How to integrate Jira, Confluence & Stash on the same Ubuntu server with Apache using SSL ?

Alexis Barta April 26, 2013

Hi everybody,

I installed Jira, Confluence and Stash on the same server (for money reason) with Apache behind the firewall.

We have a domain name (eg. www.my-domain.com) and I managed to configure the mod_proxy module of Apache to redirect :

- confluence.my-domain.com to http://192.168.0.1:8090

- stash.my-domaine.com to http://192.168.0.1:7990

- jira.my-domaine.com to http://192.168.0.1:8080

With 192.168.0.1 the local IP of our Ubuntu server.

The configuration was the following :

Client Browser -> http -> Apache Proxy -> http -> Tomcat (Jira, Confluence and Stash)

To do that, I wrote this in /etc/apache2/sites-available/default :

<VirtualHost *:80>
    ServerName confluence.my-domain.com
 	
 	ProxyRequests Off
	ProxyVia Block
	ProxyPreserveHost On
	
	<Proxy *>
		Order deny,allow
		Allow from All
	</Proxy>

    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>
<VirtualHost *:80>
    ServerName stash.my-domain.com
 	
 	ProxyRequests Off
	ProxyVia Block
	ProxyPreserveHost On
	
	<Proxy *>
		Order deny,allow
		Allow from All
	</Proxy>

    ProxyPass / http://localhost:7990/
    ProxyPassReverse / http://localhost:7990/
</VirtualHost>
<VirtualHost *:80>
    ServerName jira.my-domain.com
 	
 	ProxyRequests Off
	ProxyVia Block
	ProxyPreserveHost On
	
	<Proxy *>
		Order deny,allow
		Allow from All
	</Proxy>

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

Everything, worked well, until I tried to use SSL.

Now, I don't know how to configure :

- /etc/apache2/sites-available/default

- /etc/apache2/sites-available/default-ssl

- Jira, Confluence and Stash server.xml to make it work with ssl.

I want this configuration :

Client Browser -> https -> Apache Proxy -> http -> Tomcat (Jira, Confluence and Stash)

To avoid Man in the middle attack.

FYI

I'm using a self-signed SSL Certificate, that I have created using the following tutorial : https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html

And I already read https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL but I didn't succeed to operate the redirection with https, even if I tried it with Jira only.

Thank you for your help.

Alexis

6 answers

2 votes
Ryan Goodwin
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 26, 2013

Hi Alexis,

Have a look at the Confluence doc and see if it provides better steps for you to follow:

https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS

You'll need to make some changes to the server.xml and web.xml for each tomcat instance.

Alexis Barta April 26, 2013

Thanks for the quick answer.

I'm going to try this.

Alexis Barta April 26, 2013

I have read it, but this is not what I want.

I want this configuration :

Client Browser -> https -> Apache Proxy -> http -> Tomcat (Jira, Confluence and Stash)

To avoid Man in the middle attack.

Apache and Tomcat are on the same server, so I have no problem to let them communicate without encryption.

P.S: I have edited my question to make it more clear.

0 votes
Javier Molina August 12, 2014

Did you manage to get this configuration working?

0 votes
B_ Normann P_ Nielsen
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2014

a second point - after getting HTTPS to work, remember to redirect all http requests to https

0 votes
Radu Dumitriu
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2014

See Norman's answer. The problem that you are facing is very simple, it's the old SSL chicken and the egg. To apply a virtual host config over a SSL it's pretty tricky: to see what virtual host it is, you need to decript the message, but to decript the message you need to know what certificate to use.

So, you really need to read carefully all the document here: http://wiki.apache.org/httpd/NameBasedSSLVHosts

You need a wildcard certificate, not the usual, host-bounded !

Radu Dumitriu
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2014

Yeap, that's another solution, if this is acceptable.

B_ Normann P_ Nielsen
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2014

Regarding the wildcard issue - this SSL type is quite expensive , so move JIRA, Confluence and Stash from

jira.domain.dk to domain.dk/jira

confluence.domain.dk to domain.dk/confluence

0 votes
B_ Normann P_ Nielsen
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2014

Hi,

I think if You "double" all entries in the existing file pated above, and change

<VirtualHost *:80>

to

<VirtualHost *:433>

And add:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.dk.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.dk.key

for each -> You are pretty close :-)
0 votes
Anand Unadkat
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2014

Hi,

I am trying to do the same thing, but I can't get it to work the same way as you did. Did you register you domain somewhere? If so, could you please tell me where?

Thanks

Suggest an answer

Log in or Sign up to answer