Proxying Atlassian server applications with IIS and HTTPS

I'm trying to set up both Jira and Confluence to proxy through IIS. These are the different pieces I have in play.

Windows Server 2012 R2 running IIS 8.5

Jira running 7.2.6 via Tomcat on port 8080

Confluence  6.0.2 via Tomcat on port 8090

Sonic Wall TZ210

I have each product defined to run under a subdomain. My domains are set up as jira.example.com and wiki.example.com.

Both Jira and Confluence are running and can be accessed directly through their port number. 

I followed the following directions to proxy Jira and Confluence through IIS:

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html

I'm using SSL certificates on IIS via Let's Encrypt with a unique certificate assigned to each unique site and the sites each have the proper host header defined in the site bindings.

My Jira site is working correctly. When I try to go to Confluence via the wiki.example.com address it is bringing up Jira? 

I currently have both of these sites' subdomains pointing to the same public IP address. My SonicWall passes the requests on to the internal server using the same internal LAN IP address of the server running both sites. It appears that the host header is missing or being ignored. I'm not sure how or why Jira is being displayed by the wiki.example.com URL.

I feel like I'm close, but have put many hours into this so far. Any help or guidance would be greatly appreciated.

 

3 answers


Hello John!

I think it's really nice that you put some effort into securing JIRA and Confluence, and also giving the users simple URLs to use. Nice!

I think what you are missing is some configuration in your applications letting them know they are behind an SSL proxy.

Try adding the following to the connector in server.xml (and restart the application)

proxyName="jira.example.com" proxyPort="443" scheme="https" secure="true"

The whole connector should look similar to this. 

<Connector port="8080"
    maxThreads="150"
    minSpareThreads="25"
    connectionTimeout="20000"
    enableLookups="false"
    maxHttpHeaderSize="8192"
    protocol="HTTP/1.1"
    useBodyEncodingForURI="true"
    redirectPort="8443"
    acceptCount="100"
    disableUploadTimeout="true"
    bindOnInit="false"
    proxyName="jira.example.com" proxyPort="443" scheme="https" secure="true"/>

 

Cheers,

Lars, Kantega Single Sign-on

Hi Lars,

Thanks for replying! I have Jira working correctly and have the setup you provided in my Jira server.xml. It is Confluence that I'm having problems with.

My original Confluence server.xml looks like this:

<Connector
    port="8090"
    connectionTimeout="20000"
    redirectPort="8443"
    maxThreads="48"
    minSpareThreads="10"
    enableLookups="false"
    acceptCount="10"
    debug="0"
    URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
/>

If I change my server.xml for Confluence to be like the following it ends up rendering Jira.

<Connector port="8090"
    connectionTimeout="20000"
    redirectPort="8443"
    maxThreads="48"
    minSpareThreads="10"
    enableLookups="false"
    acceptCount="10"
    debug="0"
    URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    proxyName="wiki.example.org"
    proxyPort="443"
    scheme="https"
    secure="true"
/>

I'm curious if this is a problem with the host headers being lost as IIS does not seem to be honoring the host header when the request is received.


Hello again John!

I would look at the setup in IIS. Looks like you are hitting the Jira site in IIS. Make sure the site bindings (host name) are set correctly. If not, you will hit the wrong site.

This can be confirmed by accessing e.g. Jira and watching the log files.

I agree that it seems to be an issue with IIS. I have double checked my bindings and have also removed the wildcard entries. It appears the host header is being lost along the way for Confluence, but so far I'm unable to determine why or how.


Well, it's hard to be more specific :) Here is the web.config from our Confluence IIS LAB config. Maybe you can import it or compare it to the one you have.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://127.0.0.1:8090/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering allowDoubleEscaping="true" />
        </security>
    </system.webServer>
</configuration>

Thanks for sharing your web config. I'm going to investigate this further later today. I appreciate you taking the time to help!

Hi John, 

Did you ever resolve this? I ran into the same issue. My issue was the URL rewrite. I had 2 subdomains, 1 for Jira and 1 for Confluence, but the Confluence subdomain always opened up Jira. So I changed the URL rewrite rules for each website to include a condition where it looked to see what the subdomain was. Then I forwarded to the correct URL.

@Jason Howard I did get this resolved and it was also an issue with my rewrites. Thanks for checking in with me on it!
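
The fix the last two replies describe, a host condition on each rewrite rule, could look like this in web.config. This is an added example, not the configuration either poster used; the rule names are hypothetical, and the host names and ports are taken from the question, assuming both applications run on the IIS host.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: each rule fires only for its own Host header, so the same
     rule set gives the right backend even if both sites end up evaluating it.
     Rule names are hypothetical; hosts and ports come from the question. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- jira.example.com -> Jira's Tomcat connector on 8080 -->
        <rule name="ProxyJiraByHost" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^jira\.example\.com(:443)?$" />
          </conditions>
          <action type="Rewrite" url="http://127.0.0.1:8080/{R:1}" />
        </rule>
        <!-- wiki.example.com -> Confluence's Tomcat connector on 8090 -->
        <rule name="ProxyConfluenceByHost" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^wiki\.example\.com(:443)?$" />
          </conditions>
          <action type="Rewrite" url="http://127.0.0.1:8090/{R:1}" />
        </rule>
        <!-- Any other Host header is refused instead of being proxied
             to whichever backend happens to match first. -->
        <rule name="RejectUnknownHost" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="Unknown host" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The anchored patterns match the whole host name, so a request with an unexpected Host header reaches neither Tomcat instance.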
