JIRA over https - preferred method?

Permabit DevOps August 13, 2013

I'm a new JIRA admin, starting off by migrating our somewhat neglected JIRA 4.3 installation to 6.0. I've installed JIRA 6 (6.04) on a fresh host, imported a backup of our database, and had our users bang on it some. Initially I've been testing the new server on our NAT, with the default port 8080. For the next phase of testing, I want to give it a routable IP address and use the canonical https port.

There are at least three ways of doing this documented on atlassian.com:

All three of which start with a use-at-your-own-risk disclaimer.

My question is: Is oneof these the preferred method of serving JIRA on port 443? Conversely, is one of them known to be problematic? My installation is dead simple: A stand-alone server, with JIRA the only web service it's running; no other network ports will be open to the Internet.

My intuition, just because I'm a long-time *nix admin to whom all this java web service stuff looks like Greek, is to go with the Apache proxy approach. It adds an extra layer of indirection --- but OTOH one that's pretty well understood, and one I'm certainly going to understand better than anything involving fiddling with tomcat internals. But before just heading down the route of least resistance, I figured I should get some idea of community opinion.

Thanks in advance!

1 answer

0 votes
LucasA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 13, 2013

Hi,

We always suggest you running JIRA without any other application in front of it. That said, I rather configure SSL in Tomcat than Apache (this doc). It will need you to import the SSL certificates into a keystore file, and it may be complex some times, even if you're an Unix administrator. If you're going to run JIRA as well on a Linux machine, you'll need to redirect the 8080 and 8443 port to the 80 and 443 port instead, since a common user is unable to bind ports lower than 1024 in Linux. And I believe you don't feel like running JIRA with the root user. :)

If you're planning to integrate JIRA with Apache, please use AJP as says the doc you linked. It won't cause you problems with application links, rest calls and gadgets. You could set the SSL on a virtual host redirecting it for JIRA via AJP, it usually works fine, but you'll still need to import the SSL certificates into a keystore. For that, you won't add the keystore file on Tomcat (since the SSL layer will be provided by Apahe), but will need to add it on JIRA via startup options.

My personal opinion: Keep it running on Tomcat without Apache.

Best regards,
Lucas Timm

John Ellis February 12, 2014

Lucas I have been trying unsucessfully to get SSL setup & working for our jira/confluence internal server. Let me say first that my background is in computer hardware; I had never even heard of jira or confluence until I took this position a little less than 2 yrs ago (after getting laid off w/ about 300 others) after almost 27 years with Vitera Healthcare/Sage Healthcare/WebMD. My new boss first gave me jira and confluence upgrade tasks and now this. I followed the link https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPSand obtained a cert. from Cacert.organd followed all the steps to get it setup. We got the popup window for the initial login saying this was an untrusted site when changing to https but not after that. I created a ticket w/ Atlassian but the support tech I worked with said the cert. from Cacert.orgwill not work and that we must purchase one. My boss does not believe that and has told me that I need to keep searching for an answer for this. if you could help me out that would be awesome. You can e-mail me directly at john.ellis@lsgsolutions.com.

Thanks in advance,

John Ellis

Suggest an answer

Log in or Sign up to answer