I've got a clean JIRA 7.5.2 install running on CentOS. It uses the default 8080 port for http requests, and I've also enabled an SSL certificate to enable https requests on port 8443.
I want to run HAProxy in front as a reverse proxy server, to redirect http:80 -->8080 and https:443 --> 8443.
It looks as if using the very simple "listen" config setting in HAProxy is what I'll need, however I'm not sure about how to:
a) Modify the JIRA server.xml file so that the Connector 8443 configuration is properly set to return the correct values for reverse proxy from https (443)
b) How to configure a 'listen' entry in the haproxy.cfg file that properly references the SSL certs on my server, to allow for proper forwarding of https requests to the backend server's SSL listener on 8443.
This would be easier if you used apache. But I found this doc for Bitbucket which you could adapt for Jira. https://confluence.atlassian.com/bitbucketserver0414/securing-bitbucket-server-behind-haproxy-using-ssl-895368117.html
One key thing is that you do not need the certificates/keystore to be referenced in your jira server.xml. All you need for a proxy other than defaults are:
secure="true"
scheme="https"
proxyName="jirahostname.yourdomain.com"
proxyPort="443"
Then HAProxy (or in my case apache) would be the one to redirect 80 to 443. Users would access Jira on 443, so you need to set your base url to https://jirahostname.yourdomain.com
So as long as my front end proxy is listening on 443 for https and forwarding to the backend which is using 8080 for http, port 80, I only have to worry about:
a) The proxy server's config to reference the location of my .pem file for SSL
b) Include the four lines above in my server.xml under the Connector 8080 section, so that the Tomcat server knows to respond back with jirahostname.mydomain.com as the appropriate responder for http requests
Am I understanding this correctly?
Yes, that, and the redirect from port 80 to 443 for the users who forget to use https: and setting the Jira Base URL (in administration --> system configuration) to https://jirahostname.yourdomain.com
This effectively terminates the SSL at the proxy, which is much more efficient than doing that at tomcat (jira). Communication between the proxy and Jira is http and the end user never hits Jira directly, always through the proxy. This is optimal for performance when using HTTPS.
Visualized:
Should the proxyName entry in my JIRA server.cfg be set to just the domain (i.e. corp.mydomain.com) or should it be the full name of the jira server?
Current config looks like this:
    <Service name="Catalina">
        <Connector port="8080"
                   maxThreads="150"
                   minSpareThreads="25"
                   connectionTimeout="20000"
                   enableLookups="false"
                   maxHttpHeaderSize="8192"
                   protocol="HTTP/1.1"
                   useBodyEncodingForURI="true"
                   redirectPort="8443"
                   acceptCount="100"
                   disableUploadTimeout="true"
                   secure="true"
                   scheme="https"
                   proxyName="corp.mycompany.com"
                   proxyPort="443"
                   bindOnInit="false"/>
<!--
I'm close because now I at least can see that requests to https://myjira.corp.mycompany.com are being returned with a secure connection but then the browser hangs in a loop, as if the JIRA server isn't returning the correct response to the proxy server.
My HAProxy config, looks like this:
    defaults
        mode http
        log global
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.0/8
        option redispatch
        retries 3
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    #---------------------------------------------------------------------
    # main frontend which proxys to the backends
    # Tells HAProxy to start listening for HTTPS requests. It uses the SSL key
    # and certificate found within corp.mycompany.com.pem. All requests will be routed
    # to the jira_http_backend.
    #---------------------------------------------------------------------
    frontend jira_http_frontend
        bind *:443 ssl crt /etc/pki/tls/keystore/corp.xperi.com.pem
        default_backend jira_http_backend

    #---------------------------------------------------------------------
    # static backend for serving up images, stylesheets and such
    # The jira_http_backend simply forwards all requests onto http://mycompany.com:8080/.
    # It will only allow 1000 concurrent connections to the server at once.
    #---------------------------------------------------------------------
    backend jira_http_backend
        mode http
        option httplog
        option forwardfor
        option http-server-close
        option httpchk
        server jira01 myjira.corp.mycompany.com:8080 maxconn 1000
Your proxyName should be "myjira.corp.mycompany.com"
Yeah 5 seconds after I sent that the lightbulb went on. ;-)
It's working. Last question.
Is there a way to set an auto-redirect in the proxy so that http requests to myjira.corp.mycompany.com get redirected to https? I'm assuming there is, I just don't know the syntax.
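One way to do the redirect asked about above, shown as an added example that is not part of the original thread. It reuses the frontend name, backend name and certificate path from the HAProxy config posted earlier and assumes the `defaults` section there (`mode http`) is still in place.

```haproxy
#---------------------------------------------------------------------
# Added example: one frontend listening on both 80 and 443.
# Plain-HTTP requests are answered with a 301 to the same host and
# path over https; only TLS requests reach the Jira backend.
#---------------------------------------------------------------------
frontend jira_http_frontend
    # Plain HTTP listener, used only to issue the redirect
    bind *:80
    # TLS listener; certificate path taken from the config in the thread
    bind *:443 ssl crt /etc/pki/tls/keystore/corp.xperi.com.pem

    # ssl_fc is true only when the client connection arrived over TLS,
    # so every request that came in on port 80 is redirected here and
    # never forwarded to the backend.
    http-request redirect scheme https code 301 unless { ssl_fc }

    default_backend jira_http_backend

#---------------------------------------------------------------------
# Backend unchanged from the thread: TLS terminates at HAProxy and
# traffic to Tomcat's 8080 connector is plain HTTP.
#---------------------------------------------------------------------
backend jira_http_backend
    mode http
    option forwardfor
    option http-server-close
    server jira01 myjira.corp.mycompany.com:8080 maxconn 1000
```

Because the hop from HAProxy to port 8080 is unencrypted, the redirect only protects users who go through the proxy; port 8080 on the Jira host should accept connections from the proxy alone.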
You're welcome!
Hi Josh,
We just installed jira in linux. Currently I am accessing jira by using the computer name/IP address and its port 8080 through the url http://10.20.3.121:8080.
Now we have decided to access jira with the URL http://jira.trade.com.
What steps/configuration need to be done if I want to access it by using the url http://jira.trade.com?
Regards,
Suresh