway assigned, so anything that didn't have an elastic IP address couldn't get to the internet. Once we fixed that we removed the hosts file entries and all worked well.
