Jira SSL on IIS

I have Jira Software 7.3.1 running on Windows Server 2012.

At first I was using it at xxx.xxx.xxx.xxx:8080 and everything worked fine.

Now I have to migrate it to a subdomain.

I've done everything according to this article https://confluence.atlassian.com/adminjiraserver071/integrating-jira-applications-with-iis-802593039.html and everything works well.

Now I have to use an SSL certificate on this subdomain and I'm referring to https://confluence.atlassian.com/adminjiraserver071/running-jira-applications-over-ssl-or-https-802593051.html

When using the system without HTTPS, it works. When I use HTTPS, I see a lot of errors in the browser console saying that requests were blocked because of asking for http... from https...

 

Screenshot: Screenshot_1.png

I suppose it is because I have not installed the redirect:

<security-constraint>
<web-resource-collection>
<web-resource-name>all-except-attachments</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspa</url-pattern>
<url-pattern>/browse/*</url-pattern>
<url-pattern>/issues/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

 

But when I install this redirect, port 8443 is suddenly added:

https://sub.domain.com:8443/secure/Dashboard.jspa

 

Please advise what to do in this situation.

My server.xml

<?xml version="1.0" encoding="UTF-8"?>

<Connector acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxSpareThreads="75"
maxThreads="150"
minSpareThreads="25"
port="8080"
protocol="HTTP/1.1"
redirectPort="8443"
proxyName="sub.domain.com"
proxyPort="80"
useBodyEncodingForURI="true"/>

<Connector URIEncoding="UTF-8" enableLookups="false" port="8009" protocol="AJP/1.3" redirectPort="8443"/>

<Engine defaultHost="localhost" name="Catalina">
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

<Context docBase="${catalina.home}/atlassian-jira" path="" reloadable="false" useHttpOnly="true">


<Resource auth="Container" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60" name="UserTransaction" type="javax.transaction.UserTransaction"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>

</Host>

<Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>

<Connector SSLEnabled="true"
acceptCount="100"
clientAuth="false"
connectionTimeout="20000"
disableUploadTimeout="true"
enableLookups="false"
keyAlias="my_alias"
keystoreFile="path_to_keystore.jks"
keystorePass="mypassword"
keystoreType="JKS"
maxHttpHeaderSize="8192"
maxSpareThreads="75"
maxThreads="150"
minSpareThreads="25"
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
proxyName="sub.domain.com"
proxyPort="443"
useBodyEncodingForURI="true"/>
</Service>
</Server>

 

Another important thing is that in the config wizard I cannot select HTTP and HTTPS, as that option is not active for me. Only HTTP or HTTPS can be selected.

Screenshot_2.png

 

Please help me avoid the 8443 port being added to the URL.

Thanks in advance!

2 answers

2 accepted

1 vote

Could you explain where you are trying to terminate the SSL connection?

In other words, is IIS supposed to be doing all the SSL work, or are you trying to make JIRA's Tomcat do it as well?

Hello Nic,

If I understand correctly, is this a solution?

I've googled a little and found the article https://stackoverflow.com/questions/31922167/iis-how-to-simulate-ssl-termination-on-load-balancer

Do I have to do the same as described there?

This is the IIS implementation; is there any other, less complex way?

I haven't done any termination of the SSL connection. I just followed the articles (links above).

Not that I know of, that article doesn't seem to be about SSL proxies in IIS.

IIS is pretty horrid for doing this sort of work; a far less complex solution is running Apache or nginx as a proxy, but you should stick with IIS if your systems are all IIS based.

I'm sorry, I did not explain "termination of ssl" - you are doing it if you use https.  The phrase means "where does the encryption stop".  Imagine a standard proxy server setup of:

User -1> Internet -2> Your proxy -3> JIRA

Your user fires up an SSL connection over the internet.  You can "terminate the SSL" at -2> or at -3> here.  Whichever one you choose, the work of encryption is done on the server it lands on.

JIRA's Tomcat is not a good place to do it - it loads the JIRA process, it's not particularly flexible, it doesn't fit in well with the reasons most people use proxies, and it means some fiddling with the proxy to make it work.  It is preferable to do it on the proxy server (IIS in your case).  The question I'm asking is where you want to do it?

Thanks Nic for your answer.

All websites are hosted in IIS. It can be difficult to install Apache and make them both listen on ports 80 and 443.

So I have to look at how to do this in IIS.

The solution was found:

1. Create a website in IIS, add the SSL certificate, and bind the app to ports 80 and 443.

2. Using the IIS URL Rewrite module, create 2 proxy rules rewriting to https://jira_host:8443

3. Enable the Jira 8443 port according to the articles above.

And everything will work; there is no need to use the Tomcat IIS connector.
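
The IIS side of the three steps above, as an added example that is not part of the original thread or of Atlassian's documentation: a `web.config` for the IIS site using the URL Rewrite module. The poster's two rules are not shown on the page, so the rule names and the split into one redirect rule plus one proxy rule are assumptions, as are the host names `sub.domain.com` and `jira_host`; proxying also assumes Application Request Routing is installed with proxy enabled.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config for the IIS site bound to ports 80 and 443.
     Rule names and host names are assumptions, not taken from the thread. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: send plain-HTTP visitors to HTTPS on the public name.
             The host is hard-coded rather than copied from the request's
             Host header, so a forged header cannot steer the redirect. -->
        <rule name="Jira HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect"
                  url="https://sub.domain.com/{R:1}"
                  redirectType="Permanent" />
        </rule>

        <!-- Rule 2: reverse-proxy HTTPS requests to Tomcat's 8443 connector.
             TLS is terminated at IIS and re-established to Tomcat, so the
             certificate in the Jira keystore must be trusted by the IIS
             host and match the name used in this URL. -->
        <rule name="Jira reverse proxy" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="https://jira_host:8443/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

On the Tomcat side, the 8443 connector in the posted server.xml already carries `proxyName="sub.domain.com"`, `proxyPort="443"`, `scheme="https"` and `secure="true"`, which is what lets Jira generate links without `:8443` once traffic arrives through that connector.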
