JIRA Server with SSL Behind Apache Reverse Proxy Not Working

I'm trying to get JIRA setup behind an Apache reverse proxy where the connection to Apache is via SSL and then the connection between Apache and JIRA is http.

i.e. Internet/Network <=https=> Apache <=http=> JIRASERVER

I'm using a self certified certificate created as described here

Both Apache and JIRA are running on the same Windows 2008 R2 server.

I've followed the instructions from Atlassian but it just doesn't seem to work, I've been looking around all over the Internet and not found a solution for my issue.

I can setup Apache without SSL and that seems to work fine

Config 1

Internet/Network <=http=> Apache <=http=> JIRASERVER

JIRA Setup Files

server.xml

&lt;Service name="Catalina"&gt;
    	&lt;Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" 
        enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" 
        port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"
    	proxyName="JIRASERVERNAME" proxyPort="80"/&gt;

Apache Setup File

httpd.conf

LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

    ServerName JIRASERVERNAME

    Include conf/extra/httpd-vhosts.conf

httpd-vhosts.conf

&lt;VirtualHost *&gt;
    	ServerName JIRASERVERNAME

    	ProxyRequests		Off
    	ProxyPreserveHost	On
    	&lt;Proxy *&gt;
    		Order deny,allow
    		Allow from all
    	&lt;/Proxy&gt;
    
    	ProxyPass		/	http://JIRASERVERNAME:8080/
    	ProxyPassReverse	/	http://JIRASERVERNAME:8080/
	
    &lt;/VirtualHost&gt;

Type JIRASERVERNAME in a browser URL directs to JIRASERVERNAME/secure/Dashboard.jspa and works fine.

Config 2

However when I try and enable the SSL by changing the files to be as shown below (i.e. remove the setup for non-SSL and just use SSL) I get no response and am confused as to what's wrong.

JIRA Setup Files

server.xml

&lt;Service name="Catalina"&gt;
        &lt;Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" 
    	maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080"
        protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"
    	scheme="https" proxyName="JIRASERVERNAME" proxyPort="443" secure="true"/&gt;

Apache Setup File

httpd.conf

LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule ssl_module modules/mod_ssl.so 

    ServerName JIRASERVERNAME
    
    Include conf/extra/httpd-vhosts.conf

httpd-vhosts.conf

&lt;VirtualHost *:443&gt;
    	ServerName JIRASERVERNAME
    
    	SSLEngine			On
    	SSLCertificateFile		"C:\Program Files\Atlassian\JIRA\jre\server.crt"
    	SSLCertificateKeyFile	"C:\Program Files\Atlassian\JIRA\jre\server.key"
    	SSLProxyEngine		On
    	
    	ProxyRequests		Off
    	ProxyPreserveHost	On

    	&lt;Proxy *&gt;
    		Order deny,allow
    		Allow from all
    	&lt;/Proxy&gt;
    
    	ProxyPass		/	http://JIRASERVERNAME:8080/
    	ProxyPassReverse	/	http://JIRASERVERNAME:8080/
    	
    &lt;/VirtualHost&gt;
    &lt;VirtualHost *:80&gt;
    	ServerName JIRASERVERNAME
    	Redirect		/	https://JIRASERVERNAME/
    &lt;/VirtualHost&gt;

Typing in JIRASERVERNAME redirects to the secure URL https://JIRASERVERNAME`

But I get the response in Chrome "This web page is not available"

Can anyone help point out what I've done wrong please, I'd be very grateful

3 answers

1 accepted

I got it working, it was mainly because Apache wasn't listening on port 443, and I fixed this by including httpd-ssl.conf and then defining my VirtualHost in there.

So this is what I've ended up with

JIRA Setup Files

server.xml

&lt;Service name="Catalina"&gt;
        &lt;Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" 
    	maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080"
        protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"
    	scheme="https" proxyName="JIRASERVERNAME" proxyPort="443" secure="true"/&gt;

Apache Setup File

httpd.conf

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so 

ServerName JIRASERVERNAME
    
Include conf/extra/httpd-vhosts.conf

Include conf/extra/httpd-ssl.conf

httpd-vhosts.conf

&lt;VirtualHost *:80&gt;
    	ServerName JIRASERVERNAME
    	Redirect		/	https://JIRASERVERNAME/
    &lt;/VirtualHost&gt;

httpd-ssl.conf

Listen 443 #This was already defined in here

&lt;VirtualHost *:443&gt;
    ServerName JIRASERVERNAME
    
    SSLEngine			On
    SSLCertificateFile		"C:\Program Files\Atlassian\JIRA\jre\server.crt"
    SSLCertificateKeyFile	"C:\Program Files\Atlassian\JIRA\jre\server.key"
    SSLProxyEngine		On
    	
    ProxyRequests		Off
    ProxyPreserveHost	On

    &lt;Proxy *&gt;
    	Order deny,allow
    	Allow from all
    &lt;/Proxy&gt;
    
    ProxyPass		/	http://JIRASERVERNAME:8080/
    ProxyPassReverse	/	http://JIRASERVERNAME:8080/
    	
&lt;/VirtualHost&gt;

I also commented out any lines that were superceded by my VirtualHost config.

Thanks again for your help, very much appreicated.

Try to set "SSLProxyEngine Off"

Iguess:

SSLProxyEngine On

is used for HTTPS->HTTPS setup, but you have HTTPS->HTTP

Also check if http://JIRASERVERNAME:8080/opens correctly from your apache server host.

And check if your apache server listens on port 443. There should be similar line somewhere in config "Listen 443". You can test if firewall does not block it by trying to connect to 443 port with telnet.

Thanks for the suggestion, I'll give it a go and get back with how I get on

why don't you use the AJP connector instead?

vhost config would look like this then:

&lt;VirtualHost yourHost:443&gt;

# /SSL Section

    ServerAdmin admin@yourhost.tld
    ServerName yourHost
    ServerAlias yourHost

    ProxyRequests Off
    ProxyPreserveHost On

&lt;Proxy *&gt;
Order deny,allow
Allow from all
&lt;/Proxy&gt;
SSLProxyEngine On
ProxyRequests           Off
ProxyPreserveHost       On
ProxyPass           /       ajp://localhost:yourPort/
ProxyPassReverse    /       ajp://localhost:yourPort/
&lt;Location /&gt;
    Order allow,deny
    Allow from all
    &lt;/Location&gt;

&lt;/VirtualHost&gt;

this is the only connector you need to be active in the server.xml then

&lt;Connector port="yourPort" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8"/&gt;

Thanks for the suggestion, I'll give it a go and get back with how I get on

Thanks again for the suggestion, but I couldn't get this to work, but that was before I'd realised that I'd not included httpd-ssl.conf and had Apache listen on port 443. What advantage would AJP provide?

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

2,907 views 12 18
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot