Running Jira and Confluence over HTTPS

Shib Saha January 8, 2020

Hi All,

We have Jira and Confluence hosted on the same server on different ports (Jira: 8080 and Confluence: 8090), currently accessible through servername and port.

Now the business requirement is to run both applications over https. On the Atlassian site a basic document is available, but it is mentioned in the doc that "It is by no means a definitive or comprehensive guide to configuring HTTPS and may not apply to your environment."

I would request you all: if anyone has completed this activity with the same setup, please guide me.

Even your little help would be appreciated.

Thanks for your help in advance.

Regards,

Shib Saha 

1 answer

2 votes
Nic Brough -Adaptavist-
Community Leader
January 8, 2020

There are a lot of possibilities here, however you do it, and there's probably an entire book that could be written.  To avoid that, could you give us an idea of your broader goal?

Https, yes, good, you should be doing that for any system that people might write to.  Http is, nowadays, only for static read-only sites where security is not needed.

I'm thinking more of structure and https.  My personal preference is "one url, with different areas", so you end up with https://somewhere.com , https://somewhere.com/confluence , https://somewhere.com/jira , https://somewhere.com/otherstuff , and so-on.

I mostly use a proxy server to do that sort of stuff though.  And I offload SSL to the proxy, to get better performance on the back-end. 

As you can tell, this could be quite a long discussion, but let's try to keep it simple.

  • SSL (https) is a given
  • What structure do you want for your sites?
  • Are you happy to use a proxy server (nginx, apache, lighttpd, IIS, even a load-balancer, etc)?
Merve Nur Bas
Rising Star
January 9, 2020

Hi @Nic Brough -Adaptavist- 

So you set up the URLs for tools on the same server with a reverse proxy, is that right?

My best

Merve

Shib Saha January 9, 2020

Hi Nic,

Thanks for your help.

Considering our current setup, it would be fine if we can set up a structure where Jira and Confluence exist on separate URLs. Something like the following:

https://abcJira.com

https://abcConfluence.com

Now this is not a hard requirement and if having https://abcjira.com and https://abcjira.com/confluence is easier to implement, the business would be onboard with that as well.

I am exploring what the SSL costs would be if we chose different domains though so in that sense, the first option is more preferable.

We are working with NetScaler for some other applications so using a proxy server would be feasible.

What do you think would be a good starting point here?

Thanks a lot for your help.

Regards,

Shib Saha 

Nic Brough -Adaptavist-
January 9, 2020

A reverse proxy is my personally preferred route, probably because it's what I'm most familiar with (it's also good to offload the SSL on to the proxy, is easier to integrate into larger web sites, and it's very similar to load balancers when you scale up to data-centre, and most of our clients are doing it, so it's good to practice)

Is that what you are aiming for?

Shib Saha January 9, 2020

Hi Nic,

I would like to go with the same flow (reverse proxy) for implementing this task.

Could you please guide me with the steps involved in implementing this?

Thanks a lot for your help!

Regards,

Shib 

Nic Brough -Adaptavist-
January 9, 2020

Ok, I would break this task into two parts.  First, get a proxy working with http, then, second, add httpS to the proxy. 

So, first, see https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

There's a lot there, but if you follow each step, it will work fine.  Most of the text is really more about giving you a sample than actual instructions.  It comes down to making sure your web-server has the right modules to support it, then editing the "site" files for the web-server to add the proxy server settings and the Jira server's server.xml to match the context, and telling Jira what the new base url is.

The second step is confusing.  SSL is not simple (if it were, it probably wouldn't be secure enough).  Do NOT even start on this step until you have Jira working ok through a simple http proxy, that way lies madness.  But assuming you have that, your next steps are reading two docs:

These try too hard, imho, and could do with a summary (assuming you have an http proxy setup working ok)

  • You need a server certificate to put on the proxy.  Incoming connections will be measured against it.
  • You need a client certificate.  Browsers connecting to a well-configured server should negotiate one, but it is important to understand that your Jira server also needs one of these, and it cannot negotiate one for itself like a browser can.  You will have to install that yourself.  Jira will actually work, but not well, until you install it
  • Your http Jira will not work properly through a proxy that does not know that the other side of the proxy is ssl.  You need to tell it (this is adding three lines to your server.xml as per docs)
  • Once you've got that lot done, Jira will work, but complain about the base url until you change from http://something to httpS:something
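
The server.xml change described in the answer above, as an added example that is not part of the original post or Atlassian's documentation: a small checker that compares the Tomcat Connector's proxy attributes with the public base URL. `proxyName`, `proxyPort`, `scheme` and `secure` are standard Tomcat Connector attributes; the hostname `jira.example.com` and both server.xml fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed server.xml fragments (not from the thread); hostname is a placeholder.
BEFORE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""

AFTER = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             proxyName="jira.example.com" proxyPort="443"
             scheme="https" secure="true"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""


def check_connector(server_xml, base_url, backend_port=8080):
    """Return a list of mismatches between the Connector and the public base URL."""
    url = urlsplit(base_url)
    public_port = url.port or (443 if url.scheme == "https" else 80)
    expected = {
        "proxyName": url.hostname,
        "proxyPort": str(public_port),
        "scheme": url.scheme,
    }
    if url.scheme == "https":
        # Tells the application the original request arrived over TLS at the proxy.
        expected["secure"] = "true"

    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector")
                  if c.get("port") == str(backend_port)]
    if not connectors:
        return [f"no Connector listening on port {backend_port}"]

    problems = []
    for name, want in expected.items():
        have = connectors[0].get(name)
        if have is None:
            problems.append(f"{name} missing (expected {want!r})")
        elif have.lower() != want.lower():
            problems.append(f"{name}={have!r} (expected {want!r})")
    return problems


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, check_connector(doc, "https://jira.example.com") or "OK")
```

An empty list means the Connector agrees with the base URL; the same check applies to Confluence by passing `backend_port=8090` and its own base URL.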
Shib Saha January 20, 2020

Hey Nic,

Sorry for the late reply, I was on leave.

Now we have the proxy enabled with an expired cert, as we are configuring the QA environment first.

But we are getting the gadget errors "MSG_gadget_name" and "gadget.common.error.500".

Do you know what could be the cause?

Regarding installation of the cert on the Jira server (will this be the same cert that we will be using on the proxy server, or a different cert?), please share if there is any doc for installing a cert on the Jira server.

Thanks a lot!

Regards,

Shib Saha 

Nic Brough -Adaptavist-
January 20, 2020

It means you need to get a new, valid, certificate and install that, replacing the expired one.  See the links above for instructions on installing it.

Shib Saha January 22, 2020

Thanks Nic for the info.

Regards,

Shib Saha 

Shib Saha January 30, 2020

Hey Nic,

We have configured the reverse proxy with NetScaler at the network end, but the business did not agree to use this approach.

Now we are using Apache as the reverse proxy, and with http both applications are working fine with Apache as the reverse proxy, but when we enable the SSLEngine service (Jira and Confluence), the site is not reachable.

We have been struggling for two days but are still not able to figure out the root cause.

Could you please help where we are missing something?

Thanks and Regards

Shib Saha 

Nic Brough -Adaptavist-
February 1, 2020

It's impossible to say without a description of the problem.

You say the service is "unreachable" - that implies that the service is not resolving, which is a DNS problem.  I don't think that's the whole problem though, if it works without SSL, I suspect it's reachable but firewalled or misconfigured.

Could you tell us what the browser errors are?

Shib Saha February 3, 2020

Hi Nic,

The above issue is resolved now; both applications are running over https.

Again we are getting gadget errors, "__MSG_gadget.created.vs.resolved.title__"; while configuring the applications with http this error was not occurring.

I read some of the Atlassian articles and found that we need to place the certificate in the JRE. My opinion is, if we are offloading the certificate in Apache, do we need to place the cert in the JRE folder also?

Thanks for your help.

Regards,

Shib Saha 

Nic Brough -Adaptavist-
February 4, 2020

Yes.  The certificates allow something to read an https secured site.

When your browsers visit SSL sites, they can negotiate certificates, but services like Jira and Confluence can't.  They need the certificates to be loaded into their key stores.
