Configuration using two proxies - http and https

sandro gehrig January 30, 2013

Hi all

I'm stuck with the proxy config since we want our JIRA accessible inside another network zone.

The setup for internal use

JIRA /Tomcat <-http-> apache proxy <-http-> client

Now we configured an nginx reverse proxy for access from an unsecure zone over ssl:

JIRA /Tomcat <-http-> apache proxy <-http-> nginx reverse proxy <-https-> client

nginx terminates ssl. I now receive the url mismatch error because of the https inside the url.

I then added this to the server.xml and restarted JIRA

scheme="https"

proxyName="<nginx ip>"

proxyPort="443"

without success, same error. The problem is there are docs for the case "apache terminates ssl then => tomcat" but none for this "two-proxy" setup.
any hints or ideas?
thanks
sandro

2 answers

1 accepted

1 vote
Answer accepted
twong_atlassian
January 31, 2013

Hi Sandro,

Is there any reason to not use the outer proxy (nginx) for all communications? If there isn't a reason, you can just use the standard doc: https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

If you must have a 2 proxy setup, you could still follow the above, but set up nginx to use the first type of connector described in the document:

<!-- Apache Proxy Connector -->
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" scheme="https" proxyName="external.proxy.atlassian.com" proxyPort="443"/>
And use the http proxy to use the 2nd connector:
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8081" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" proxyName="internalproxy.com" proxyPort="80"/>
The above is untested... Normal warnings apply.
The only issue would be the base server url: I'd arbitrarily choose the external interface for most compatibility.
But really.. I wouldn't set up two proxies. KISS.
Tim
sandro gehrig February 3, 2013

Hi Tim

First of all, thanks for the answer. There are some things I don't understand yet.

I now configured this second connector in Tomcat's server.xml. The nginx now connects to port 8090 (as defined in connector 1) and apache goes to 8080 (defined in connector 2). JIRA runs fine over apache and port 8080.

The reverse proxy thing however is still a bit of misery for me. So here how I think:

Unsecure_client => over https and firewall to the nginx (eth6 for example), then through the reverse proxy config. Through eth1 it calls jiras tomcat on port 8090.
Tomcat's server.xml defines a proxy_port and proxy_name, here I send him to eth1 from nginx and port 8090.

Right now it redirects me to the nginx proxy ip and /secure/MyJiraHome.jspa (absolutely don't know where this comes from).

My configs are attached since there aren't any characters left for this comment (IPs and domains replaced).

(jira.example.config.txt) (tomcat.txt)

I really need help, thanks for any.

sandro gehrig February 3, 2013

An update: a co-worker took a quick look at it, and now we went back to find the actual problem.

Right now I can access the dashboard, somehow, receiving the known error:

Dashboard Diagnostics: Mismatched URL Scheme
com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'http', does not match expected scheme 'https'

The config is nothing special, only one connector for tomcat (port 8090) and nginx upstream pointing there.

<Connector port="8090"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"/>

and the nginx location directives (guess this is the important part, see previously attached files for complete config)

location / {
    proxy_pass http://public-jira;
    # proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Host $host;
    # proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto http;
}

I guess I'm missing something here or have to rewrite the url in a way that JIRA can deal with it.

If anyone knows something about it, I would appreciate it. I'll post the solution here as soon as I've got it.

Update: I am able to log in!

The URL Scheme mismatch isn't solved yet, and so isn't the baseurl problem (jira seems to make intensive use of it, unlike confluence)

I also added

proxy_set_header X-Forwarded-Server $host;

proxy_set_header X-Forwarded-Host $host;

to nginx config. The task now is to pretend the correct url, right now JIRA cannot display anything properly...

twong_atlassian
February 3, 2013

Hi Sandro,

I'm going off of what you told me in the last comment: 1 connector, 8090, nginx goes there.

You also said that you're terminating ssl there at the nginx.

If that is true, you should set scheme='https' in the 8090 connector.

Tim


sandro gehrig February 4, 2013

Hi Tim

This morning I've done exactly what you described in your first answer. Can't be easier:

Two connectors:

<!-- Internal access -->
<Connector port="8080"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"/>

<!-- With Web Proxy -->
<Connector port="8090"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           scheme='https'
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           proxyName="jira.external.com"
           proxyPort="443"/>

And all works fine. URL isn't matching the baseurl, but activity stream for example works anyway.
Only the user-avatars don't show up.

Next time, I better read exactly and do what atlassian people say. I'm now gonna play around with the nginx config for performance or security improvements.

So, many thanks Tim!
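
Added example, not part of the original thread and not Atlassian's code: a simplified model of how each Tomcat connector's scheme, proxyName and proxyPort determine the URL JIRA sees, run against the single-connector setup that produced the "Mismatched URL Scheme" error and the two-connector setup that worked. The XML samples are constructed from the connectors posted above, and `jira.internal.example` is a hypothetical internal hostname.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples based on the thread's connectors (tuning attributes trimmed).
BROKEN_XML = """<Server><Service name="Catalina">
  <Connector port="8090" protocol="HTTP/1.1"/>
</Service></Server>"""

WORKING_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8090" protocol="HTTP/1.1" scheme="https"
             proxyName="jira.external.com" proxyPort="443"/>
</Service></Server>"""

# connector port -> (Host header the proxy forwards, URL the client typed).
# jira.internal.example is a hypothetical internal name.
ROUTES = {
    "8080": ("jira.internal.example", "http://jira.internal.example/"),
    "8090": ("jira.external.com", "https://jira.external.com/"),
}
DEFAULT_PORT = {"http": 80, "https": 443}

def effective_url(conn, host_header):
    """Simplified model of the scheme://host[:port] Tomcat reports to the webapp."""
    scheme = conn.get("scheme", "http")            # connector default is http
    host, _, host_port = host_header.partition(":")
    name = conn.get("proxyName") or host           # proxyName overrides Host
    # Without proxyPort or a port in Host, a non-SSL connector assumes 80.
    fallback = 443 if conn.get("SSLEnabled") == "true" else 80
    port = int(conn.get("proxyPort") or host_port or fallback)
    suffix = "" if port == DEFAULT_PORT.get(scheme) else f":{port}"
    return f"{scheme}://{name}{suffix}"

def check(server_xml, routes=ROUTES):
    """Return {port: (url_tomcat_reports, url_client_used, matches)}."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if port in routes:
            host_header, client_url = routes[port]
            want = urlsplit(client_url)
            expected = f"{want.scheme}://{want.netloc}"
            seen = effective_url(conn, host_header)
            result[port] = (seen, expected, seen == expected)
    return result

if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_XML), ("working", WORKING_XML)):
        for port, (seen, expected, ok) in check(xml).items():
            print(f"{label} :{port} tomcat={seen} client={expected} {'OK' if ok else 'MISMATCH'}")
```

Because the 8090 connector reports https for every request it receives, regardless of how the request actually arrived, that port should be reachable only from the nginx host.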

0 votes
C_ Faysal
January 30, 2013

Hi Sandro.

I never used nginx but maybe you find some hint here

https://answers.atlassian.com/questions/16218/jira-behind-nginx-proxy-hostname-and-url-problems

setting "proxy_redirect off" may help?
