Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to integrate f5 Load balancer with Jira

Nelson Jimenez Manio
Nelson Jimenez Manio March 25, 2013

I'm trying to utilize an F5 load balancer with a wildcard SSL certificate. Keep in mind I am not load balancing JIRA. It will be a single server behind a single VIP. I'm just trying to avoid installing an SSL cert directly on the server. if this is the configuration in my server.xml :

<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
scheme="https"
proxyName="jirapd.sports.com"
proxyPort="443"

What will be my new config be ? What needs to be change in F5 load balancer ?

Answer
Watch
Like Be the first to like this
8002 views

3 answers

1 accepted

7 votes
Answer accepted
Dan Dan10
Dan Dan February 5, 2014

You need to make a few changes if you want to put it behind an F5 for SSL offload:

  1. First - turn off/shutdown Jira
  2. Go into your installation directory and open the conf directory. Default would be C:\Program Files\Atlassian\JIRA\conf
  3. Make a copy of the server.xml file to BACKUP-server.xml
  4. Edit the connector and add these three lines (I am assuming you have NOT made any adjustments here outside of the normal Jira Wizard installation): secure="true" proxyPort="443" scheme="https"
  5. On the F5 request a certificate and ensure the name is consistent with the domain name that you use, or is a SAN cert... whatever makes sense in your installation. For example jira.testdomain.com
  6. Sign the certificate with your installed CA and ensure that the chain or CA certificate is installed in the client browsers.
  7. Import the signed certificate and verify that you have a certificate/key pair.
  8. Create an F5 SSL client profile, inherit from the default client SSL profile and override the certificate and key settings. Add the certificate and key from the above two steps.
  9. Apply this certificate to your VIP - ensure the rest of you settings are sane (The VIP is on 443, you have the appropriate profiles). Do not include a Server SSL profile (unless you are encrypting back to the Jira web server.. and in that case this is probably not the solution you are looking for).
  10. Start the Jira server - give it time to boot and initialize.
  11. Connect to Jira via your VIP, you can also create a 80->443 redirect VIP to handle redirection on the F5. (Just create a vip on port 80 with the same IP address and ONLY add the default iRule _sys_https_redirect)
  12. Go into the settings or Jira and change the base url to https://<yourconfigured FQDN>

Hope that helps...

View More Comments
Scott Geertgens
Scott Geertgens May 8, 2014

This works great. You can go a step further and have tomcat behind apache, and still have SSL offloaded to the F5. The only additional change in this scenario is to add proxyName="<apache server>" to the Connector block above as per Dan.

Like
Bimal Patel
Bimal Patel September 24, 2014

Scott, did you get the Applinks to work between Confluence & JIRA after making the above changes ? Bimal.

Like
Scott Geertgens
Scott Geertgens September 24, 2014

We don't currently have any applinks established, so I'm unaware of any conflicts in setting it up in that scenario.

Like
Mike R
Mike R April 11, 2016

@Bimal Patel Did you figure out how to get this working with App Links by chance?

Like
Reply
1 vote
LucasA
LucasA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 26, 2013

Proceed configuring you F5 (Viprion/Big IP) as reverse proxy (http://www.f5.com/glossary/reverse-proxy/). I belive that you have to disable SSL on VIP, enabling only the external network to handle SSL requests.

View More Comments
Nelson Jimenez Manio
Nelson Jimenez Manio March 26, 2013

I want to offload SSL to F5 (BigIP). Client will be connecting via BigIP using HTTPS. BigIP will forward request to Jira using HTTP. Certificates are stored in F5 (BigIP).

Like
Srinivas Patrun
Srinivas Patruni November 26, 2013

hi Lucas,

We have enabled F5 proxy for JIRA and we see no issues in accesing but confluence gadgets not loading getting marshal exceptions. Could you please help?

Thanks,Srinivas

Like
Reply
0 votes
Sam Ferrise
Sam Ferrise August 30, 2013

I have the same scenario...when the F5 is in the picture it causes the dashboard and other things to not load due to an invalid scheme. When it's not, everything is fine.

Did you ever solve this?

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events