How to integrate f5 Load balancer with Jira

I'm trying to utilize an F5 load balancer with a wildcard SSL certificate. Keep in mind I am not load balancing JIRA. It will be a single server behind a single VIP. I'm just trying to avoid installing an SSL cert directly on the server. if this is the configuration in my server.xml :

<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
scheme="https"
proxyName="jirapd.sports.com"
proxyPort="443"

What will be my new config be ? What needs to be change in F5 load balancer ?

3 answers

1 accepted

You need to make a few changes if you want to put it behind an F5 for SSL offload:

  1. First - turn off/shutdown Jira
  2. Go into your installation directory and open the conf directory. Default would be C:\Program Files\Atlassian\JIRA\conf
  3. Make a copy of the server.xml file to BACKUP-server.xml
  4. Edit the connector and add these three lines (I am assuming you have NOT made any adjustments here outside of the normal Jira Wizard installation): secure="true" proxyPort="443" scheme="https"
  5. On the F5 request a certificate and ensure the name is consistent with the domain name that you use, or is a SAN cert... whatever makes sense in your installation. For example jira.testdomain.com
  6. Sign the certificate with your installed CA and ensure that the chain or CA certificate is installed in the client browsers.
  7. Import the signed certificate and verify that you have a certificate/key pair.
  8. Create an F5 SSL client profile, inherit from the default client SSL profile and override the certificate and key settings. Add the certificate and key from the above two steps.
  9. Apply this certificate to your VIP - ensure the rest of you settings are sane (The VIP is on 443, you have the appropriate profiles). Do not include a Server SSL profile (unless you are encrypting back to the Jira web server.. and in that case this is probably not the solution you are looking for).
  10. Start the Jira server - give it time to boot and initialize.
  11. Connect to Jira via your VIP, you can also create a 80->443 redirect VIP to handle redirection on the F5. (Just create a vip on port 80 with the same IP address and ONLY add the default iRule _sys_https_redirect)
  12. Go into the settings or Jira and change the base url to https://<yourconfigured FQDN>

Hope that helps...

This works great. You can go a step further and have tomcat behind apache, and still have SSL offloaded to the F5. The only additional change in this scenario is to add proxyName="<apache server>" to the Connector block above as per Dan.

Scott, did you get the Applinks to work between Confluence & JIRA after making the above changes ? Bimal.

We don't currently have any applinks established, so I'm unaware of any conflicts in setting it up in that scenario.

@Bimal Patel Did you figure out how to get this working with App Links by chance?

Proceed configuring you F5 (Viprion/Big IP) as reverse proxy (http://www.f5.com/glossary/reverse-proxy/). I belive that you have to disable SSL on VIP, enabling only the external network to handle SSL requests.

I want to offload SSL to F5 (BigIP). Client will be connecting via BigIP using HTTPS. BigIP will forward request to Jira using HTTP. Certificates are stored in F5 (BigIP).

hi Lucas,

We have enabled F5 proxy for JIRA and we see no issues in accesing but confluence gadgets not loading getting marshal exceptions. Could you please help?

Thanks,Srinivas

I have the same scenario...when the F5 is in the picture it causes the dashboard and other things to not load due to an invalid scheme. When it's not, everything is fine.

Did you ever solve this?

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,308 views 14 20
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot