It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Jira reverse proxy problem Edited

I am in the process of trying to upgrade a 6.4 to current.

The steps I have taken:

1.) Built and patched a new CentOS 7.x box and installed prereqs.

2.) Installed Jira 7.0 onto new box and validated that it is running and accepting connections

3.) Backed up Jira from old box and then imported it into the new Jira. Import went right, and all data was present. Logged into new 7.0 instance with creds from original and saw that all was ok.

4.) Followed instructions from https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html to get apache acting as reverse proxy for the system. Below are config files:

System.xml

<Service name="Catalina">

<!-- Apache Proxy Connector with values for scheme, proxyName and proxyPort -->
<Connector acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
port="8080"
protocol="HTTP/1.1"
redirectPort="8443"
scheme="https"
proxyname="my.cool.server.name"
proxyport="443"
useBodyEncodingForURI="true"/>

<!-- Standard HTTP Connector -->
<Connector acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
port="8081"
protocol="HTTP/1.1"
redirectPort="8443"
useBodyEncodingForURI="true"/>
<!--

<Engine defaultHost="localhost" name="Catalina">
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">


<!--
====================================================================================

Note, you no longer configure your database driver or connection parameters here.
These are configured through the UI during application setup.

====================================================================================
-->

<Resource auth="Container" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60" name="UserTransaction" type="javax.transaction.UserTransaction"/>
<Manager pathname=""/>
</Context>

</Host>

<!--

Httpd.conf

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule remoteip_module modules/mod_remoteip.so

IncludeOptional conf.d/*.conf

Jira.conf (located in conf.d/

<VirtualHost *:443>
ServerName support.annex.northgrum.com
ServerAlias support.annex.northgrum.com jira
ErrorLog /var/log/httpd/support-ssl-error.log
CustomLog /var/log/httpd/support-ssl-access.log combined
SSLCertificateFile /certs/server.cer
SSLCertificateKeyFile /certs/server.key
SSLCertificateChainFile /certs/server-ca.cer
SSLEngine on
ProxyRequests off
ProxyPreserveHost on
ProxyPass /jira http://127.0.0.1:8080/jira
ProxyPassReverse /jira http://127.0.0.1:8080/jira

RemoteIPHeader X-Forwarded-For
</VirtualHost>


When I hit the server, the log shows the following:

[Tue Jan 14 11:14:50.661950 2020] [authz_core:debug] [pid 16097] mod_authz_core.c(835): [client 10.161.108.42:2556] AH01628: authorization result: granted (no directives)
[Tue Jan 14 11:14:50.662170 2020] [proxy:debug] [pid 16097] mod_proxy.c(1123): [client 10.161.108.42:2556] AH01143: Running scheme http handler (attempt 0)
[Tue Jan 14 11:14:50.662215 2020] [proxy_ajp:debug] [pid 16097] mod_proxy_ajp.c(722): [client 10.161.108.42:2556] AH00894: declining URL http://127.0.0.1:8080/jira
[Tue Jan 14 11:14:50.662237 2020] [proxy_fcgi:debug] [pid 16097] mod_proxy_fcgi.c(972): [client 10.161.108.42:2556] AH01076: url: http://127.0.0.1:8080/jira proxyname: (null) proxyport: 0
[Tue Jan 14 11:14:50.662253 2020] [proxy_fcgi:debug] [pid 16097] mod_proxy_fcgi.c(975): [client 10.161.108.42:2556] AH01077: declining URL http://127.0.0.1:8080/jira
[Tue Jan 14 11:14:50.662276 2020] [proxy:debug] [pid 16097] proxy_util.c(2203): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Jan 14 11:14:50.662296 2020] [proxy:debug] [pid 16097] proxy_util.c(2256): [client 10.161.108.42:2556] AH00944: connecting http://127.0.0.1:8080/jira to 127.0.0.1:8080
[Tue Jan 14 11:14:50.662499 2020] [proxy:debug] [pid 16097] proxy_util.c(2426): [client 10.161.108.42:2556] AH00947: connected /jira to 127.0.0.1:8080
[Tue Jan 14 11:14:50.662677 2020] [proxy:debug] [pid 16097] proxy_util.c(2802): AH02824: HTTP: connection established with 127.0.0.1:8080 (127.0.0.1)
[Tue Jan 14 11:14:50.662717 2020] [proxy:debug] [pid 16097] proxy_util.c(2942): AH00962: HTTP: connection complete to 127.0.0.1:8080 (127.0.0.1)
[Tue Jan 14 11:14:50.666396 2020] [proxy:debug] [pid 16097] proxy_util.c(2218): AH00943: http: has released connection for (127.0.0.1)
[Tue Jan 14 11:14:55.671766 2020] [ssl:info] [pid 16097] (70007)The timeout specified has expired: [client 10.161.108.42:2556] AH01991: SSL input filter read failed.
[Tue Jan 14 11:14:55.671906 2020] [ssl:debug] [pid 16097] ssl_engine_io.c(993): [client 10.161.108.42:2556] AH02001: Connection closed to child 4 with standard shutdown (server my.cool.server.name:443)

The browser gives me the following:

https://my.cool.server.name:80/jira/secure/Dashboard.jspa

If I remove the :80, the thing will iterate a couple times and then eventually display the login page with the error:

JIRA is reporting that it is running on the port '80', which does not match the hostname used to run these diagnostics, '443'.

I can then put my creds in and it will do the :80 thing for three more times and then give me my page.

I have looked at the following:

https://community.atlassian.com/t5/Jira-Core-questions/Using-a-reverse-proxy-with-Jira-mismatched-URL-Port/qaq-p/267416

    with this in mind, I added the following to my conf file:

<VirtualHost *:80>
ServerName my.cool.server.name.com
ServerAlias my.cool.server.name jira
<Directory />
AllowOverride None
Order allow,deny
allow from all
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://my.cool.server.name%{REQUEST_URI} [R,L]
</Directory>
</VirtualHost>

Still the same issue.

I would be grateful for some pointers.

Thanks,

    

 

2 answers

1 accepted

0 votes
Answer accepted

This is solved. I wound up restarting the process and then following again this process:

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

And then ensured the the process worked for http.

I then followed:

https://confluence.atlassian.com/adminjiraserver073/integrating-jira-with-apache-using-ssl-861253896.html

which turned into the tricky part. Since I am an Apache noob, I didn't really understand where to put the directives for the SSL portion. I had been loading them into the same conf file as the http stuff, but that wasn't working when I originally did it. This time, I added the directives to the default ssl.conf file and the thing worked.

I *THINK* that I can just go straight SSL by putting the SSL stuff into the jira.conf file, but I am not sure how to exclude the default ssl file without breaking Apache. I'll play with that later.

0 votes

Hi,

#1 localhost is not always 127.0.0.1. Check is localhost is always resolved to 127.0.0.1

#2 Use support.annex.northgrum.com as the proxy name when setting up the connector.

Please reread

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

as there are some more bugs in your configuration on the Apache side.

Make sure your SSL/TLS settings of the Apache work without proxying to Jira.

Best

JP

JP -

Thank you for the reply. It was my intention to replace my actual hostname/FQDN infor with my.cool.server.name but I guess that I didn't sanitize well enough.
I verified that 127.0.0.1 is localhost in the hosts file
support.annex.northgrum.com is set as the proxy name in the connector.

Now, one thing is that I didn't change any of the other parameters to <default>. I left them as they were from the install. Should I change them to match the guide? e.g.:

<Connector port=<default>
    maxThreads=<default>
    minSpareThreads=<default>
    connectionTimeout=<default>
    enableLookups=<default>
    maxHttpHeaderSize=<default>
    protocol=<default>
    useBodyEncodingForURI=<default>
    redirectPort=<default>
    acceptCount=<default>
    disableUploadTimeout=<default>
    proxyName="support.annex.northgrum.com"
    proxyPort="443"
    scheme="https"/>

WRT the Apache config, I am not sure what those bugs are - I am not Apache savvy. As near as I can tell I have it set exactly as it should be according to the guide.


I think that the SSL portion does work because when the page does come up, the page is properly secured with the SSL cert. Other than that, I am not sure how to test it.

Thank you again

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you