SSL(HTTPS) for Jira & Confluence

Hello -  We have recently enabled SSL for jira and confluence (test environment), through limited validation it looks like https site is working as expected. However we want to test thoroughly before it's rolled off to prod.

SSL is enabled at HAPROXY (SSL off-loading @ haproxy) and hence very limited changes are done at Jira and Conf side.

We have setup haproxy in a way all http connections are redirected to https and jira,confluence setup knows the proxy details. PFB details -

haproxy setup:

=========

frontend jira_uat
bind *:80 name http
bind *:443 ssl crt /root/certs/corp.pem
mode http
option socket-stats
redirect prefix https://testjira.corp.com code 301 if { hdr(host) -i testjira }
acl jira hdr_end(host) -i testjira.corp.com
acl homepath path /
redirect location /jira/secure/Dashboard.jspa if jira homepath
use_backend jiraapp if jira
redirect prefix https://testconflu.corp.com code 301 if { hdr(host) -i testconflu }
acl conflu hdr_end(host) -i testconflu.corp.com
acl homepath path /
redirect location /confluence/login.action?login.action if conflu homepath
use_backend confluapp if conflu

backend jiraapp
mode http
redirect scheme https code 301 if !{ ssl_fc }
server jira 192.1.1.1:8080 check

backend confluapp
mode http
redirect scheme https code 301 if !{ ssl_fc }
server conflu 192.1.1.1:8090 check

 

JIRA (Server.xml) Setup

===============

<Connector port="8080"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
secure="true"
scheme="https"
proxyName="haproxy.corp.com"
proxyPort="443"/>

 

Can you pl suggest on -

1. Does the above setup look good?

2. Is updating base URL to HTTPS necessary as HTTP TO HTTPS redirection is taken care of at haproxy level?

3. We have no. of custom plugins on both jira and confluence, do we need to test the functionality post https enablement? i.e is there any change of custom plugins braking post ssl

4. There numerous images having hard coded (http) link on jira and confluence database. Do we need to change them to https?

5. One minor issue observed is - post https enablement, after login - default dashborad page isn't loaded properly, we had to cliear cache or access in incognito to get proper dashbooard page rendered. Is there a method to clear cache at application level after ssl enablement?

 

Thanks in advance.

 

- Regards

Narayan

1 answer

Hi,

what Confluence / Jira version are you refering to?

I cant't tell you anything about haproxy, but with the supported proxys you should change the base URL to https, otherwise you will have certain image URLs (you already found that out) that will render with http protocol. This will lead to a security warning in variuos browsers (Insecure content).

Suggest an answer

Log in or Sign up to answer
Community showcase
Published yesterday in Jira Ops

Jira Ops Early Access Program Update #2: Let’s talk severity levels

Welcome to your weekly Jira Ops Early access program update, where we’re sharing news and updates on Jira Ops' progress as we work toward our 1.0 release. If you ever want to drop us feedback or idea...

25 views 0 0
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you