Example of how to do a very simple reverse proxy (HAProxy) with JIRA on the backend?

OneTech IT January 24, 2018

I've got a clean JIRA 7.5.2 install running on CentOS.  It uses the default 8080 port for http requests, and I've also enabled an SSL certificate to enable https requests on port 8443. 

I want to run HAProxy in front as a reverse proxy server, to redirect http:80 -->8080 and https:443 --> 8443.

It looks as if using the very simple "listen" config setting in HAProxy is what I'll need, however I'm not sure about how to:

a) Modify the JIRA server.xml file so that the Connector 8443 configuration is properly set to return the correct values for reverse proxy from https (443)
b) How to configure a 'listen' entry in the haproxy.cfg file that properly references the SSL certs on my server, to allow for proper forwarding of https requests to the backend server's SSL listener on 8443.

Answer accepted
josh
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 25, 2018

This would be easier if you used apache. But I found this doc for Bitbucket which you could adapt for Jira. https://confluence.atlassian.com/bitbucketserver0414/securing-bitbucket-server-behind-haproxy-using-ssl-895368117.html

One key thing is that you do not need the certificates/keystore to be referenced in your jira server.xml. All you need for a proxy other than defaults are:

secure="true"
scheme="https"
proxyName="jirahostname.yourdomain.com"
proxyPort="443"

Then HAProxy (or in my case Apache) would be the one to redirect 80 to 443. Users would access Jira on 443, so you need to set your base URL to https://jirahostname.yourdomain.com

OneTech IT January 25, 2018

So as long as my front end proxy is listening on 443 for https and forwarding to the backend which is using 8080 for http, port 80, I only have to worry about:

a)  The proxy server's config to reference the location of my .pem file for SSL

b)  Include the four lines above in my server.xml under the Connector 8080 section, so that the Tomcat server knows to respond back with jirahostname.mydomain.com as the appropriate responder for http requests

Am I understanding this correctly?

josh
January 25, 2018

Yes, that, and the redirect from port 80 to 443 for the users who forget to use https: and setting the Jira Base URL (in administration --> system configuration) to https://jirahostname.yourdomain.com

 

This effectively terminates the SSL at the proxy, which is much more efficient than doing that at tomcat (jira). Communication between the proxy and Jira is http and the end user never hits Jira directly, always through the proxy. This is optimal for performance when using HTTPS.

OneTech IT January 25, 2018

Should the proxyName entry in my JIRA server.cfg be set to just the domain (i.e. corp.mydomain.com) or should it be the full name of the jira server?

Current config looks like this:
    <Service name="Catalina">
        <Connector port="8080"
                   maxThreads="150"
                   minSpareThreads="25"
                   connectionTimeout="20000"
                   enableLookups="false"
                   maxHttpHeaderSize="8192"
                   protocol="HTTP/1.1"
                   useBodyEncodingForURI="true"
                   redirectPort="8443"
                   acceptCount="100"
                   disableUploadTimeout="true"
                   secure="true"
                   scheme="https"
                   proxyName="corp.mycompany.com"
                   proxyPort="443"
                   bindOnInit="false"/>

        <!--

I'm close because now I at least can see that requests to https://myjira.corp.mycompany.com are being returned with a secure connection but then the browser hangs in a loop, as if the JIRA server isn't returning the correct response to the proxy server. 

My HAProxy config looks like this:

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
# Tells HAProxy to start listening for HTTPS requests. It uses the SSL key
# and certificate found within corp.mycompany.com.pem. All requests will be routed
# to the jira_http_backend.
#---------------------------------------------------------------------
frontend jira_http_frontend
    bind *:443 ssl crt /etc/pki/tls/keystore/corp.xperi.com.pem
    default_backend jira_http_backend

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
# The jira_http_backend simply forwards all requests onto http://mycompany.com:8080/.
# It will only allow 1000 concurrent connections to the server at once.
#---------------------------------------------------------------------
backend jira_http_backend
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpchk
    server jira01 myjira.corp.mycompany.com:8080 maxconn 1000

josh
January 25, 2018

Your proxyName should be "myjira.corp.mycompany.com"
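
The mismatch resolved above (proxyName set to the domain instead of the host name users type) can be caught before a restart. The following is an added example, not code from the thread or from Atlassian: a small checker that compares the proxied Connector in server.xml against the public base URL. The function name `check_connector` and the embedded sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the Connector from the thread, before the proxyName fix.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
               secure="true" scheme="https"
               proxyName="corp.mycompany.com" proxyPort="443"/>
  </Service>
</Server>
"""

# Values Tomcat assumes when the attribute is absent from the Connector.
TOMCAT_DEFAULTS = {"scheme": "http", "secure": "false"}


def check_connector(server_xml, base_url, backend_port):
    """Return a list of mismatches between the proxied Connector and the base URL."""
    url = urlsplit(base_url)
    default_port = {"https": 443, "http": 80}.get(url.scheme)
    expected = {
        "scheme": url.scheme,
        "secure": "true" if url.scheme == "https" else "false",
        "proxyName": url.hostname,
        "proxyPort": str(url.port or default_port),
    }
    # Find the Connector the proxy forwards to (8080 in the thread).
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == str(backend_port):
            break
    else:
        return [f"no Connector listens on port {backend_port}"]
    problems = []
    for attr, want in expected.items():
        got = conn.get(attr, TOMCAT_DEFAULTS.get(attr))
        if got is None:
            problems.append(f"{attr} is missing, expected {want!r}")
        elif got.lower() != want.lower():
            problems.append(f"{attr}={got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    base = "https://myjira.corp.mycompany.com"  # the Jira Base URL users browse to
    for problem in check_connector(SAMPLE_SERVER_XML, base, 8080):
        print("MISMATCH:", problem)
```
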

OneTech IT January 25, 2018

Yeah 5 seconds after I sent that the lightbulb went on.  ;-)

It's working.  Last question. 

Is there a way to set an auto-redirect in the proxy so that http requests to myjira.corp.mycompany.com get redirected to https?  I'm assuming there is, I just don't know the syntax.

josh
January 25, 2018
OneTech IT January 25, 2018

All good.  Thanks for the assist!

josh
January 25, 2018

You're welcome!

Suresh April 17, 2018

Hi Josh,

We just installed Jira on Linux. Currently I am accessing Jira by using the computer name/IP address and its port 8080 through the URL http://10.20.3.121:8080.

Now we have decided on the URL to access Jira: http://jira.trade.com.

What steps/configuration need to be done if I want to access it by using the URL http://jira.trade.com?

Regards,

Suresh
