Integrating JIRA and Confluence behind IIS ARR

I have a JIRA and a Confluence server behind an IIS ARR acting as a reverse proxy with SSL.

JIRA is accessible via https://projects.domain.com and Confluence is accessible via https://documents.domain.com.

When trying to integrate the JIRA and Confluence servers together, I have been having a lot of issues - they are basically unable to see each other.

If I revert the base URLs back to the local domain names, the Application Links work perfectly. However, when I change the links back, they stop working.

When I try to create a new issue in Confluence, I get either a 404 or 504 error. If I try to recreate the link with the actual external URL, it cannot see that the server exists.

What am I missing here?


Currently, my server.xml on my JIRA is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
    <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
    <Listener className="org.apache.catalina.core.JasperListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <Service name="Catalina">
        <Engine defaultHost="localhost" name="Catalina">
            <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
                <Context docBase="${catalina.home}/atlassian-jira" path="" reloadable="false" useHttpOnly="true">
                    <Resource auth="Container" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60" name="UserTransaction" type="javax.transaction.UserTransaction"/>
                    <Manager pathname=""/>
                </Context>
            </Host>
            <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;" resolveHosts="false"/>

        </Engine>
        <Connector
            protocol="org.apache.coyote.http11.Http11Protocol"
            acceptCount="100"
            disableUploadTimeout="true"
            enableLookups="false"
            maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

            port="443"
            SSLEnabled="true"
            sslProtocol="TLS"
            scheme="https"
            secure="true"
            clientAuth="false"
            useBodyEncodingForURI="true"

            connectionTimeout="20000"
            keyAlias="<key alias>"
            keystoreFile="C:\Program Files\Atlassian\JIRA\jre\lib\security\cacerts"
            keystorePass="changeit"
            keystoreType="JKS"
            proxyName="projects.<domain>.com"
            proxyPort="443"/>
    </Service>
</Server>

The server.xml on my confluence is as follows:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <Manager pathname="" />
                </Context>
            </Host>
        </Engine>
        <Connector
            protocol="org.apache.coyote.http11.Http11Protocol"
            acceptCount="100"
            disableUploadTimeout="true"
            enableLookups="false"
            maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

            port="443"
            SSLEnabled="true"
            sslProtocol="TLS"
            scheme="https"
            secure="true"
            clientAuth="false"
            URIEncoding="UTF-8"

            connectionTimeout="20000"
            keyAlias="le-0e9f6755-3182-4701-aa42-76478d411226"
            keystoreFile="C:\Program Files\Atlassian\Confluence\jre\lib\security\cacerts"
            keystorePass="changeit"
            keystoreType="JKS"
            proxyName="documents.<domain>.com"
            proxyPort="443"/>
    </Service>
</Server>

5 answers

1 accepted

I solved this issue - basically, I just had to go into portecle and tell it that the domain of the other server is safe -

Now it is set up with Application Request Routing. The steps for setting this up were gleaned from here:

https://confluence.atlassian.com/display/JIRAKB/Integrating+JIRA+with+IIS+using+ARR#

Those instructions seem to work, but they leave a few things glitchy, and the Application Links you set up between JIRA and Confluence do not work at all (lots of errors about not having a link set up on the other end, not being a valid URL (and the URL will have the 8080 or 8090 port in it), etc.). Google and the comments on that article eventually led to the solution:

  1. Need to set preserveHostHeader proxy configuration to false

    C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true
  2. Allow HTTP_X_xxxx server variables for URL Rewriting configurations, and add those to the rewrite rules (see sample web.config file for Confluence here: http://pastebin.com/wSwcrbSr)
  3. First, allow server variables to be used so you don't get a 500 error about them not being permitted. See the "Allow Server Variables to be Changed" section on this page:
    http://www.iis.net/learn/extensions/url-rewrite-module/setting-http-request-headers-and-iis-server-variables
    1. Go to IIS root level in IIS Manager > URL Rewrite > View Server Variables
    2. Add the following
      1. HTTP_X_ORIGINAL_HOST
      2. HTTP_X_FORWARDED_HOST
      3. HTTP_X_FORWARDED_SERVER

  4. Next, add sections like this to your confluence or JIRA IIS website web.config files:

    <rule name="reverseproxy" stopProcessing="true">
      <match url="(.*)" />
      <action type="Rewrite" url="http://confluence.domain.com:8090/{R:1}" />
      <serverVariables>
        <set name="HTTP_X_ORIGINAL_HOST" value="confluence.domain.com" />
        <set name="HTTP_X_FORWARDED_HOST" value="confluence.domain.com" />
        <set name="HTTP_X_FORWARDED_SERVER" value="confluence.domain.com" />
      </serverVariables>
    </rule>

  5. In the Application Request Routing proxy setup screen that you go through in the Atlassian instructions, un-check the "Reverse rewrite host in response headers" checkbox.
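
A pre-deployment check for steps 3 and 4, added here as an example and not part of the original answer: it reports, per rewrite rule, every server variable the rule sets that is missing from the server-level allow-list, which is the condition the answer says produces the 500 error. Both XML inputs are constructed, and reading the allow-list from `rewrite/allowedServerVariables` in applicationHost.config is an assumption about where the IIS Manager setting from step 3 is stored.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment: the server-level allow-list.
# HTTP_X_FORWARDED_SERVER is left out on purpose to show the failure case.
APPHOST_XML = """<configuration><system.webServer><rewrite>
  <allowedServerVariables>
    <add name="HTTP_X_ORIGINAL_HOST" />
    <add name="HTTP_X_FORWARDED_HOST" />
  </allowedServerVariables>
</rewrite></system.webServer></configuration>"""

# Constructed site web.config wrapping the rule from step 4.
WEB_CONFIG_XML = """<configuration><system.webServer><rewrite><rules>
  <rule name="reverseproxy" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://confluence.domain.com:8090/{R:1}" />
    <serverVariables>
      <set name="HTTP_X_ORIGINAL_HOST" value="confluence.domain.com" />
      <set name="HTTP_X_FORWARDED_HOST" value="confluence.domain.com" />
      <set name="HTTP_X_FORWARDED_SERVER" value="confluence.domain.com" />
    </serverVariables>
  </rule>
</rules></rewrite></system.webServer></configuration>"""


def allowed_variables(apphost_xml):
    """Names listed under rewrite/allowedServerVariables, upper-cased."""
    root = ET.fromstring(apphost_xml)
    return {a.get("name", "").upper()
            for a in root.findall(".//allowedServerVariables/add")}


def unallowed_by_rule(web_config_xml, apphost_xml):
    """Map rule name -> server variables it sets that are not on the allow-list."""
    allowed = allowed_variables(apphost_xml)
    report = {}
    for rule in ET.fromstring(web_config_xml).findall(".//rules/rule"):
        names = [s.get("name", "") for s in rule.findall("serverVariables/set")]
        # Names are compared case-insensitively (a choice made for this example).
        missing = [n for n in names if n.upper() not in allowed]
        if missing:
            report[rule.get("name")] = missing
    return report


if __name__ == "__main__":
    for rule, names in unallowed_by_rule(WEB_CONFIG_XML, APPHOST_XML).items():
        print(f"rule {rule!r} sets variables that are not allowed: {', '.join(names)}")
```
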
     

 

Could you expand on steps 2 and 3? Also, I don't see where you attached the sample Web.config.

Sorry, I had, but it wasn't obvious because the nesting of my steps was out of whack (3 and 4 were actually sub-points to 2). I also included a few links, one of them to the sample web.config on pastebin.

Now I am running into this issue on Jira when I try to add "Incoming Authentication" for the application link: Unable to retrieve the application's certificate: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Never saw that one... do you have https or SSL somewhere in your setup? Ours is all internal intranet and so there is zero SSL involved.

JIRA and Confluence are exposed to the internet via a reverse proxy. This proxy server uses SSL offloading to encrypt the traffic. Currently, I have fixed everything except for one issue: when I am in JIRA and I try to search for a Confluence page to link it finds all of the expected pages but then when I press add it says that the page does not exist. Any ideas?

  • Did you get the "application offline message" in the Application Links page?
  • What's the base URL set for both applications?
  • What's your internal URL?
  • Are both applications located on different servers?
  • Able to access JIRA from the Confluence server using the external URL and vice versa?
  • Any noticeable error message in the JIRA and Confluence logs when you establish the application link?
  • Did you whitelist the proxy IP in JIRA and Confluence (assuming the external URL goes through the proxy)?

1) Yes

2) documents.yeack.com for Confluence and projects.yeack.com for JIRA

3) Yes, different servers.

4) Yes

5) Yes, 404 and 504 errors

6) Yes

- I was getting the "Application Offline" message but then I made both servers 'trust' the certificate of the other one as described here: https://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services Ever since then, they can both see each other.
- The base URL for JIRA is "https://projects.yeack.com" and the base URL for Confluence is "https://documents.yeack.com".
- The internal URL for JIRA is "http://issueserver.yeack.local" and Confluence is "http://documentserver.yeack.local".
- Both applications are on physically different servers.
- Yes - both applications can access each other from each other's server.
- No more error messages.
- They go through a reverse proxy - what whitelist are you referring to?

Currently, the application links seem to be working correctly in every way except one; from JIRA, when I try to add a link to a Confluence page by using the Confluence page lookup functionality, it finds the page but then when I click add it says that the page does not exist. Any ideas?
