Dear Team,
I am trying to create SSL for the Atlassian applications through apache.
I have followed all the steps which were mentioned in the KB article;
still, it's not working.
When I use HTTPS to the URL, it's not loading.
Please advise me
Many Thanks
IT- Admin
For convenience I post a stripped down configuration of our server:
First two files are Apache HTTPD configuration with mod_ajp. Third file is server.xml. We terminate SSL at the Apache HTTPD.
Jira is run on two ports: 8080 & 8009
### File conf/extra/httpd-jk.conf
# Worker config
JkWorkersFile conf/extra/workers.properties
# Logging
JkLogFile logs/mod_jk.log
JkLogLevel warn
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
#JkRequestLogFormat "%w %V %T"
# JkOptions indicates to send SSL KEY SIZE
JkOptions +ForwardKeySize +ForwardURICompatUnparsed -ForwardDirectories +RejectUnsafeURI
JkEnvVar httpd yourservername
# Mount on all vhost and ssl
JkMountCopy All
# redirect tomcat errors to apache httpd
JkMount /jira jira;use_server_errors=500
JkMount /jira/* jira;use_server_errors=500
# Module (Admin)
JkMount /jk-manage/* jk-manage
JkMount /jk-manage jk-manage
# Enable the JK manager access from localhost only
<Location /jk-manage >
JkMount jk-manage
Require ip 192.168
Require ip 127
</Location>
### File conf/extra/workers.properties
# Global Settings
worker.maintain=30
# Default Settings
worker.basic.type=ajp13
worker.basic.socket_keepalive=true
worker.basic.ping_mode=A
worker.basic.ping_timeout=10000
worker.basic.connection_pool_timeout=120
worker.basic.recovery_options=7
worker.basic.lbfactor=1
worker.basic.max_packet_size=65536
worker.list=jira
worker.jira.host=ip.of.jira.server
worker.jira.port=8009
worker.jira.socket_timeout=300
worker.jira.socket_connect_timeout=300000
worker.jira.reference=worker.basic
# JK Manage Application
worker.list=jk-manage
worker.jk-manage.type=status
### server.xml
<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs -->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <Service name="Catalina">
    <!-- Plain HTTP connector -->
    <Connector port="8080"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"
               bindOnInit="false"/>
    <!-- AJP connector; port and packetSize match worker.jira.port and max_packet_size in workers.properties -->
    <Connector port="8009"
               minSpareThreads="10"
               maxThreads="200"
               address="your.jira.server.ip"
               protocol="AJP/1.3"
               redirectPort="8444"
               enableLookups="false"
               URIEncoding="UTF-8"
               maxPostSize="-1"
               packetSize="65536"/>
    <Engine name="Catalina" defaultHost="your.server.name" jvmRoute="jira">
      <Host name="your.server.name" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
          <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                    factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
          <Manager pathname=""/>
          <JarScanner scanManifest="false"/>
        </Context>
      </Host>
      <!-- Quotes inside the pattern attribute are written as &quot; so the file stays well-formed -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" resolveHosts="false"
             pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
    </Engine>
  </Service>
</Server>
@Patrick Kyne The server.xml has a line on ajp connectivity and the specific ajp port - uncomment it to enable it.
And on your apache ssl config file - add your ajp configurations specifying ajp port as it is in server.xml.
I believe so and have my current configs here:
Do they appear correct to you, or am I missing something?
@Patrick Kyne Have you tried:
ProxyPass / ajp://127.0.0.1:8009/ instead?
I have not tried that because I access Jira via a URL like https://myhost.mydomain.fqdn/jira
and believe the ProxyPass would need to be
ProxyPass /jira ajp://127.0.0.1:8009/jira
Are you suggesting I add an additional ProxyPass line?
You have to configure the connector to listen on the AJP port 8009. Are you using the mod_proxy or mod_ajp module on the Apache server?
I can assure you that Confluence, Jira, Bitbucket & Fisheye are working behind a single Apache server terminating SSL using AJP protocol.
I also am having issues with the ajp protocol using mod_ajp in Apache 2.4 connecting to Jira 7.8.1 on the same Linux host as Apache.
Would you be so kind as to post the requisite sections of a working vhost.conf and your server.xml files (obfuscated as necessary)?
Thank you,
Patrick
We're using mod_ajp, not mod_proxy_ajp, so I can't give you any advice on that config.
Hi Shirish,
Just a thought... did you add the following to the Tomcat connector:
scheme="https" proxyName="xx.xxx.xxx" proxyPort="443"
What's the error you are getting upon accessing the HTTPS link?
Regards,
Kelly
Dear @KellyW
Thanks for your reply
Please find the below screenshot
When I access HTTPS
I am getting
Please advise me
Many Thanks
IT-Admin
Hi Shirish,
A JIRA application that sits behind a reverse proxy may not know the URL scheme, hostname or port to connect to Tomcat.
Please ensure that the server can resolve the hostname 'ariadne.swiss'.
Regards,
Kelly
Are your ProxyPass and ProxyPassReverse configured well to point to AJP Host and Port?
These should be mentioned in your SSL Config file - corresponding to what is on your server.xml file.
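Added example (not code from any poster or from Atlassian): a small Python check for the two points the replies above raise, that the AJP port in workers.properties matches an AJP connector in server.xml, and whether each connector carries the `scheme`, `proxyName` and `proxyPort` attributes. It also reports an AJP connector with no `address` attribute. The sample files, port 8010 and the reduced attribute set are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the files posted in this thread.
WORKERS = """worker.basic.type=ajp13
worker.list=jira
worker.jira.port=8009
worker.jira.reference=worker.basic
worker.list=jk-manage
worker.jk-manage.type=status"""
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8010" protocol="AJP/1.3" scheme="https" proxyPort="443"/>
</Service></Server>"""
PROXY_ATTRS = ("scheme", "proxyName", "proxyPort")  # named in the reply above

def parse_workers(text):
    """Return (names from worker.list, {worker: {property: value}})."""
    names, props = [], {}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition("="))
        if key == "worker.list":  # may be given more than once
            names += [n.strip() for n in value.split(",")]
        elif sep and key.startswith("worker.") and key.count(".") >= 2:
            _, name, prop = key.split(".", 2)
            props.setdefault(name, {})[prop] = value
    return names, props

def lookup(props, name, key, seen=()):
    """Resolve a worker property, following worker.<name>.reference."""
    own = props.get(name, {})
    ref = own.get("reference", "").removeprefix("worker.")
    if key in own or not ref or name in seen:  # 'seen' stops reference loops
        return own.get(key)
    return lookup(props, ref, key, seen + (name,))

def audit(server_xml, workers_text):
    """List mismatches between workers.properties and server.xml."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ajp = [c for c in connectors if c.get("protocol", "").startswith("AJP")]
    names, props = parse_workers(workers_text)
    findings = [f"connector {c.get('port')}: no explicit bind address"
                for c in ajp if c.get("address") is None]
    for name in names:
        port = lookup(props, name, "port")
        if lookup(props, name, "type") == "ajp13" and port not in [c.get("port") for c in ajp]:
            findings.append(f"worker {name}: no AJP connector on port {port}")
    for c in connectors:
        missing = [a for a in PROXY_ATTRS if c.get(a) is None]
        if missing:
            findings.append(f"connector {c.get('port')}: missing {', '.join(missing)}")
    return findings
```

Calling `audit(SERVER_XML, WORKERS)` on the constructed samples returns four findings; against real files, pass their contents read from disk.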