Can't adjust Application links between Confluence & Jira with separate Nginx proxy server.

Mikhail Shitikov August 2, 2019

Hello Colleagues.

  • I have the Confluence & Jira applications installed on one single virtual machine
    with CentOS 7 (virtual machine, abbreviated VM from here on).
  • Also, for the HTTPS proxy (Let's Encrypt SSL certs) I created another single VM with Nginx. All FQDN requests will be handled on this machine.

Take a look at the schema below:

issue_picture.jpg

POINT №1

=> Edit the hosts file, just because I want to use domain names in the NginX configuration instead of IP addresses:

root@proxy1:/# cat /etc/hosts

127.0.0.1 localhost
192.168.1.2 confluence.mydomain.com
192.168.1.2 jira.mydomain.com

=> Nginx virtual host configuration; the config listed here is for Jira, for Confluence it's the same configuration:

server {
    server_name jira.mydomain.com;

    location / {
        proxy_pass http://jira.mydomain.com:8080/;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/jira.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jira.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = jira.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name jira.mydomain.com;
    return 404; # managed by Certbot
}


POINT №2 => Tomcat

  • Tomcat for Confluence:

    Tomcat adjusted like “HTTPS - Proxying Confluence & JIRA via Apache or Nginx over HTTPS”

    nano /opt/atlassian/confluence/conf/server.xml
    <Connector port="8090" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
               maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
               maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
               acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
               proxyName="confluence.mydomain.com" proxyPort="443"/>
  • Tomcat for JIRA:

    Tomcat adjusted like “HTTPS - Proxying Confluence & JIRA via Apache or Nginx over HTTPS”

    nano /opt/atlassian/jira/conf/server.xml
    <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
               maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
               maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
               acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
               proxyName="jira.mydomain.com" proxyPort="443"/>

POINT №3 => Internal traffic interaction

  • For Confluence. Also, for internal traffic interaction without NginX handling, I have made an additional connector for this application connection:

    Confluence works on http://192.168.1.2:8081
    <Connector port="8081" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
               enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />
  • For JIRA internal traffic interaction I made a Tomcat connector:

    Jira works on http://192.168.1.2:8082
    <Connector port="8082" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
               enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />


! Also, on this VM for the Atlassian applications I opened these ports:

firewall-cmd --permanent --zone=public --add-port=5432/tcp
firewall-cmd --permanent --zone=public --add-port=8090/tcp
firewall-cmd --permanent --zone=public --add-port=8000/tcp
firewall-cmd --permanent --zone=public --add-port=8005/tcp
firewall-cmd --permanent --zone=public --add-port=8091/tcp
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=8081/tcp
firewall-cmd --permanent --zone=public --add-port=8082/tcp
firewall-cmd --reload

In addition, I edited the hosts file; I don't like to use IP addresses in configuration files, to avoid difficulties with reconfiguration if I need to change the IP addresses of my VMs.

[root@atl1 /]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 atl1.mydomain.com atl1
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 atl1.mydomain.com atl1

192.168.1.3 db1.mydomain.com # Remote DB PostgreSQL



I added the Jira application in the Confluence panel Administration -> Application Links:

2019-08-02_18-26-14 2.png

2019-08-02_18-46-21.png

I added the Confluence application in the Jira panel Administration System -> Applications -> Application Links:

2019-08-02_18-56-09.png

2019-08-02_18-52-53.png

I ran into an issue with the interaction of these two applications!

ISSUE №1  => When I am logged in, this switching between applications works well 

12333.jpg

But when I'm logged out of Confluence, Confluence tells me "Something went wrong, please try again." But when I'm logged out of Jira, the switch button in Jira works well.

2019-08-02_19-41-29.jpg

ISSUE №2  => When I'm logged in to Confluence, the link to Jira opens in a modal window, but when I click on the ticket, Confluence tells me:

The provided url is not included in the whitelist!

2019-08-02_20-09-09.png

2019-08-02_20-12-41.png

Any ideas? What went wrong, where is the mistake in both of these issues?
If you want to help, please, let's discuss this case.

3 answers

2 accepted

0 votes
Answer accepted
Mikhail Shitikov August 7, 2019

Thank you Daniel,

  1. I reconfigured these applications before getting your answer. Probably I made a mistake somewhere in the previous configuration; now it works fine. These addresses were added automatically to the whitelist. But your recommendations sound good; I think this is a workable resolution and I guess it would have helped me.

    confl_answ.jpg
  2. I still have an issue with the button switcher. The navigator button doesn't work if the user is not authenticated. I see the message "Something went wrong, please try again." I have found Trouble Ticket CONFSERVER-58238 here describing this issue, but I can see Affects Version/s: 6.13.0, 6.14.0, 6.15.2, but in my case, the version is 6.15.7.

    appswitcher-fail.png

Does anybody have any idea how to fix this issue?

Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 7, 2019

Great find - given that 6.15.2 is affected and the ticket hasn't been marked as fixed, it's fair to say that 6.15.7 is affected as well. Watching the ticket is the best way to stay informed on progress (it will need to be fixed in a future version of Confluence).

There is a workaround posted on the issue:

Enabling Anonymous access in Global Permissions is a possible workaround, since this is caused by an unauthorized request. As long as the spaces don't allow Anonymous access, no content will be visible.

0 votes
Answer accepted
Daniel Eads
Atlassian Team
August 6, 2019

Hey Mikhail,

First of all, thank you for the very detailed writeup! I found it very easy to follow and determine the problem you're facing and have all the necessary information to recommend a fix.

So the short story seems to be that Confluence got confused with the different URLs in use and only added part of what you need to its internal CORS whitelist. Confluence and Jira try to manage this automatically when you add application links, so in most circumstances you wouldn't need to fiddle with the whitelist.

The application URL (localhost:8082) configured for the link in Confluence is different than what Jira's base URL is configured for (https://jira.mydomain.com). When Confluence went to add the application URL to the whitelist, it likely used the localhost value. This is mostly good because it's the proxy bypass you set up, but it's also not matching how Jira is trying to write its URLs. That's causing the problem you're seeing when it complains the URL isn't in the whitelist - Jira is using its base URL but Confluence doesn't trust that separate non-localhost URL.

So, the fix is that you'll want to add Jira's base URL to the whitelist in Confluence. We've got a KB article about how to do this here, but for your convenience I've copied over the steps:

  1. Go to  > General Configuration > Whitelist
  2. Enter the URL or expression you want to allow (https://jira.mydomain.com).
  3. Choose the Type of expression (for you it will be Domain name).
  4. Choose Allow Incoming if you need to allow CORS requests.
  5. Choose Add

 

Have a run at that and see if the errors clear up! Newer versions of Confluence also have a test section on the Whitelist page that can help diagnose problems with particular URLs.

image.png

Cheers,
Daniel
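
The mismatch described in the answer above, as an added example that is not part of the original post and not Atlassian's code: it compares the origin the application link was created with against the origin Jira writes into its links, and lists which emitted URLs a whitelist would reject. Assumptions: a "Domain name" whitelist entry is modelled as a scheme/host/port comparison, the whitelist before the fix holds only the link's application URL, and the issue key `DEMO-1` is hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Reduce a URL to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def blocked(urls, whitelist):
    """URLs whose origin matches no entry (assumed model of a 'Domain name' rule)."""
    allowed = {origin(entry) for entry in whitelist}
    return [u for u in urls if origin(u) not in allowed]


def audit_link(application_url, base_url, whitelist, sample_paths=("/",)):
    """Compare the URL the link was created with against the URLs the remote app emits."""
    emitted = [base_url.rstrip("/") + path for path in sample_paths]
    return {
        "origins_differ": origin(application_url) != origin(base_url),
        "application_url_allowed": not blocked([application_url], whitelist),
        "blocked_emitted_urls": blocked(emitted, whitelist),
    }


# Constructed sample values mirroring the thread: the link was created with the
# proxy-bypass address, while Jira writes its links with the public base URL.
APPLICATION_URL = "http://localhost:8082"
BASE_URL = "https://jira.mydomain.com"
PATHS = ("/browse/DEMO-1",)  # hypothetical issue key

BEFORE = ["http://localhost:8082"]              # assumed: only the application URL was added
AFTER = BEFORE + ["https://jira.mydomain.com"]  # after adding Jira's base URL by hand

if __name__ == "__main__":
    print("before:", audit_link(APPLICATION_URL, BASE_URL, BEFORE, PATHS))
    print("after: ", audit_link(APPLICATION_URL, BASE_URL, AFTER, PATHS))
```

An `http://` entry does not cover the `https://` base URL in this model, because the scheme and default port are part of the comparison.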

0 votes
Mikhail Shitikov August 7, 2019

Thanks all
