How to integrate Jira, Confluence & Stash on the same Ubuntu server with Apache using SSL ?

Hi everybody,

I installed Jira, Confluence and Stash on the same server (for money reason) with Apache behind the firewall.

We have a domain name (eg. www.my-domain.com) and I managed to configure the mod_proxy module of Apache to redirect :

- confluence.my-domain.com to http://192.168.0.1:8090

- stash.my-domaine.com to http://192.168.0.1:7990

- jira.my-domaine.com to http://192.168.0.1:8080

With 192.168.0.1 the local IP of our Ubuntu server.

The configuration was the following :

Client Browser -> http -> Apache Proxy -> http -> Tomcat (Jira, Confluence and Stash)

To do that, I wrote this in /etc/apache2/sites-available/default :

<VirtualHost *:80>
    ServerName confluence.my-domain.com
 	
 	ProxyRequests Off
	ProxyVia Block
	ProxyPreserveHost On
	
	<Proxy *>
		Order deny,allow
		Allow from All
	</Proxy>

    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>
<VirtualHost *:80>
    ServerName stash.my-domain.com
 	
 	ProxyRequests Off
	ProxyVia Block
	ProxyPreserveHost On
	
	<Proxy *>
		Order deny,allow
		Allow from All
	</Proxy>

    ProxyPass / http://localhost:7990/
    ProxyPassReverse / http://localhost:7990/
</VirtualHost>
<VirtualHost *:80>
    ServerName jira.my-domain.com
 	
 	ProxyRequests Off
	ProxyVia Block
	ProxyPreserveHost On
	
	<Proxy *>
		Order deny,allow
		Allow from All
	</Proxy>

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

Everything, worked well, until I tried to use SSL.

Now, I don't know how to configure :

- /etc/apache2/sites-available/default

- /etc/apache2/sites-available/default-ssl

- Jira, Confluence and Stash server.xml to make it work with ssl.

I want this configuration :

Client Browser -> https -> Apache Proxy -> http -> Tomcat (Jira, Confluence and Stash)

To avoid Man in the middle attack.

FYI

I'm using a self-signed SSL Certificate, that I have created using the following tutorial : https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html

And I already read https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL but I didn't succeed to operate the redirection with https, even if I tried it with Jira only.

Thank you for your help.

Alexis

6 answers

Hi Alexis,

Have a look at the Confluence doc and see if it provides better steps for you to follow:

https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS

You'll need to make some changes to the server.xml and web.xml for each tomcat instance.

Thanks for the quick answer.

I'm going to try this.

I have read it, but this is not what I want.

I want this configuration :

Client Browser -> https -> Apache Proxy -> http -> Tomcat (Jira, Confluence and Stash)

To avoid Man in the middle attack.

Apache and Tomcat are on the same server, so I have no problem to let them communicate without encryption.

P.S: I have edited my question to make it more clear.

Hi,

I am trying to do the same thing, but I can't get it to work the same way as you did. Did you register you domain somewhere? If so, could you please tell me where?

Thanks

Hi,

I think if You "double" all entries in the existing file pated above, and change

<VirtualHost *:80>

to

<VirtualHost *:433>

And add:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.dk.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.dk.key

for each -> You are pretty close :-)

See Norman's answer. The problem that you are facing is very simple, it's the old SSL chicken and the egg. To apply a virtual host config over a SSL it's pretty tricky: to see what virtual host it is, you need to decript the message, but to decript the message you need to know what certificate to use.

So, you really need to read carefully all the document here: http://wiki.apache.org/httpd/NameBasedSSLVHosts

You need a wildcard certificate, not the usual, host-bounded !

Yeap, that's another solution, if this is acceptable.

Regarding the wildcard issue - this SSL type is quite expensive , so move JIRA, Confluence and Stash from

jira.domain.dk to domain.dk/jira

confluence.domain.dk to domain.dk/confluence

a second point - after getting HTTPS to work, remember to redirect all http requests to https

Did you manage to get this configuration working?

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 25, 2018 in Jira

Atlassian Research Workshop opportunity on Sep. 28th in Austin, TX

We're looking for participants for a workshop at Atlassian! We need Jira admins who have interesting custom workflows, issue views, or boards. Think you have a story to sha...

436 views 7 5
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you