Jira Reverse Proxy Configuration

Joan Williamson January 28, 2021

I have a standalone Jira Software environment where users are authenticated with a SAML SSO plug-in, which has been working for a few years without issue. I now have a requirement to allow some users access to this environment through Reverse Proxy. I have been trying to set this up without success. I get logged into Jira with username and password in the Reverse Proxy environment, but get returned back to the Reverse Proxy page instead of being presented the Jira dashboard. The login does succeed though.

I have two connectors defined in the server.xml file - basically one using port 443 for the SAML SSO connection and another using port 8443, a proxyName and proxyPort for the Reverse Proxy connection using username and password:

Is this possible with Jira to have these two paths to access Jira?

My Reverse Proxy folks are telling me that I need to add /proj-1 to the end of the URL in order for it to work. 

Would this be adding another Context within the Host of the server.xml file OR change the existing one to set the path=/proj-1 and then change the base URL?

 

2 answers

1 accepted

1 vote
Answer accepted
Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 28, 2021

Your reverse proxy should only talk to one of those connectors.  You could get it to talk to both, but there's no point, as the one you expose on the url that is not the base url will not work properly.

I assume your proxy owners are expecting Jira to serve at something like https://ourdomain.org/proj-1

That's what you need to set the base url to, and in the server.xml, set the context to include path="/proj-1" and in the connector, proxyName="ourdomain.org"

Joan Williamson January 28, 2021

I have a need to allow users to connect while on the network as well as users coming in through reverse proxy.  So, one of the connectors is for the non-Reverse Proxy users and the other connector is for Reverse Proxy. 

Is this configuration possible - meaning to serve users on the network and also through Reverse Proxy?

Nic Brough -Adaptavist-
Community Leader
January 28, 2021

You can, but you need to do some of it on a network level, and it's a bit of a hack. 

Short description - you'll need to "poison" your internal network's DNS

First, start with a standard config that most of us use, to keep it simple (you could do this in other ways, but I'm aiming for the most simple to explain). That is Public URL -> Proxy -> Jira connector 1.

That's what I've described in my answer already - https://ourdomain.org/proj-1 lands on your proxy, which then goes and asks Jira to serve up the content, via (let's say) the 443 connector.

But for the internal network, you want to use a different connector. 

If you did this with a proxy, you have a massive problem:  It cannot serve up on https://ourdomain.org/proj-1 because that is already in use.  But you cannot serve it up on another proxied address because Jira only works properly when accessed over the base url of https://ourdomain.org/proj-1

So, the "poison DNS" trick.  When someone is "on your network", they are almost certainly using a DNS server.  If you're small and/or have no reason to have your own DNS, they will land on whatever the service provider uses, and this trick won't work.

But if you're using internal DNS, you have control.  And the poison trick is to simply add a record to your internal DNS that says "when someone tries to resolve ourdomain.org/proj-1 give them the internal IP address and port for the second internal Jira connector". 

This will make it look like https://ourdomain.org/proj-1 resolves to the same Jira service no matter where people are, despite there being two separate routes.

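The consistency rule from the accepted answer (base URL, Context path and connector proxyName must agree) can be checked mechanically. The script below is an added example, not part of any post in this thread: the `check_server_xml` name and the sample file are constructed, and the extra `proxyPort` and `scheme` comparisons are an assumption that goes beyond the attributes the answer names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, not the poster's file: 443 is reached directly,
# 8443 sits behind the reverse proxy, and the Context path is still empty.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true"/>
    <Connector port="8443" scheme="https" secure="true"
               proxyName="ourdomain.org" proxyPort="443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost">
        <Context path="" docBase="${catalina.home}/atlassian-jira"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def check_server_xml(xml_text, base_url):
    """Compare Context and Connector attributes with the Jira base URL.

    Returns (context_findings, {connector_port: findings}); empty lists mean
    that element agrees with the base URL.
    """
    base = urlsplit(base_url)
    want_port = base.port or DEFAULT_PORTS[base.scheme]
    want_path = base.path.rstrip("/")
    root = ET.fromstring(xml_text)

    context_findings = [
        f'Context path="{c.get("path", "")}", base URL needs "{want_path}"'
        for c in root.iter("Context") if c.get("path", "") != want_path
    ]
    connectors = {}
    for conn in root.iter("Connector"):
        port = int(conn.get("port"))
        found = connectors.setdefault(port, [])
        # proxyName/proxyPort replace the host and port Tomcat reports to Jira.
        host = conn.get("proxyName")
        if host is not None and host.lower() != base.hostname:
            found.append(f'proxyName="{host}", base URL host is "{base.hostname}"')
        seen_port = int(conn.get("proxyPort", port))
        if seen_port != want_port:
            found.append(f"reported port {seen_port}, base URL port is {want_port}")
        if conn.get("scheme", "http") != base.scheme:
            found.append(f'scheme should be "{base.scheme}"')
    return context_findings, connectors
```

Run against the constructed sample with `https://ourdomain.org/proj-1`, both connectors pass and the only finding is the empty Context path.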
0 votes
Pramodh M
Community Leader
January 28, 2021

Hi @Joan Williamson

Change the existing context path and then change the base URL to see if it works!

May I know what proxy you have configured?

Please check the server.xml file to see if it's correct (the recent thread is here: https://community.atlassian.com/t5/Jira-questions/Jira-Software-8-10-1-behind-Reverse-Proxy-doesn-t-work/qaq-p/1587478#M463814)

Thanks,
Pramodh
