Expose JIRA to external network

Priyank May 23, 2018

Intro: I am a part time linux admin with relatively less experience. Recently I have been assigned the task of making JIRA available to users outside our network. 

I understand that this task involves multiple aspects and tasks to do. So far I have not had much luck finding assistance in other posts. Hence I am making this post here.

It is my understanding so far that I need to:

1. Link a second IP address to my JIRA installation. First one is used for internal only. I create a second one with the intention of opening up that port to the external network.

2. JIRA installation is currently set up to port 8099. I need to edit the server.xml file to port 80 for internal and external traffic

3. Update the JIRA base URL.

4. Setup SSL certificates for HTTPS.

Is this accurate? or am I missing some steps?

Note: this is running on a Centos machine. Also the IT department is working on DMZ firewall and ASA rules so routing will work both inside and out. 

Any advice?

 

2 answers

0 votes
Marcos PS [DEISER] May 23, 2018

Agree with Danyal, if possible try to do not use different IPs for LAN and WAN access and if you have no other choice, make sure you use the same FQDN for accessing Jira service and the use of HTTPS are forced for any access, remember that only one base URL can be defined at once if you do not want to face problems in the future, make sure all your users use the same URL for accessing Jira.

Take a look to this doc...

Priyank May 25, 2018

Hi Marcos,

I am in the process but facing a roadblock. Please advice.

Objective:

OS: Centos 7

Current jira instance: <Server IP addr>:8099

Need to go to hostname: jira.companyname.com

Things I did: According to link: https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

A. For atlassian application:

1. Stopped JIRA

2. Not using context path so ignored

3. For connector directive, In server.xml, added

proxyName="jira.companyname.com"
proxyPort="8099"
scheme="http"/>

B. For Apache HTTP server

1. mod_proxy enabled by default in Centos.

2. Configure virtual host using mod_proxy, 

Since includeOptional statement present in httpd.conf, In conf.d folder created an jira-vm.conf file with following. 

<VirtualHost *:80>
    ServerName jira.companyname.com
     
    ProxyRequests Off
    ProxyVia Off
ProxyPreserveHost On <Proxy *> Require all granted </Proxy> ProxyPass / http://<ip addr>:8099 ProxyPassReverse / http://<ip addr>:8099 </VirtualHost>

 3. Restart apache

systemctl restart httpd.service

4.  Modify CentOS SELinux policy

$ sudo /usr/sbin/setsebool -P httpd_can_network_connect 1

 C. Restart JIRA.

Result:

I dont see any response on jira.company.com

On ipaddr:8099 I see my jira instance with error:

"

Dashboard Diagnostics: Mismatched URL Hostname

JIRA is reporting that it is running on the hostname 'jira.clarionus.com', which does not match the hostname used to run these diagnostics, '<ip addr>'. This is known to cause JIRA to construct URLs using the incorrect hostname, which will result in errors in the dashboard, among other issues."

 

Thank you for your time

Marcos PS [DEISER] May 25, 2018

Hi Priyank,

ProxyPass and ProxyPassReverse must point to Tomcat connector port, not instead of the Apache proxy port. If you do not changed it, the default one for Jira is 8080... hope it helps!

Regards,

Priyank May 25, 2018

Marcos,

Thank you for the reply.

I did change the port on Jira from 8080 to 8099 during installation some time back. I checked now and the Tomcat connector port is indeed set to 8099. 

Any other ideas? 

I appreciate your assistance.

Marcos PS [DEISER] May 25, 2018

Set proxyPort="80" in the Tomcat intead

Priyank May 25, 2018

Marcos,

Here is my setting snippet.


<Connector port="8099"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="jira.company.com"
proxyPort="80"
scheme="http"/>

 

I have set proxy port to 80 and connector port is 8099.

0 votes
Danyal Iqbal
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 23, 2018

I would install an apache reverse proxy in front of your internal jira and make it public, allow only apache to access your internal jira and external users to access the apche webserver. And thats the only way I would recommend for a production instance (read security concerns). I would not assign a 2nd ip and open ports on my production instance.

The rest should be business as usual, edit the server.xml, install the ssl certificates and restart the webserver.

Priyank May 25, 2018

Hi Danyal,

I am in the process but facing a roadblock. Please advice.

Objective:

OS: Centos 7

Current jira instance: <Server IP addr>:8099

Need to go to hostname: jira.companyname.com

Things I did: According to link: https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

A. For atlassian application:

1. Stopped JIRA

2. Not using context path so ignored

3. For connector directive, In server.xml, added

proxyName="jira.companyname.com"
proxyPort="8099"
scheme="http"/>

B. For Apache HTTP server

1. mod_proxy enabled by default in Centos.

2. Configure virtual host using mod_proxy, 

Since includeOptional statement present in httpd.conf, In conf.d folder created an jira-vm.conf file with following. 

<VirtualHost *:80>
    ServerName jira.companyname.com
     
    ProxyRequests Off
    ProxyVia Off
ProxyPreserveHost On <Proxy *> Require all granted </Proxy> ProxyPass / http://<ip addr>:8099 ProxyPassReverse / http://<ip addr>:8099 </VirtualHost>

 3. Restart apache

systemctl restart httpd.service

4.  Modify CentOS SELinux policy

$ sudo /usr/sbin/setsebool -P httpd_can_network_connect 1

 C. Restart JIRA.

Result:

I dont see any response on jira.company.com

On ipaddr:8099 I see my jira instance with error:

"

Dashboard Diagnostics: Mismatched URL Hostname

JIRA is reporting that it is running on the hostname 'jira.clarionus.com', which does not match the hostname used to run these diagnostics, '<ip addr>'. This is known to cause JIRA to construct URLs using the incorrect hostname, which will result in errors in the dashboard, among other issues."

 

Thank you for your time.

Like Jasper likes this
Priyank May 25, 2018

Danyal,

I am in the process but facing a roadblock. Please advice.

Objective:

OS: Centos 7

Current jira instance: <Server IP addr>:8099

Need to go to hostname: jira.companyname.com

Things I did: According to link: https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

A. For atlassian application:

1. Stopped JIRA

2. Not using context path so ignored

3. For connector directive, In server.xml, added

proxyName="jira.companyname.com"
proxyPort="8099"
scheme="http"/>

B. For Apache HTTP server

1. mod_proxy enabled by default in Centos.

2. Configure virtual host using mod_proxy, 

Since includeOptional statement present in httpd.conf, In conf.d folder created an jira-vm.conf file with following. 

<VirtualHost *:80>
    ServerName jira.companyname.com
     
    ProxyRequests Off
    ProxyVia Off
ProxyPreserveHost On <Proxy *> Require all granted </Proxy> ProxyPass / http://<ip addr>:8099 ProxyPassReverse / http://<ip addr>:8099 </VirtualHost>

 3. Restart apache

systemctl restart httpd.service

4.  Modify CentOS SELinux policy

$ sudo /usr/sbin/setsebool -P httpd_can_network_connect 1

 C. Restart JIRA.

Result:

I dont see any response on jira.company.com

On ipaddr:8099 I see my jira instance with error:

"

Dashboard Diagnostics: Mismatched URL Hostname

JIRA is reporting that it is running on the hostname 'jira.clarionus.com', which does not match the hostname used to run these diagnostics, '<ip addr>'. This is known to cause JIRA to construct URLs using the incorrect hostname, which will result in errors in the dashboard, among other issues."

 

If you can point me in the right direction, I will be grateful.

Thank you for your time. 

Suggest an answer

Log in or Sign up to answer