Configuration using two proxies - http and https

Hi all

I'm stuck with the proxy config since we want our JIRA accessible inside another network zone.

The setup for internal use

JIRA /Tomcat <-http-> apache proxy <-http-> client

Now we configured an nginx reverse proxy for access from an unsecure zone over ssl:

JIRA /Tomcat <-http-> apache proxy <-http-> nginx reverse proxy <-https-> client

nginx terminates SSL. I now receive the URL mismatch error because of the https inside the URL.

I then added this to the server.xml and restarted JIRA

scheme="https"

proxyName="<nginx ip>"

proxyPort="443"

without success, same error. The problem is there are docs for the case "apache terminates ssl then => tomcat" but none for this "two-proxy" setup.
any hints or ideas?
thanks
sandro

2 answers

1 accepted

Hi Sandro,

Is there any reason to not use the outer proxy (nginx) for all communications? If there isn't a reason, you can just use the standard doc: https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

If you must have a 2 proxy setup, you could still follow the above, but set up nginx to use the first type of connector described in the document:

<!-- Apache Proxy Connector -->
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" scheme="https" proxyName="external.proxy.atlassian.com" proxyPort="443"/>
And use the http proxy to use the 2nd connector:
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8081" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" proxyName="internalproxy.com" proxyPort="80"/>
The above is untested... Normal warnings apply.
The only issue would be the base server url: I'd arbitrarily choose the external interface for most compatibility.
But really.. I wouldn't set up two proxies. KISS.
Tim

Hi Tim

First of all, thanks for the answer. There are some things I don't understand yet.

I now configured this second connector in Tomcat's server.xml. The nginx now connects to port 8090 (as defined in connector 1) and apache goes to 8080 (defined in connector 2). JIRA runs fine over apache and port 8080.

The reverse proxy thing however is still a bit of misery for me. So here is how I think:

Unsecure_client => over https and firewall to the nginx (eth6 for example), then through the reverse proxy config. Through eth1 it calls JIRA's Tomcat on port 8090.
Tomcat's server.xml defines a proxy_port and proxy_name, here I send him to eth1 from nginx and port 8090.

Right now it redirects me to the nginx proxy IP and /secure/MyJiraHome.jspa (absolutely don't know where this comes from).

My configs are attached since there aren't any characters left for this comment (IPs and domains replaced).

(jira.example.config.txt) (tomcat.txt)

I really need help, thanks for any.

An update: a co-worker had taken a quick look at it, and now we went back to find the actual problem.

Right now I can access the dashboard, somehow, receiving the known error:

Dashboard Diagnostics: Mismatched URL Scheme
com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'http', does not match expected scheme 'https'

The config is nothing special, only one connector for tomcat (port 8090) and nginx upstream pointing there.

<Connector port="8090"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"/>

and the nginx location directives (guess this is the important part, see previously attached files for complete config)

location / {
    proxy_pass http://public-jira;
    # proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Host $host;
    # proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto http;
}

I guess I'm missing something here or have to rewrite the url in a way that JIRA can deal with it.

If anyone knows something about it, I would appreciate it. I'll post the solution here as soon as I get it.

Update: I am able to log in!

The URL scheme mismatch isn't solved yet, and so isn't the baseurl problem (JIRA seems to make intensive use of it, unlike Confluence)

I also added

proxy_set_header X-Forwarded-Server $host;

proxy_set_header X-Forwarded-Host $host;

to nginx config. The task now is to pretend the correct url, right now JIRA cannot display anything properly...

Hi Sandro,

I'm going off of what you told me in the last comment: 1 connector, 8090, nginx goes there.

You also said that you're terminating ssl there at the nginx.

If that is true, you should set scheme='https' in the 8090 connector.

Tim


Hi Tim

This morning I've done exactly what you described in your first answer. Can't be easier:

Two connectors:

<!-- Internal access -->
<Connector port="8080"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"/>

<!-- With Web Proxy -->
<Connector port="8090"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           scheme='https'
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           proxyName="jira.external.com"
           proxyPort="443"/>

And all works fine. URL isn't matching the baseurl, but activity stream for example works anyway.
Only the user-avatars don't show up.

Next time, I better read exactly and do what Atlassian people say. I'm now gonna play around with the nginx config for performance or security improvements.

So, many thanks Tim!
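
Added example, not part of the original thread and not Atlassian's code: a simplified model of how Tomcat derives the scheme, host and port it reports to JIRA from each connector's scheme, proxyName and proxyPort, checked against the expected base URL. The server.xml sample is constructed from the connectors posted above; the base URL, the Host header values and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the two connectors from the thread.
SERVER_XML = """<Service name="Catalina">
  <!-- Internal access -->
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- With web proxy -->
  <Connector port="8090" protocol="HTTP/1.1" redirectPort="8443"
             scheme='https' proxyName="jira.external.com" proxyPort="443"/>
</Service>"""

DEFAULT_PORT = {"http": 80, "https": 443}

def advertised_origin(conn, host_header):
    """Origin Tomcat reports to the webapp for a request on this connector."""
    scheme = conn.get("scheme", "http")          # connector default is http
    host, _, hdr_port = host_header.partition(":")
    name = conn.get("proxyName", host)           # proxyName overrides Host
    # proxyPort overrides the Host port; without either, the scheme default.
    port = int(conn.get("proxyPort") or hdr_port or DEFAULT_PORT[scheme])
    return scheme, name.lower(), port

def audit(server_xml, base_url, host_headers):
    """Return {connector port: [mismatches against base_url]}.

    host_headers maps connector port -> Host header sent by the proxy in
    front of it (assumed values; nginx sends the proxy_pass upstream name
    when 'proxy_set_header Host' is commented out).
    """
    base = urlsplit(base_url)
    want = (base.scheme, base.hostname, base.port or DEFAULT_PORT[base.scheme])
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        got = advertised_origin(conn, host_headers[conn.get("port")])
        findings[conn.get("port")] = [
            f"{field}: {g!r} != {w!r}"
            for field, g, w in zip(("scheme", "host", "port"), got, want)
            if g != w
        ]
    return findings

if __name__ == "__main__":
    hosts = {"8080": "jira.internal.example", "8090": "public-jira"}
    for port, issues in audit(SERVER_XML, "https://jira.external.com", hosts).items():
        print(port, "OK" if not issues else issues)
```

A connector with no findings is the one whose URLs match the base URL; the scheme finding on a bare connector corresponds to the "Mismatched URL Scheme" dashboard diagnostic quoted earlier.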

hi sandro.

i never used nginx but maybe you find some hint here

https://answers.atlassian.com/questions/16218/jira-behind-nginx-proxy-hostname-and-url-problems

setting "proxy_redirect off" may help?
