I am using Ubuntu 18.04 as my OS. I am looking at setting up Jira to utilize HTTPS instead of HTTP as this is going to be accessible on the outside. Currently, I have already set up the Apache Reverse Proxy using HTTP.
I have read multiple articles regarding creating a cert and one place recommended using Portecle, but it has to be used on the server itself. Seeing as the server is a Linux box, that isn't the case.
My question is what have you guys used in the past for creating a CSR for Jira? Would utilizing openssl work? We are looking at buying the SSL Cert through our website hosting company so that we don't have to renew the cert every 90 days.
Please let me know your thoughts.
Thank you in advance!
Hi @John Chuma ,
I usually give 2 options when asked about SSL certs:
To implement HTTPS, I recommend doing so using Apache as a reverse proxy; it's way easier than trying to set up the cert in Jira itself (you need to import it into Tomcat with another tool, not very user friendly and quite complex).
There is a very good documentation page on setting up HTTPS with Apache; you can simply follow the steps described there and you should not have any problems.
Let me know if you have any questions,
--Alexis
Hi Alexis,
Thank you for the quick response. We are going to purchase the cert for 2 years. I have already set up the Apache Reverse Proxy via HTTP and it works well.
I read through the documentation page and it was one of the articles I have already read. I was wondering if I should just create the CSR using openssl instead of using the Portecle application, which is referenced here.
Thank you in advance!
John
I usually create the CSR with openssl on the command line. I'm sure your certificate provider has documentation available on how to proceed if you need help.
There are only a few commands needed; it's not very complex. For example, creating a CSR is done with one command:
openssl req -new -key certificate.key -out certificate.csr -sha256
Let me know if you have any questions,
--Alexis
Alexis,
Thank you for the info. As of right now, I have my http reverse proxy working without any challenges.
Within my reverse proxy virtual host, I have set up the HTTPS virtual host (see below for the config; it's slightly redacted for privacy reasons. To get the HTTP proxy to work again, I commented out the HTTPS virtual host).
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName jira.domain.com
ProxyRequests off
ProxyVia off
<Proxy *>
Require all granted
</Proxy>
ProxyPass /jira http://X.X.X.X:8080/jira
ProxyPassReverse /jira http://X.X.X.X:8080/jira
#ServerAdmin webmaster@localhost
#DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
#<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
# ServerName jira.domain.com:443
#SSLEngine on
# SSLCertificateFile /path/to/cert/file/certName.crt
# SSLCertificateKeyFile /path/to/cert/file/jira.domain.com.key
# SSLCertificateChainFile /path/to/cert/file/certBundle.crt
# ProxyVia off
# <Proxy *>
# Require all granted
# </Proxy>
# ProxyPass /jira http://X.X.X.X:8443/jira
# ProxyPassReverse /jira http://X.X.X.X:8443/jira
#ServerAdmin webmaster@localhost
#DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
# ErrorLog ${APACHE_LOG_DIR}/error.log
# CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
#</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
When I attempt to light up the https tomcat connector, it doesn't load and jira doesn't start. I am sure it's something silly. I have included my connectors below.
<Service name="Catalina">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy for unproxied access to Jira.
If using a http/https proxy, comment out this connector.
==============================================================================================================
-->
<!-- Relaxing chars because of JRASERVER-67974
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false"
proxyName="jira.domain.com" proxyPort="80" scheme="http"/>
-->
<!--
==============================================================================================================
HTTP - Proxying Jira via Apache or Nginx over HTTP
If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
See the following for more information:
Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->
<!-- -->
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
proxyName="jira.domain.com" proxyPort="80"/>
<!--
==============================================================================================================
HTTPS - Proxying Jira via Apache or Nginx over HTTPS
If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
See the following for more information:
Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->
<!--
<Connector port="443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
proxyName="jira.domain.com" proxyPort="443"/>
-->
<!--
Please let me know if you need any additional information.
Thank you for your help thus far, it is much appreciated.
John
Hi @John Chuma ,
I think in your server.xml you need to comment out the HTTP connector and uncomment the "HTTPS - Proxying Jira via Apache or Nginx over HTTPS" connector block (that's the one at the very end of your server.xml file).
In Apache, your vhost should not mention port 8443 but simply use the default port 443 mentioned in the HTTPS connector.
You will have to change the following settings in server.xml:
proxyName="jira.domain.com" proxyPort="443"
Let me know how it goes.
--Alexis
Alexis,
I made the changes and now I am receiving an error 404
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
I have commented out the default connector as well as the http reverse proxy connector. Here is what my HTTPS Reverse proxy connector looks like:
HTTPS - Proxying Jira via Apache or Nginx over HTTPS
If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
See the following for more information:
Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->
<--
<Connector port="443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
proxyName="jira.domain.com" proxyPort="443"/>
-->
Here is my updated vhost config:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName JIRA.domain.com
ProxyRequests off
ProxyVia off
<Proxy *>
Require all granted
</Proxy>
ProxyPass /jira http://X.X.X.X:8080/jira
ProxyPassReverse /jira http://x.x.x.x:8080/jira
#ServerAdmin webmaster@localhost
#DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName JIRA.DOMAIN.com:443
SSLEngine on
SSLCertificateFile /path/to/cert/loc/cert.crt
SSLCertificateKeyFile /path/to/cert/loc/jira.domain.com.key
SSLCertificateChainFile /path/to/cert/loc/bundle.crt
ProxyRequests off
ProxyVia off
<Proxy *>
Require all granted
</Proxy>
ProxyPass /jira http://x.x.x.x:443/jira
ProxyPassReverse /jira http://x.x.x.x:443/jira
#ServerAdmin webmaster@localhost
#DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Thank you in advance!
John
Hi @John Chuma ,
in server.xml, you need to change:
Connector port="443"
to
Connector port="8080"
as this refers to your Jira instance port (should be 8080 if you haven't changed it).
In Apache, you need to change:
ProxyPass /jira http://x.x.x.x:443/jira
ProxyPassReverse /jira http://x.x.x.x:443/jira
to
ProxyPass /jira http://x.x.x.x:8080/jira
ProxyPassReverse /jira http://x.x.x.x:8080/jira
Let me know how it goes,
--Alexis
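The port and scheme alignment worked out in this thread can be checked mechanically before restarting either service. The script below is an added example, not code from the thread or from Atlassian: it compares a TLS-terminating Apache vhost with the active Tomcat connectors, and flags a plain-HTTP backend on the TLS port as a heuristic for the "speaking plain HTTP to an SSL-enabled server port" error. The host name, IP address, sample configs and function names are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples; the host name and IP address are placeholders.
VHOST = """<VirtualHost *:443>
    ServerName jira.example.com:443
    SSLEngine on
    ProxyPass /jira http://192.0.2.10:8080/jira
    ProxyPassReverse /jira http://192.0.2.10:8080/jira
</VirtualHost>"""
SERVER_XML = """<Service name="Catalina">
  <!-- <Connector port="8080" scheme="http" proxyName="jira.example.com" proxyPort="80"/> -->
  <Connector port="8080" protocol="HTTP/1.1" secure="true" scheme="https"
             proxyName="jira.example.com" proxyPort="443"/>
</Service>"""

def directive(vhost, name):
    """Argument lists of every uncommented occurrence of an Apache directive."""
    pattern = rf"^[ \t]*{name}[ \t]+(.+)$"
    return [m.group(1).split() for m in re.finditer(pattern, vhost, re.M | re.I)]

def check(vhost, server_xml):
    """Return mismatches between a reverse-proxy vhost and Tomcat's connectors."""
    problems = []
    vport = re.search(r"<VirtualHost\s+[^>\s]*:(\d+)\s*>", vhost, re.I).group(1)
    tls = any(args[0].lower() == "on" for args in directive(vhost, "SSLEngine"))
    name = directive(vhost, "ServerName")[0][0].split(":")[0].lower()
    fwd = directive(vhost, "ProxyPass")[0][1]
    rev = directive(vhost, "ProxyPassReverse")[0][1]
    if fwd.lower() != rev.lower():
        problems.append("ProxyPass and ProxyPassReverse point at different backends")
    backend = urlsplit(fwd)
    bport = str(backend.port or 80)
    if tls and backend.scheme == "http" and bport == vport:
        problems.append(f"plain-HTTP backend on TLS port {vport}")
    # ElementTree skips XML comments, so commented-out connectors are ignored.
    active = {c.get("port"): c for c in ET.fromstring(server_xml).iter("Connector")}
    conn = active.get(bport)
    if conn is None:
        return problems + [f"no active Connector on backend port {bport}"]
    want = {"scheme": "https" if tls else "http", "proxyPort": vport, "proxyName": name}
    if tls:
        want["secure"] = "true"
    for attr, expected in want.items():
        if (conn.get(attr) or "").lower() != expected:
            problems.append(f"Connector {attr}={conn.get(attr)!r}, expected {expected!r}")
    return problems

if __name__ == "__main__":
    print(check(VHOST, SERVER_XML) or "vhost and connector agree")
```

An empty list means the vhost's public port, scheme and host name match what the connector on the backend port advertises through proxyPort, scheme, secure and proxyName.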
Hi Alexis,
That worked after I fixed some issues with Jira not starting due to some extra code in the server.xml file. Currently, it's up and running and I am able to access it outside my network.
Thank you for your help in this, it is much appreciated.
Have a great day and enjoy the weekend!
John