The post Using NGINX as an Atlassian JIRA Reverse Proxy appeared first on Justin Silver.
]]>I use JIRA in a cloud infrastructure where it’s obviously desirable to serve the contents over SSL, therefore I set up an NGINX as a JIRA reverse proxy for unencrypted requests to the JIRA backend service and handle the SSL on the front end with Let’s Encrypt. We need to let JIRA know that we are proxying it over HTTPS however by setting some values in server.xml first.
Notice that my Let’s Encrypt SSL certificates are in the /etc/letsencrypt/live/jira.doublesharp.com directory, but yours will be specific to the hostname you create them for. The certs are created via the letsencrypt command and use Nginx to process the validation request. Once created the generated PEM files can be used in your Nginx config. Note that you will need to comment out this line in the SSL config if they don’t yet exist, start Nginx to create the certs, uncomment the lines to enable SSL, and then restart Nginx once again (whew!).
Configure JIRA to add proxyName
, proxyPort
, scheme
, and secure
parameters to the Tomcat Connector in server.xml
.
<Connector port="8081" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" bindOnInit="false" proxyName="jira.doublesharp.com" proxyPort="443" scheme="https" secure="true" />
Don’t forget to copy the database driver to $JIRA_INSTALL/lib
.
Note use of “jira.doublesharp.com” in config and change as needed. This configuration uses a subdomain specific certificate from Let’s Encrypt, but you could also use a Wildcard Certificate for your JIRA reverse proxy setup as well which can help to consolidate your key generation.
# Upstream JIRA server on port 8081. Use 127.0.0.1 and not localhost to force IPv4. upstream jira { server 127.0.0.1:8081 fail_timeout=0; } # listen on HTTP2/SSL server { listen 443 ssl http2; server_name jira.doublesharp.com; # ssl certs from letsencrypt ssl_certificate /etc/letsencrypt/live/jira.doublesharp.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/jira.doublesharp.com/privkey.pem; location / { # allow uploads up to 10MB client_max_body_size 10m; # set proxy headers for cloudflare/jira proxy_set_header Host $host:$server_port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # hand the request off to jira on non-ssl proxy_pass http://jira; } } # redirect HTTP and handle let's encrypt requests server { listen 80; server_name jira.doublesharp.com; root /var/lib/jira; # handle letsencrypt domain validation location ~ /.well-known { allow all; } # send everything else to HTTPS location / { return 302 https://jira.doublesharp.com; } }
The post Using NGINX as an Atlassian JIRA Reverse Proxy appeared first on Justin Silver.
]]>