nginx and JIRA issue

having extreme issues using nginx with an SSL on it with a proxy pass to our JIRA instance on the same box.

Here is my current code following Atlassian's recommendations:

nginx.conf file:

server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name test.domain.com;
return 301 https://$server_name$request_uri;
}

server {
listen 443;
server_name test.domain.com;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /var/SSL/bundle.crt;
ssl_certificate_key /var/SSL/domain.key;
# ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:50m;
# ssl_session_tickets off;

ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
ssl_trusted_certificate /var/SSL/intermediate.cer;
location /jira {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://test.domain.com:8080/jira;
client_max_body_size 10M;
}
}

 server.xml file:

<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">


<Connector port="8080"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="test.domain.com"
proxyPort="443"
scheme="https"
secure="true"/>

 

With this method it won't even redirect. When browsing to the FQDN it simply shows me an nginx splash page. 

 

I got it working using another method, but JIRA shows that it can't resolve to itself when using this code:

nginx.conf:

server {
listen 80;
return 301 https://$host$request_uri;
}

server {
# The IP that you forwarded in your router (nginx proxy)
listen 443 default_server;

# Make site accessible from http://localhost/
server_name test.domain.com;

# The internal IP of the VM that hosts your Apache config
set $upstream2 127.0.0.1:8080;

ssl_certificate /var/SSL/bundle.crt;
ssl_certificate_key /var/SSL/domain.key;

ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;



location / {

proxy_pass_header Authorization;
proxy_pass http://$upstream2;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;

}
}

 

server.xml:

<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">

  <Connector port="8080"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="test.domain.com"
proxyPort="443"
scheme="https"
secure="true"/>

 

Any assistance would be greatly appreciated as I cannot figure out what would be causing this problem. 

1 answer

1 accepted

1 votes
Daniel Eads Community Champion Dec 08, 2017

Hi Mike!

Sorry to hear you're having trouble. SSL at nginx is the best way to secure Jira in my opinion (and get some speed boost from nginx), so hopefully we're able to get this straightened out together!

I have a working configuration you can take a peek at here:

https://bitbucket.org/danieleads/nginx/src

 

A few things I noticed while looking at your second configuration:

  1. I'm not sure you need the secure="true" tag in your server.xml. Let's go ahead and take that out.
  2. Based on your comment, can you double-check that Jira's base URL (you can find this on the General Configuration page in Admin) has https:// in front of the address?
  3. I didn't see anything in the nginx configuration (again I'm looking at the second one you have listed) that jumped out as a dealbreaker. However, you could definitely take pieces from my configuration if you wanted to be sure! Note that the file points to port 8090 (for Confluence), so change that to port 8080 if you copy the whole thing.
  4. (or really 3.5) Note that if you copy the whole file, you should also download the dhparam.pem file (these are diffie-helman primes - it's a good idea to not use the default ones) or comment out that line if your Jira isn't internet accessible and you don't need the extra security. You can generate your own diffie-helman primes: sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096

Let me know if this helps and if you have more questions!

Cheers,
Daniel

Daniel Eads Community Champion Dec 10, 2017

P.S. I have a writeup to go with that repo: https://danieleads.com/turbo-charging-your-confluence-with-nginx/ - try reading through this if you would like walkthrough on setup!

Hello Daniel,

Thank you so much for responding! I'm going to take a peek at your config today and try to see if I can get things working. I'll report back shortly. Thanks again!

It looks like I'm having this issue: https://confluence.atlassian.com/jirakb/how-to-fix-gadget-titles-showing-as-__msg_gadget-813697086.html

 

I'm specifically having issues with Dashboard gadgets not showing up correctly and showing _MSG_gadget in the title field. I made sure that the root cert is trusted in the cacerts certstore and passed sslpoke, but still has issues.

Found out what the issue was. I was using a temporary self-signed cert in my test environment. Even though I imported the root cert to the cacerts truststore, it still gave me issues. I setup Let's Encrypt with a proper SSL cert and it's working just fine now. Thank you again for all of your help, Daniel!

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,156 views 13 19
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot