Using HAProxy version: 2.1.3
I made these settings in the /etc/haproxy/haproxy.cfg file:
frontend jira
    # bind :::8080 v4v6
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend jira

frontend confluence
    # bind :::8090 v4v6
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend confluence

backend jira
    balance roundrobin
    cookie JIRASESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server jira1 [IPv6 IP]:8080 check cookie jira1
    server jira2 [IPv6 IP]:8080 check cookie jira2

backend confluence
    balance roundrobin
    cookie CONFSESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server confluence1 [IPv6 IP]:8090 check cookie confluence1
    server confluence2 [IPv6 IP]:8090 check cookie confluence2
Before I added the 443 setting, the 8080 and 8090 binds worked well.
But in this case, when I restart haproxy, I get this error:
Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.
When I use journalctl -xe to see the details, I get:
...
Feb 28 17:44:21 server systemd[1]: haproxy.service: control process exited, code=exited status=1
Feb 28 17:44:21 server haproxy[30436]: Errors found in configuration file, check it with 'haproxy check'.
Feb 28 17:44:21 server systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has failed.
--
-- The result is failed.
Feb 28 17:44:21 server systemd[1]: Unit haproxy.service entered failed state.
Feb 28 17:44:21 server sudo[30429]: pam_unix(sudo:session): session closed for user root
Feb 28 17:44:21 server systemd[1]: haproxy.service failed.
Feb 28 17:44:21 server polkitd[2570]: Unregistered Authentication Agent for unix-process:30430:138824114 (system bus name :1.76278,
Why did it fail to start SYSV?
I am now using IPv6; how do I configure it correctly?
---
I made the Jira (8.6.1) configuration settings in <JIRA_INSTALL>/conf/server.xml:
Comment out:
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
           maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
           acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
Uncomment:
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
           maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
           acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
           proxyName="<subdomain>.<domain>.com" proxyPort="443"/>
Maybe it will work if I set the real proxyName.
Hi @Raw Main ,
I think you have an error because you're trying to bind port 443 for two different backends: HA Proxy can't know when it should send the requests to Jira or Confluence.
You should use the following condition in your frontend block for Confluence for example:
acl url_confluence path_beg /confluence
use_backend confluence if url_confluence
and then do the same for Jira. You should then configure Jira and Confluence to use a context path to add /jira or /confluence at the end of the URL, as described here: https://confluence.atlassian.com/jirakb/change-the-context-path-used-to-access-jira-server-225119408.html
You can have a look at this page, where a solution is given at the end for Jira and Confluence using HA Proxy: https://discourse.haproxy.org/t/multiple-backend/4490/6
Let me know if this helps,
--Alexis
Hi Alexis,
Thank you very much for your reply. It's very helpful.
One thing: I have to use subdomains, as in:
frontend jira.mysite.com
...
frontend confluence.mysite.com
...
It's not
mysite.com/jira
mysite.com/confluence
How do I configure it in this case?
Hi @Raw Main ,
You will have to use the following syntax to route based on your subdomain:
# Define hosts
acl host_jira hdr(host) -i jira.mysite.com
acl host_confluence hdr(host) -i confluence.mysite.com
## figure out which one to use
use_backend jira_backend if host_jira
use_backend confluence_backend if host_confluence
Let me know if this helps,
--Alexis
Hi @Alexis Robert ,
I think you mean:
frontend http_https
    bind *:443 ssl crt /home/user/ssl/server.pem
    http-request redirect scheme https unless { ssl_fc }
    acl host_jira hdr(host) -i jira.mysite.com
    acl host_confluence hdr(host) -i confluence.mysite.com
    use_backend jira if host_jira
    use_backend confluence if host_confluence

backend jira
    balance roundrobin
    cookie JIRASESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server jira1 [IPv6 IP]:8080 check cookie jira1
    server jira2 [IPv6 IP]:8080 check cookie jira2

backend confluence
    balance roundrobin
    cookie CONFSESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server confluence1 [IPv6 IP]:8090 check cookie confluence1
    server confluence2 [IPv6 IP]:8090 check cookie confluence2
But after I restart haproxy:
$ sudo systemctl restart haproxy
I again got the error:
Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.
When I check the details with "journalctl -xe", I get:
...
-- The result is failed.
Mar 01 14:02:41 server systemd[1]: Unit haproxy.service entered failed state.
Mar 01 14:02:41 server systemd[1]: haproxy.service failed.
Mar 01 14:02:41 server polkitd[2570]: Unregistered Authentication Agent for unix-process:5802:154774153 (system bus name :1.85445,
Mar 01 14:02:41 server sudo[5801]: pam_unix(sudo:session): session closed for user root
Mar 01 14:02:48 server sudo[5822]: user : TTY=pts/0 ; PWD=/home/user/haproxy-2.1.3 ; USER=root ; COMMAND=/bin/vi /etc/h
Mar 01 14:02:48 server sudo[5822]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 01 14:02:56 server sudo[5822]: pam_unix(sudo:session): session closed for user root
Mar 01 14:02:58 server sudo[5831]: user : TTY=pts/0 ; PWD=/home/user/haproxy-2.1.3 ; USER=root ; COMMAND=/bin/systemctl
Mar 01 14:02:58 server sudo[5831]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 01 14:02:58 server polkitd[2570]: Registered Authentication Agent for unix-process:5833:154775818 (system bus name :1.85448 [/u
Mar 01 14:02:58 server systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availa
-- Subject: Unit haproxy.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has begun starting up.
Mar 01 14:02:58 server haproxy[5839]: Enter PEM pass phrase:
Mar 01 14:02:58 server haproxy[5839]: [ALERT] 060/140258 (5843) : parsing [/etc/haproxy/haproxy.cfg:64] : 'bind *:443' : unable to
Mar 01 14:02:58 server haproxy[5839]: [ALERT] 060/140258 (5843) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Mar 01 14:02:58 server haproxy[5839]: [ALERT] 060/140258 (5843) : Fatal errors found in configuration.
Mar 01 14:02:58 server haproxy[5839]: Errors found in configuration file, check it with 'haproxy check'.
Mar 01 14:02:58 server systemd[1]: haproxy.service: control process exited, code=exited status=1
Mar 01 14:02:58 server systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has failed.
--
-- The result is failed.
Mar 01 14:02:58 server systemd[1]: Unit haproxy.service entered failed state.
Mar 01 14:02:58 server systemd[1]: haproxy.service failed.
Mar 01 14:02:58 server sudo[5831]: pam_unix(sudo:session): session closed for user root
Mar 01 14:02:58 server polkitd[2570]: Unregistered Authentication Agent for unix-process:5833:154775818 (system bus name :1.85448,
It showed:
parsing [/etc/haproxy/haproxy.cfg:64] : 'bind *:443' : unable to
Usually it is because HAProxy was installed without OpenSSH. So I tried to reinstall haproxy from source:
make TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1
sudo make install
Then I can find OpenSSL there:
$ haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
I ran this check, following https://discourse.haproxy.org/t/haproxy-not-starting-with-ssl-configuration/2330 :
haproxy -c -f haproxy.cfg
It asks me to input the pass phrase:
Enter PEM pass phrase:
I only have a .csr file and a .pem file (maybe they weren't created by OpenSSL). I don't know the pass phrase.
How do I use it correctly?
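A service start has no terminal at which to answer the `Enter PEM pass phrase:` prompt shown in the log above, so it helps to establish what the file given to `crt` actually contains. The shell check below is an added example, not part of the original thread; `pem_summary` is a hypothetical helper, and the sample files are constructed placeholders that carry only PEM armor lines.

```shell
# Added example: summarise a PEM file intended for HAProxy's "bind ... ssl crt FILE".
# Reads only armor/header lines; it never parses or prints key material.
pem_summary() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        key=encrypted      # PKCS#8 key protected by a pass phrase
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        key=encrypted      # traditional RSA/EC key protected by a pass phrase
    elif grep -Eq -- '-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$f"; then
        key=plaintext      # can be loaded without a prompt
    else
        key=missing        # certificate-only or CSR-only file
    fi
    echo "certs=$certs key=$key"
}

# Constructed sample files (bodies are placeholders, not real keys).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/encrypted.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,(placeholder)

(placeholder)
-----END RSA PRIVATE KEY-----
EOF
cat > "$demo_dir/csr_only.pem" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
(placeholder)
-----END CERTIFICATE REQUEST-----
EOF
cat > "$demo_dir/usable.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(placeholder)
-----END PRIVATE KEY-----
EOF
for name in encrypted csr_only usable; do
    printf '%s.pem: %s\n' "$name" "$(pem_summary "$demo_dir/$name.pem")"
done
```

A result of `key=encrypted` matches the prompt seen during `haproxy -c`; `key=missing` means the file holds no private key at all, which is what a CSR or a certificate on its own would give.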
If anyone runs across this post in the future I wanted to add the probable fix. I'd wager that selinux was blocking haproxy from binding to 443. I only post this because the changes Alexis pointed out and made to the haproxy.cfg definitely would've stopped haproxy from starting as well.
If your config checks out with 'haproxy -c -f /etc/haproxy/haproxy.cfg' but the service fails to start on a system with selinux, it's selinux.
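To confirm an SELinux cause rather than infer it, the audit log can be searched for denials recorded against the haproxy process. The function below is an added example, not part of the original thread, and it goes beyond the port-bind case to also report denied backend connections and denied file reads (such as a certificate stored in a home directory). `haproxy_avc_denials` is a hypothetical name and the log lines are constructed samples in auditd's AVC format.

```shell
# Added example: list SELinux denials logged for haproxy as "PERMISSION TARGET".
# name_bind = listening port, name_connect = backend port, read/open = file name.
haproxy_avc_denials() {
    grep 'avc:  *denied' "$1" | grep 'comm="haproxy"' |
    sed -n -E \
        -e 's/.*\{ (name_bind|name_connect) \}.* (src|dest)=([0-9]+).*/\1 \3/p' \
        -e 's/.*\{ (read|open) \}.* name="([^"]+)".*/\1 \2/p' |
    LC_ALL=C sort -u
}

# Constructed sample audit log (not taken from the thread).
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
type=AVC msg=audit(1583071378.412:901): avc:  denied  { name_bind } for  pid=5843 comm="haproxy" src=8404 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1583071379.020:902): avc:  denied  { name_bind } for  pid=5851 comm="haproxy" src=8404 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1583071380.115:903): avc:  denied  { name_connect } for  pid=5851 comm="haproxy" dest=8090 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1583071381.300:904): avc:  denied  { read } for  pid=5851 comm="haproxy" name="server.pem" dev="dm-0" ino=131099 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583071382.777:905): avc:  denied  { name_bind } for  pid=6001 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
haproxy_avc_denials "$sample_log"
```

On a host running auditd the function can be pointed at /var/log/audit/audit.log, and `getenforce` shows whether SELinux is enforcing at all. An empty result means no haproxy denial was logged, so the start failure has another cause.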