Jira Apache ajp proxy redirect to https

Jared O'Brien May 4, 2017

Hi,

I have just finished configuring the apache AJP with an ssl certificate. I would now like to use Apache's rewrite/redirect engine to redirect our landing page to https. I have tried using the following:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

and also

Redirect permanent / https://help.example.org/

I've set my Jira base URL to https://help.example.org

My virtual hosts look like this

<VirtualHost *:80>

ServerName help.example.org
ProxyRequests Off
ProxyVia Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ajp://help.example.org:8009/ retry=0
ProxyPassReverse / http://help.example.org:8009/

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Redirect permanent / https://help.example.org/

</VirtualHost>

<VirtualHost _default_:443>

ServerName help.example.org
ProxyRequests Off
ProxyVia Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:+SSLv3
SSLCertificateFile "conf/ssl.crt/jira3.crt"
#SSLCertificateFile "conf/ssl.crt/intermed.crt"
SSLCertificateKeyFile "conf/ssl.key/jira.key"
SSLCertificateChainFile "conf/ssl.crt/example_.pem"
SSLProtocol all -SSLv2
SSLEngine on
SSLProxyEngine on
SSLVerifyClient optional
SSLVerifyDepth 2
ProxyPreserveHost on
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ajp://help.example:8009/ retry=0
ProxyPassReverse / http://help.exampleorg:8009/

</VirtualHost>

I have noticed that browsing to http://help.example.org automatically redirects to http://help.example.org/secure/dashboard.jspa. I think this is my problem, because my rewrite code is targeting a landing page of .org/ instead of secure/dashboard.jspa

I have tried a number of possible Rewrite Engine solutions and have not had any luck. Has anyone successfully set up a login page redirect?

 Thanks,

Jared

2 answers

1 accepted

1 vote
Answer accepted
josh
Rising Star
May 4, 2017

Hi Jared,

You should only use your Port 80 VirtualHost to forward requests to HTTPS. This way it forces all users to use HTTPS, and your JIRA base url must also be set to your HTTPS url.  I also added a port 8080 virtualhost to make sure old links are preserved and forwarded to the new URL when I moved from HTTP to HTTPS.

Here are some examples that worked for me:

httpd.conf (port 80 and 8080)

<VirtualHost *:80>

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://jirahostname.domain.com%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:8080>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://jirahostname.domain.com%{REQUEST_URI}
</VirtualHost>

ssl.conf (port 443)

<VirtualHost _default_:443>
ServerName jirahostname.domain.com:443

SSLCertificateFile /path/to/certfile
SSLCertificateKeyFile /path/to/keyfile
SSLCertificateChainFile /path/to/chainfile

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ajp://127.0.0.1:8009/
ProxyPassReverse / ajp://127.0.0.1:8009/
ProxyTimeout 600
RemoteIPHeader X-Forwarded-For

</VirtualHost>

 

Jared O'Brien May 4, 2017

Hi Josh,

Thanks so much for the response! I've just adjusted my vhost config and rebooted apache but still no luck. Thank you for the suggestion on using the *80 vhost just to forward, it makes sense.  

Would you be able to show me what your tomcat connectors look like? Also, when I run config.bat the profile is set to https only, and the https port is listed as 8080, what should my config.bat's fields look like?

Having just (partially) successfully set this config up, I am still a bit undereducated on the subject, and still not fully confident that I've done it correctly. Thank you for any assistance you can provide.

josh
Rising Star
May 4, 2017

Hi Jared,

I think you mean to look for /installdir/conf/server.xml? This is where the tomcat connectors are set up.

All I did for AJP was to uncomment the example listed there. I also have another connector where I use port 8081 as a back-door where I can get to JIRA bypassing the proxy if the need should arise.

Make sure your connector tags are not surrounded by <!-- and -->

 

server.xml:

        <Connector port="8081"
                   maxThreads="150"
                   minSpareThreads="25"
                   connectionTimeout="20000"
                   enableLookups="false"
                   maxHttpHeaderSize="8192"
                   protocol="HTTP/1.1"
                   useBodyEncodingForURI="true"
                   redirectPort="8443"
                   acceptCount="100"
                   disableUploadTimeout="true"
                   bindOnInit="false"/>

        <Connector port="8009" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8"/>

 

josh
Rising Star
May 4, 2017

Also, I copied only some parts of my apache ssl.conf vhost, you should still use the SSLProtocol and SSLCipherSuite directives that I omitted.
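
An added example, not code from any of the posters: a Python check over Apache virtual hosts that reports a ProxyPass left in a non-TLS vhost, an SSLProtocol line that does not exclude SSLv3, and an SSLCipherSuite that names RC4. The sample config is constructed by condensing the question's two virtual hosts; the function names are hypothetical.

```python
import re

# Constructed sample, condensed from the two virtual hosts in the question.
SAMPLE_CONF = """
<VirtualHost *:80>
ProxyPass / ajp://help.example.org:8009/ retry=0
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:+SSLv3
ProxyPass / ajp://help.example.org:8009/ retry=0
</VirtualHost>
"""

def parse_vhosts(conf):
    """Map each <VirtualHost> address to its list of (directive, args) pairs."""
    vhosts, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = vhosts.setdefault(opened.group(1).strip(), [])
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            name, *rest = line.split(None, 1)
            current.append((name.lower(), rest[0] if rest else ""))
    return vhosts

def audit(conf):
    """Return (vhost, finding) pairs; hypothetical helper, not an Apache tool."""
    findings = []
    for addr, directives in parse_vhosts(conf).items():
        d = dict(directives)  # last occurrence wins, which is enough here
        if d.get("sslengine", "off").lower() != "on" and "proxypass" in d:
            findings.append((addr, "ProxyPass in a vhost without SSLEngine on"))
        proto = d.get("sslprotocol", "").lower().split()
        if "all" in proto and "-sslv3" not in proto:
            findings.append((addr, "SSLProtocol does not exclude SSLv3"))
        # Only explicit RC4 tokens are checked, not what ALL/HIGH expand to.
        ciphers = [c for c in d.get("sslciphersuite", "").upper().split(":") if c]
        if any("RC4" in c and c[0] not in "!-" for c in ciphers):
            findings.append((addr, "SSLCipherSuite enables RC4"))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(f"{addr}: {finding}")
```
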

0 votes
Lars Olav Velle
Rising Star
May 4, 2017

Jared, I think this is standard behavior. It's tomcat that redirects you to /secure/dashboard.jspa.

Lars
