
Jira Reverse Proxy Configuration

I have a standalone Jira Software environment where users are authenticated with a SAML SSO plug-in, which has been working for a few years without issue. I now have a requirement to allow some users access to this environment through Reverse Proxy. I have been trying to set this up without success. I get logged into Jira with username and password in the Reverse Proxy environment, but get returned back to the Reverse Proxy page instead of being presented the Jira dashboard. The login does succeed though.

I have two connectors defined in the server.xml file - basically one using port 443 for the SAML SSO connection and another using port 8443, a proxyName and proxyPort for the Reverse Proxy connection using username and password:

Is this possible with Jira to have these two paths to access Jira?

My Reverse Proxy folks are telling me that I need to add /proj-1 to the end of the URL in order for it to work. 

Would this be adding another Context within the Host of the server.xml file OR change the existing one to set the path=/proj-1 and then change the base URL?

 

2 answers

1 accepted

1 vote
Answer accepted

Your reverse proxy should only talk to one of those connectors.  You could get it to talk to both, but there's no point, as the one you expose on the url that is not the base url will not work properly.

I assume your proxy owners are expecting Jira to serve at something like https://ourdomain.org/proj-1

That's what you need to set the base url to, and in the server.xml, set the context to include path="/proj-1" and in the connector, proxyName="ourdomain.org"

I have a need to allow users to connect while on the network as well as users coming in through reverse proxy.  So, one of the connectors is for the non-Reverse Proxy users and the other connector is for Reverse Proxy. 

Is this configuration possible - meaning to serve users on the network and also through Reverse Proxy?

You can, but you need to do some of it on a network level, and it's a bit of a hack. 

Short description - you'll need to "poison" your internal network's DNS

First, start with a standard config that most of us use, to keep it simple (you could do this in other ways, but I'm aiming for the most simple to explain). That is Public URL -> Proxy -> Jira connector 1.

That's what I've described in my answer already - https://ourdomain.org/proj-1 lands on your proxy, which then goes and asks Jira to serve up the content, via (let's say) the 443 connector.

But for the internal network, you want to use a different connector. 

If you did this with a proxy, you have a massive problem:  It cannot serve up on https://ourdomain.org/proj-1 because that is already in use.  But you cannot serve it up on another proxied address because Jira only works properly when accessed over the base url of https://ourdomain.org/proj-1

So, the "poison DNS" trick.  When someone is "on your network", they are almost certainly using a DNS server.  If you're small and/or have no reason to have your own DNS, they will land on whatever the service provider uses, and this trick won't work.

But if you're using internal DNS, you have control.  And the poison trick is to simply add a record to your internal DNS that says "when someone tries to resolve ourdomain.org/proj-1 give them the internal IP address and port for the second internal Jira connector". 

This will make it look like https://ourdomain.org/proj-1 resolves to the same Jira service no matter where people are, despite there being two separate routes.

Joan Williamson likes this
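The two-route setup discussed in the accepted answer and its comments can be checked offline. This is an added example, not the poster's configuration or Atlassian's code: it parses a constructed server.xml fragment and reports, for each connector, the URL Tomcat would advertise and whether it equals the base URL. `proxyPort="443"`, the `docBase` value and the host name `jira01.internal.example` are assumptions; a DNS record maps only the host name, so the direct route has to listen on the base URL's own port.

```python
import xml.etree.ElementTree as ET

BASE_URL = "https://ourdomain.org/proj-1"  # base URL from the accepted answer

# Constructed server.xml fragment, not the poster's file. proxyPort="443"
# and the docBase value are assumptions.
SERVER_XML = """
<Server>
  <Service name="Catalina">
    <!-- Route 1: public URL -> reverse proxy -> this connector -->
    <Connector port="8443" scheme="https" secure="true"
               proxyName="ourdomain.org" proxyPort="443"/>
    <!-- Route 2: on-network users connect here directly (SAML SSO) -->
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost">
        <Context path="/proj-1" docBase="${catalina.home}/atlassian-jira"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def advertised_url(connector, context_path, client_host):
    """URL Tomcat reports for a request that arrives on this connector."""
    scheme = connector.get("scheme", "http")
    # proxyName/proxyPort override the Host header and the listening port.
    # Without them, the client is assumed to connect on the connector's port.
    host = connector.get("proxyName", client_host)
    port = connector.get("proxyPort", connector.get("port"))
    default_port = {"http": "80", "https": "443"}[scheme]
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{context_path}"

def check_routes(server_xml, base_url, client_host):
    """Map connector port -> (advertised URL, matches the base URL?)."""
    root = ET.fromstring(server_xml.strip())
    context_path = root.find(".//Context").get("path", "")
    result = {}
    for connector in root.iter("Connector"):
        url = advertised_url(connector, context_path, client_host)
        result[connector.get("port")] = (url, url == base_url)
    return result

if __name__ == "__main__":
    # Internal DNS answers ourdomain.org with the Jira host: both routes match.
    print(check_routes(SERVER_XML, BASE_URL, "ourdomain.org"))
    # Hypothetical internal host name: the direct route no longer matches.
    print(check_routes(SERVER_XML, BASE_URL, "jira01.internal.example"))
```
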
0 votes
Pramodh Community Leader Jan 28, 2021

Hi @Joan Williamson

Change the existing context path and then change the base URL to see if it works!

May I know what proxy you have configured?

Please check the server.xml file to see if it's correct. (The recent thread is here: https://community.atlassian.com/t5/Jira-questions/Jira-Software-8-10-1-behind-Reverse-Proxy-doesn-t-work/qaq-p/1587478#M463814)

Thanks,
Pramodh
