Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Running jira and confluence over https

Hi All,

We have Jira and Confluence hosted on the same server at different port(Jira:8080 and Confluence:8090) and currently accessible through servername and port.

 

Now the business requirement is to run both the applications over https, at atlassian site a basic document is available but it is mentioned in the doc that "It is by no means a definitive or comprehensive guide to configuring HTTPS and may not apply to your environment."

I would request you all if anyone have completed this activity with same setup, please guide me.

Even your little help would be appreciated.

Thanks for your help in advance.

Regards,

Shib Saha 

1 answer

2 votes

There are a lot of possibilities here, however you do it, and there's probably an entire book that could be written.  To avoid that, could you give us an idea of your broader goal?

Https, yes, good, you should be doing that for any system that people might write to.  Http is, nowadays, only for static read-only sites where security is not needed.

I'm thinking more of structure and https.  My personal preference is "one url, with different areas", so you end up with https://somewhere.com , https://somewhere.com/confluence , https://somewhere.com/jira , https://somewhere.com/otherstuff , and so-on.

I mostly use a proxy server to do that sort of stuff though.  And I offload SSL to the proxy, to get better performance on the back-end. 

As you can tell, this could be quite a long discussion, but let's try to keep it simple.

  • SSL (https) is a given
  • What structure do you want for your sites?
  • Are you happy to use a proxy server (nginx, apache, lightppd, IIS, even a load-balancer, etc)?

Hi @Nic Brough _Adaptavist_ 

so you set up the URLs for tools on the same server with a reverse proxy is that right?

My best

Merve

hi Nic,

 

Thanks for your help.

 

Considering our current setup, it would be fine If we can setup a structure where Jira and Confluence exists on separate URLs. Something like the following:

https://abcJira.com

https://abcConfluence.com

 

Now this is not a hard requirement and if having https://abcjira.com and https://abcjira.com/confluence is easier to implement, the business would be onboard with that as well.

 

I am exploring what the SSL costs would be if we chose different domains though so in that sense, the first option is more preferable.

 

We are working with NetScaler for some other applications so using a proxy server would be feasible.

 

What do you think would be a good starting point here?

 

Thanks a lot for your help.

 

Regards,

Shib Saha 

A reverse proxy is my personally preferred route, probably because it's what I'm most familiar with (it's also good to offload the SSL on to the proxy, is easier to integrate into larger web sites, and it's very similar to load balancers when you scale up to data-centre, and most of our clients are doing it, so it's good to practice)

Is that what you are aiming for?

Hi Nic,

I would like to to go with same flow(reverse proxy) for implementing this task.

Could you please guide me with the steps involved in implementing this.

Thanks a lot for your help!

Regards,

Shib 

Ok, I would break this task into two parts.  First, get a proxy working with http, then, second, add httpS to the proxy. 

So, first, see https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

There's a lot there, but if you follow each step, it will work fine.  Most of the text is really more about giving you a sample than actual instructions.  It comes down to making sure your web-server has the right modules to support it, then editing the "site" files for the web-server to add the proxy server settings and the Jira server's server.xml to match the context, and telling Jira what the new base url is.

The second step is confusing.  SSL is not simple (if it were, it probably wouldn't be secure enough).  Do NOT even start on this step until you have Jira working ok through a simple http proxy, that way lies madness.  But assuming you have that, your next steps are reading two docs:

These try too hard, imho, and could do with a summary (assuming you have an http proxy setup working ok)

  • You need a server certificate to put on the proxy.  Incoming connections will be measured against it.
  • You need a client certificate.  Browsers connecting to a well-configured server should negotiate one, but it is important to understand that your Jira server also needs one of these, and it cannot negotiate one for itself like a browser can.  You will have to install that yourself.  Jira will actually work, but not well, until you install it
  • Your http Jira will not work properly through a proxy that does not know that the other side of the proxy is ssl.  You need to tell it (this is adding three lines to your server.xml as per docs)
  • Once you've got that lot done, Jira will work, but complain about the base url until you change from http://something to httpS:something

Hey Nic,

Sorry for the late reply, I was on leave.

Now we have proxy enabled with expired cert as we are configuring QA environment first.

But getting Gadget error "MSG_gadget_name" and "gadget.common.error.500".

Do you know what could be the cause?

Installation of cert on jira server(this cert will be same cert that we will be using on proxy server or different cert), please share if there is any doc for installing cert on jira server.

 

Thanks a lot!

Regards,

Shib Saha 

It means you need to get a new, valid, certificate and install that, replacing the expired one.  See the links above for instructions on installing it.

Thanks nic for the info.

 

Regards,

Shib Saha 

Hey Nic,

We have configured the reverse proxy with netscaler at network end, but business did not agree to use this approach.

Now we are using apache as reverse proxy and with http both the application is working fine with apache as reverse proxy, but when we are enabling the SSLengine service(jira and Confluence) site is not reachable.

We have been struggling for two days but still not able to figure out the root cause.

 

Could you please help where we are missing something?

 

Thanks and Regards

Shib Saha 

It's impossible to say without a description of the problem.

You say the service is "unreachable" - that implies that the service is not resolving, which is a DNS problem.  I don't think that's the whole problem though, if it works without SSL, I suspect its reachable but firewalled or misconfigured.

Could you tell us what the browser errors are?

Hi Nic,

 

Above issue is resolved now, both the application is running over https.

Again we are getting errors of gadgets "__MSG_gadget.created.vs.resolved.title__", while configuring the applications with http this error was not occurring.

 

I read some of the Atlassian article  and found that we need to place certificate in JRE. My opinion is if we are offloading Certificate in Apache, do we need to place cert in JRE folder also?

Thanks for your help.

Regards,

Shib Saha 

Yes.  The certificates allow something to read an https secured site.

When your browsers visit SSL sites, they can negotiate certificates, but services like Jira and Confluence can't.  They need the certificates to be loaded into their key stores.

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you