Example of how to do a very simple reverse proxy (HAProxy) with JIRA on the backend?

I've got a clean JIRA 7.5.2 install running on CentOS.  It uses the default 8080 port for http requests, and I've also enabled an SSL certificate to enable https requests on port 8443. 

I want to run HAProxy in front as a reverse proxy server, to redirect http:80 -->8080 and https:443 --> 8443.

It looks as if using the very simple "listen" config setting in HAProxy is what I'll need, however I'm not sure about how to:

a) Modify the JIRA server.xml file so that the Connector 8443 configuration is properly set to return the correct values for reverse proxy from https (443)
b) How to configure a 'listen' entry in the haproxy.cfg file that properly references the SSL certs on my server, to allow for proper forwarding of https requests to the backend server's SSL listener on 8443.

Josh Steckler Community Champion Jan 25, 2018

This would be easier if you used apache. But I found this doc for Bitbucket which you could adapt for Jira. https://confluence.atlassian.com/bitbucketserver0414/securing-bitbucket-server-behind-haproxy-using-ssl-895368117.html

One key thing is that you do not need the certificates/keystore to be referenced in your jira server.xml. All you need for a proxy other than defaults are:

secure="true"
scheme="https"
proxyName="jirahostname.yourdomain.com"
proxyPort="443"

Then HAProxy (or in my case Apache) would be the one to redirect 80 to 443. Users would access Jira on 443, so you need to set your base URL to https://jirahostname.yourdomain.com

So as long as my front end proxy is listening on 443 for https and forwarding to the backend which is using 8080 for http, port 80, I only have to worry about:

a)  The proxy server's config to reference the location of my .pem file for SSL

b)  Include the four lines above in my server.xml under the Connector 8080 section, so that the Tomcat server knows to respond back with jirahostname.mydomain.com as the appropriate responder for http requests

Am I understanding this correctly?

Josh Steckler Community Champion Jan 25, 2018

Yes, that, and the redirect from port 80 to 443 for the users who forget to use https: and setting the Jira Base URL (in administration --> system configuration) to https://jirahostname.yourdomain.com

This effectively terminates the SSL at the proxy, which is much more efficient than doing that at tomcat (jira). Communication between the proxy and Jira is http and the end user never hits Jira directly, always through the proxy. This is optimal for performance when using HTTPS.


Should the proxyName entry in my JIRA server.cfg be set to just the domain (i.e. corp.mydomain.com) or should it be the full name of the jira server?

Current config looks like this:
    <Service name="Catalina">
        <Connector port="8080"
                   maxThreads="150"
                   minSpareThreads="25"
                   connectionTimeout="20000"
                   enableLookups="false"
                   maxHttpHeaderSize="8192"
                   protocol="HTTP/1.1"
                   useBodyEncodingForURI="true"
                   redirectPort="8443"
                   acceptCount="100"
                   disableUploadTimeout="true"
                   secure="true"
                   scheme="https"
                   proxyName="corp.mycompany.com"
                   proxyPort="443"
                   bindOnInit="false"/>

        <!--

I'm close because now I at least can see that requests to https://myjira.corp.mycompany.com are being returned with a secure connection but then the browser hangs in a loop, as if the JIRA server isn't returning the correct response to the proxy server. 

My HAProxy config looks like this:

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
# Tells HAProxy to start listening for HTTPS requests. It uses the SSL key
# and certificate found within corp.mycompany.com.pem. All requests will be routed
# to the jira_http_backend.
#---------------------------------------------------------------------
frontend jira_http_frontend
    bind *:443 ssl crt /etc/pki/tls/keystore/corp.xperi.com.pem
    default_backend jira_http_backend

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
# The jira_http_backend simply forwards all requests onto http://mycompany.com:8080/.
# It will only allow 1000 concurrent connections to the server at once.
#---------------------------------------------------------------------
backend jira_http_backend
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpchk
    server jira01 myjira.corp.mycompany.com:8080 maxconn 1000

Josh Steckler Community Champion Jan 25, 2018

Your proxyName should be "myjira.corp.mycompany.com"

Yeah 5 seconds after I sent that the lightbulb went on.  ;-)

It's working.  Last question. 

Is there a way to set an auto-redirect in the proxy so that http requests to myjira.corp.mycompany.com get redirected to https?  I'm assuming there is, I just don't know the syntax.

All good.  Thanks for the assist!

Josh Steckler Community Champion Jan 25, 2018

You're welcome!
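
The setup this thread arrives at, written out as one HAProxy configuration together with the port 80 to HTTPS redirect asked about at the end (an added example, not posted by either participant). The certificate path is a placeholder, `ssl-min-ver` assumes HAProxy 1.8 or later, and the Jira Connector on 8080 is assumed to carry the four proxy attributes quoted above with proxyName set to the full hostname.

```haproxy
# Added example: adapt the hostname and file paths to your environment.
global
    log /dev/log local0
    # Refuse legacy protocol versions on the TLS listener (HAProxy 1.8+)
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor except 127.0.0.0/8
    timeout connect 10s
    timeout client  1m
    timeout server  1m

# Plain-HTTP listener: its only job is to send browsers to HTTPS.
frontend jira_http_redirect
    bind *:80
    http-request redirect scheme https code 301

# TLS terminates here; the PEM file holds the certificate chain and key.
frontend jira_https_frontend
    bind *:443 ssl crt /etc/haproxy/certs/jira.example.pem   # placeholder path
    # HSTS: browsers that have visited once keep using HTTPS
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend jira_http_backend

# Traffic from the proxy to Tomcat is cleartext HTTP on 8080, so that port
# should be reachable only from the proxy host (firewall or bind address).
backend jira_http_backend
    option httpchk
    # 'check' is what actually enables the health check set by option httpchk
    server jira01 myjira.corp.mycompany.com:8080 check maxconn 1000
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file for syntax errors before a reload.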
