nginx and JIRA issue

Mike W December 8, 2017

Having extreme issues using nginx with an SSL on it with a proxy pass to our JIRA instance on the same box.

Here is my current code following Atlassian's recommendations:

nginx.conf file:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name test.domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443;
    server_name test.domain.com;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /var/SSL/bundle.crt;
    ssl_certificate_key /var/SSL/domain.key;
    # ssl_session_timeout 1d;
    # ssl_session_cache shared:SSL:50m;
    # ssl_session_tickets off;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_trusted_certificate /var/SSL/intermediate.cer;
    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://test.domain.com:8080/jira;
        client_max_body_size 10M;
    }
}

server.xml file:

<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">

<Connector port="8080"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"
           proxyName="test.domain.com"
           proxyPort="443"
           scheme="https"
           secure="true"/>

With this method it won't even redirect. When browsing to the FQDN it simply shows me an nginx splash page.

I got it working using another method, but JIRA shows that it can't resolve to itself when using this code:

nginx.conf:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 443 default_server;

    # Make site accessible from http://localhost/
    server_name test.domain.com;

    # The internal IP of the VM that hosts your Apache config
    set $upstream2 127.0.0.1:8080;

    ssl_certificate /var/SSL/bundle.crt;
    ssl_certificate_key /var/SSL/domain.key;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

server.xml:

<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">

<Connector port="8080"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"
           proxyName="test.domain.com"
           proxyPort="443"
           scheme="https"
           secure="true"/>

Any assistance would be greatly appreciated as I cannot figure out what would be causing this problem. 

Answer accepted
Daniel Eads _unmonitored account_
Rising Star
December 8, 2017

Hi Mike!

Sorry to hear you're having trouble. SSL at nginx is the best way to secure Jira in my opinion (and get some speed boost from nginx), so hopefully we're able to get this straightened out together!

I have a working configuration you can take a peek at here:

https://bitbucket.org/danieleads/nginx/src

A few things I noticed while looking at your second configuration:

  1. I'm not sure you need the secure="true" tag in your server.xml. Let's go ahead and take that out.
  2. Based on your comment, can you double-check that Jira's base URL (you can find this on the General Configuration page in Admin) has https:// in front of the address?
  3. I didn't see anything in the nginx configuration (again I'm looking at the second one you have listed) that jumped out as a dealbreaker. However, you could definitely take pieces from my configuration if you wanted to be sure! Note that the file points to port 8090 (for Confluence), so change that to port 8080 if you copy the whole thing.
  4. (or really 3.5) Note that if you copy the whole file, you should also download the dhparam.pem file (these are Diffie-Hellman primes - it's a good idea to not use the default ones) or comment out that line if your Jira isn't internet accessible and you don't need the extra security. You can generate your own Diffie-Hellman primes: sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096

Let me know if this helps and if you have more questions!

Cheers,
Daniel
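
For the setup discussed in this thread, the nginx `server_name` and `location`, the Tomcat Connector's `proxyName`/`proxyPort`/`scheme`, the Context path and Jira's base URL all need to describe the same public URL. The checker below is an added example, not part of the original posts or of Daniel's repository; the function name `check_proxy_alignment` and both sample configs are constructed for illustration, and it assumes plain prefix locations and a literal `proxy_pass` address.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples modelled on the second configuration in the question.
NGINX_CONF = """
server {
    listen 443 default_server;
    server_name test.domain.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""
SERVER_XML = """
<Service name="Catalina">
  <Connector port="8080" proxyName="test.domain.com" proxyPort="443" scheme="https"/>
  <Engine name="Catalina"><Host name="localhost">
    <Context path="" docBase="atlassian-jira"/>
  </Host></Engine>
</Service>
"""

def check_proxy_alignment(nginx_conf, server_xml, base_url):
    """Return mismatches between nginx, Tomcat and Jira's base URL (empty list = aligned)."""
    findings = []
    url = urlparse(base_url)
    public_port = str(url.port or (443 if url.scheme == "https" else 80))
    base_path = url.path.rstrip("/")      # "" for a root deployment, "/jira" otherwise
    want_location = base_path or "/"
    root = ET.fromstring(server_xml)
    conn, ctx = root.find(".//Connector"), root.find(".//Context")
    # Tomcat builds redirects and absolute links from these three attributes.
    for attr, want in (("proxyName", url.hostname), ("proxyPort", public_port), ("scheme", url.scheme)):
        if conn.get(attr) != want:
            findings.append(f"Connector {attr}={conn.get(attr)!r}, base URL implies {want!r}")
    if ctx.get("path", "").rstrip("/") != base_path:
        findings.append(f"Context path={ctx.get('path')!r}, base URL path is {base_path!r}")
    names = re.findall(r"^\s*server_name\s+([^;]+);", nginx_conf, re.M)
    if not any(url.hostname in n.split() for n in names):
        findings.append(f"no server_name matches {url.hostname!r}")
    locations = re.findall(r"^\s*location\s+(\S+)\s*\{", nginx_conf, re.M)
    if want_location not in locations:
        findings.append(f"no nginx location for {want_location!r}")
    upstream = re.search(r"proxy_pass\s+(\S+);", nginx_conf)
    if upstream and urlparse(upstream.group(1)).path.rstrip("/") != base_path:
        findings.append(f"proxy_pass path differs from context path {base_path!r}")
    return findings
```

Run it with the base URL shown on Jira's General Configuration page; a base URL saved as `http://` instead of `https://` shows up as `proxyPort` and `scheme` mismatches.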

Daniel Eads _unmonitored account_
December 10, 2017

P.S. I have a writeup to go with that repo: https://danieleads.com/turbo-charging-your-confluence-with-nginx/ - try reading through this if you would like a walkthrough on setup!

Mike W December 11, 2017

Hello Daniel,

Thank you so much for responding! I'm going to take a peek at your config today and try to see if I can get things working. I'll report back shortly. Thanks again!

Mike W December 11, 2017

It looks like I'm having this issue: https://confluence.atlassian.com/jirakb/how-to-fix-gadget-titles-showing-as-__msg_gadget-813697086.html

I'm specifically having issues with Dashboard gadgets not showing up correctly and showing _MSG_gadget in the title field. I made sure that the root cert is trusted in the cacerts certstore and passed sslpoke, but still has issues.

Mike W December 11, 2017

Found out what the issue was. I was using a temporary self-signed cert in my test environment. Even though I imported the root cert to the cacerts truststore, it still gave me issues. I set up Let's Encrypt with a proper SSL cert and it's working just fine now. Thank you again for all of your help, Daniel!
