OK, I searched and searched but couldn't find a simple answer anywhere, so I dug in and I'm posting my findings hoping this will help someone else. We're running Jira in an AWS VPC behind an ELB, offloading SSL to the ELB (backend VPC traffic is http to port 8080). Everything I could find wanted additional software installed, which we didn't want to do if possible.
Below is what worked for us (may work for other Atlassian products or anything running Tomcat as a web server).
Customization if running behind an AWS ELB with SSL offloading (http between ELB and server)
1. vi /opt/atlassian/jira/conf/server.xml
#Add the below in the http connector section replacing the % variable with the appropriate information
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
proxyName="%external_fqdn%"
proxyPort="443"
scheme="https"
<change from>
redirectPort="8443"
<to>
redirectPort="443"
<remove>
useBodyEncodingForURI="true"
2. vi /opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml
#add the below inside of the <web-app> </web-app> section (pasted above <!-- General -->)
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
3. vi /opt/atlassian/jira/conf/server.xml
#add the below just above the </Host> closing argument
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https" />
4. service jira restart
#3 is important (OK, it could have been part of #1), as without it you'll get stuck in an infinite redirect loop because the ELB is sending http requests.
Also, as the ELB won't be able to route internal traffic back in (Jira server calling the ELB DNS) from the external IP address, we added a hosts file entry on the Jira machines pointing to the internal ELB address.
12/7/2017 update - the AWS ELB (ALB actually) can route traffic back in if you have a NAT gateway configured to allow the Jira server to access the internet. We have strict egress ACLs, so our Jira instance can't access the internet directly; that's why we had to use the internal ALB IP address.
Enjoy, I hope this helps someone.
*** Update 7/31/2018 ***
AWS finally supports redirects at their ALB (ELB), so you can redirect the traffic at the load balancer to https, and it's a much simpler solution. I don't believe you'll need any of the rewrite rules.
john morrissey
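An added example, not part of the original post: a Python check that reads server.xml and web.xml and reports when the settings from steps 1 to 3 are missing, including the redirect-loop case where web.xml forces CONFIDENTIAL but no RemoteIpValve reads x-forwarded-proto. The embedded files and the hostname jira.example.com are constructed samples, and the function name audit is made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the post); jira.example.com is a placeholder.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
             URIEncoding="UTF-8" proxyName="jira.example.com" proxyPort="443"
             scheme="https" redirectPort="443"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto"
           protocolHeaderHttpsValue="https"/>
  </Host></Engine></Service></Server>"""

WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
WANTED = {"scheme": "https", "proxyPort": "443", "redirectPort": "443"}


def local(tag):
    """Drop an XML namespace prefix; real web.xml files usually declare one."""
    return tag.rsplit("}", 1)[-1]


def audit(server_xml, web_xml):
    """Return a list of findings; an empty list means steps 1-3 are all in place."""
    findings = []
    server, web = ET.fromstring(server_xml), ET.fromstring(web_xml)
    for conn in server.iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            continue  # only the HTTP connector sits behind the ELB
        for attr, value in WANTED.items():
            if conn.get(attr) != value:
                findings.append(f"connector {conn.get('port')}: {attr} should be {value}")
        if not conn.get("proxyName"):
            findings.append(f"connector {conn.get('port')}: proxyName is not set")
    # Step 2 makes Tomcat redirect every request it considers non-secure.
    forces_https = any(local(e.tag) == "transport-guarantee"
                       and (e.text or "").strip() == "CONFIDENTIAL" for e in web.iter())
    # Step 3 lets Tomcat treat the request as secure based on the ELB's header.
    valve_ok = any(v.get("className") == REMOTE_IP_VALVE
                   and (v.get("protocolHeader") or "").lower() == "x-forwarded-proto"
                   for host in server.iter("Host") for v in host.iter("Valve"))
    if forces_https and not valve_ok:
        findings.append("redirect loop: CONFIDENTIAL is set but no RemoteIpValve "
                        "with protocolHeader=x-forwarded-proto inside <Host>")
    return findings
```

To use it on a real install, pass the contents of the two files edited in steps 1 to 3 instead of the sample strings.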