Having extreme issues using nginx with an SSL on it with a proxy pass to our JIRA instance on the same box.
Here is my current code following Atlassian's recommendations:
nginx.conf file:
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        server_name test.domain.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443;
        server_name test.domain.com;
        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /var/SSL/bundle.crt;
        ssl_certificate_key /var/SSL/domain.key;
        # ssl_session_timeout 1d;
        # ssl_session_cache shared:SSL:50m;
        # ssl_session_tickets off;
        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        ssl_trusted_certificate /var/SSL/intermediate.cer;
        location /jira {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://test.domain.com:8080/jira;
            client_max_body_size 10M;
        }
    }
server.xml file:
    <Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
    <Connector port="8080"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"
               bindOnInit="false"
               proxyName="test.domain.com"
               proxyPort="443"
               scheme="https"
               secure="true"/>
With this method it won't even redirect. When browsing to the FQDN it simply shows me an nginx splash page.
I got it working using another method, but JIRA shows that it can't resolve to itself when using this code:
nginx.conf:
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    server {
        # The IP that you forwarded in your router (nginx proxy)
        listen 443 default_server;
        # Make site accessible from http://localhost/
        server_name test.domain.com;
        # The internal IP of the VM that hosts your Apache config
        set $upstream2 127.0.0.1:8080;
        ssl_certificate /var/SSL/bundle.crt;
        ssl_certificate_key /var/SSL/domain.key;
        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass_header Authorization;
            proxy_pass http://$upstream2;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_redirect off;
        }
    }
server.xml:
    <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
    <Connector port="8080"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"
               bindOnInit="false"
               proxyName="test.domain.com"
               proxyPort="443"
               scheme="https"
               secure="true"/>
Any assistance would be greatly appreciated as I cannot figure out what would be causing this problem.
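Both attempts in the question rely on nginx and Tomcat agreeing on the public host name, TLS port, scheme and context path. The sketch below is an added example, not part of the original post or of Atlassian's material, that cross-checks those values; the sample strings are constructed from the first configuration, and `directive` and `check_proxy_pair` are hypothetical helper names. It goes slightly beyond the first layout by also expanding simple `set $var value;` lines like the one in the second configuration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples, trimmed from the first configuration in the question.
NGINX_CONF = """
server { listen 80; return 301 https://$host$request_uri; }
server {
    listen 443;
    server_name test.domain.com;
    location /jira {
        proxy_pass http://test.domain.com:8080/jira;
    }
}
"""
SERVER_XML = """<Server><Service>
  <Connector port="8080" proxyName="test.domain.com" proxyPort="443"
             scheme="https" secure="true"/>
  <Engine><Host><Context path="/jira" docBase="atlassian-jira"/></Host></Engine>
</Service></Server>"""


def directive(name, block):
    """First argument of an nginx directive that starts a line, or None."""
    m = re.search(rf"^\s*{name}\s+([^\s;{{]+)", block, re.M)
    return m.group(1) if m else None


def check_proxy_pair(nginx_conf, server_xml, tls_port="443"):
    """Name the settings on which the nginx TLS block and server.xml disagree.
    Assumes one TLS server block with one location and one proxy_pass."""
    blocks = re.split(r"^\s*server\s*\{", nginx_conf, flags=re.M)
    tls = next(b for b in blocks if re.search(rf"listen\s+{tls_port}\b", b))
    for var, value in re.findall(r"set\s+(\$\w+)\s+([^;]+);", tls):
        tls = tls.replace(var, value)  # expand simple `set $x value;` lines
    upstream = urlsplit(directive("proxy_pass", tls))
    root = ET.fromstring(server_xml)
    conn, ctx = root.find(".//Connector"), root.find(".//Context")
    paths = {ctx.get("path").rstrip("/"), upstream.path.rstrip("/"),
             directive("location", tls).rstrip("/")}
    checks = [
        (conn.get("proxyName") == directive("server_name", tls), "proxyName vs server_name"),
        (conn.get("proxyPort") == tls_port, "proxyPort vs TLS listen port"),
        (conn.get("scheme") == "https" and conn.get("secure") == "true", "scheme/secure"),
        (conn.get("port") == str(upstream.port), "Connector port vs proxy_pass port"),
        (len(paths) == 1, "Context path vs location vs proxy_pass path"),
    ]
    return [label for ok, label in checks if not ok]
```

An empty list means the two files agree on these five points; it does not show that TLS or the redirect itself is working.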
Hi Mike!
Sorry to hear you're having trouble. SSL at nginx is the best way to secure Jira in my opinion (and get some speed boost from nginx), so hopefully we're able to get this straightened out together!
I have a working configuration you can take a peek at here:
https://bitbucket.org/danieleads/nginx/src
A few things I noticed while looking at your second configuration:
Let me know if this helps and if you have more questions!
Cheers,
Daniel
P.S. I have a writeup to go with that repo: https://danieleads.com/turbo-charging-your-confluence-with-nginx/ - try reading through this if you would like a walkthrough on setup!
Hello Daniel,
Thank you so much for responding! I'm going to take a peek at your config today and try to see if I can get things working. I'll report back shortly. Thanks again!
It looks like I'm having this issue: https://confluence.atlassian.com/jirakb/how-to-fix-gadget-titles-showing-as-__msg_gadget-813697086.html
I'm specifically having issues with Dashboard gadgets not showing up correctly and showing _MSG_gadget in the title field. I made sure that the root cert is trusted in the cacerts certstore and passed sslpoke, but it still has issues.
Found out what the issue was. I was using a temporary self-signed cert in my test environment. Even though I imported the root cert to the cacerts truststore, it still gave me issues. I set up Let's Encrypt with a proper SSL cert and it's working just fine now. Thank you again for all of your help, Daniel!