Proxying Atlassian server applications with IIS and HTTPS

jsieber_aca April 24, 2017

I'm trying to setup both Jira and Confluence to proxy through IIS. These are the different pieces I have in play.

Windows Server 2012 R2 running IIS 8.5

Jira running 7.2.6 via Tomcat on port 8080

Confluence  6.0.2 via Tomcat on port 8090

Sonic Wall TZ210

I have each product defined to run under a subdomain. My domains are setup as jira.example.com and wiki.example.com.

Both Jira and Confluence are running and can be accessed directly through their port number. 

I followed the following directions to proxy Jira and Confluence through IIS:

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html

I'm using SSL certificates on IIS via Let's Encrypt with a unique certificate assigned to each unique site and the sites each have the proper host header defined in the site bindings.

My Jira site is working correctly. When I try to go to Confluence via the wiki.example.com address it is bringing up Jira? 

I currently have both of these sites subdomains pointing the same public IP address. My sonic wall passes the requests on to the internal server using the same internal LAN IP address of the server running both sites. It appears that the host header is missing or being ignored. I'm not sure how or why Jira is being displayed by the wiki.example.com URL. 

I feel like I'm close, but have put many hours into this so far. Any help or guidance would be greatly appreciated.

 

3 answers

1 vote
Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 25, 2017

Well, it`s hard to be more specific :) Here is the web.config from our Confuence IIS LAB config. Maybe you can import it or compare it to the one you have.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://127.0.0.1:8090/{R:1}" />
</rule>
</rules>
</rewrite>
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
</system.webServer>
</configuration>

jsieber_aca April 25, 2017

Thanks for sharing your web config. I'm going to investigate this further later today. I appreciate you taking the time to help!

Jason Howard March 20, 2018

Hi John, 

Did you ever resolve this?  I ran into the same issue.  My issue was the url rewrite.  I had 2 subdomains, 1 for jira and 1 for confluence, but the confluence subdomain always opened up jira.  So I changed the url rewrite rules for each website to include a condition where  it looked to see what the subdomain was.  Then I forwarded to the correct url.  

jsieber_aca March 20, 2018

@Jason Howard I did get this resolved and it was also an issue with my rewrites. Thanks for checking in with me on it!

0 votes
Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 25, 2017

Hello again John!

I would look at the setup in IIS. Looks like you are hitting the jira site in IIS. Make sure site bindings (host name) is set correctly. If not, you will hit the wrong site. 

This can be confirmed by accessing e.g. jira and watching the log files.

jsieber_aca April 25, 2017

I agree that it seems to be an issue with IIS. I have double checked my bindings and do have also removed the wildcard entries. It appears the host header is being lost along the way for Confluence, but so far I'm unable to determine why or how.

0 votes
Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 25, 2017

Hello John!

I think its really nice that you put some effort into securing JIRA and Confluence, and also giving the users simple urls to use. Nice!

I think what you are missing is some configuration to your applications letting them know they are behing a SSL proxy.

Try adding the following to the connector in server.xml (and restart the application)

proxyName="jira.example.com" proxyPort="443" scheme="https" secure="true"

The whole connector should look similar to this. 

<Connector port="8080"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="jira.example.com" proxyPort="443" scheme="https" secure="true"/>

 

Cheers,

Lars, Kantega Single Sign-on

jsieber_aca April 25, 2017

Hi Lars,

Thanks for replying! I have Jira working correctly and have the setup you provided in my Jira server.xml. It is confluence that I'm having problems with. 

My original confluence server.xml looks like this:

<Connector
port="8090"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="48"
minSpareThreads="10"
enableLookups="false"
acceptCount="10"
debug="0"
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
/>
If I change my server.xml for Confluence to be like the following it ends up rendering Jira. 

<Connector port="8090"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="48"
minSpareThreads="10"
enableLookups="false"
acceptCount="10"
debug="0"
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
proxyName="wiki.example.org"
proxyPort="443"
scheme="https"
secure="true"
/>
I'm curious if this is a problem with the host headers being lost as IIS does not seem to be honoring the host header when the request is received.

Suggest an answer

Log in or Sign up to answer