Tuesday, July 6, 2010

Configure JIRA 4.0 with SSL/HTTPS and proxy with apache or nginx

When you do SSL and enabling https proxy together Its recommended to configure the SSL on proxy gateway. If not you may have seen JIRA gadgets are not loading and giving following error.

Error
-------------------------------------------------------------------------------------------------
We've detected a potential problem with JIRA's Dashboard configuration that your administrator can correct. Hide
Dashboard Diagnostics: Mismatched URL Scheme

JIRA is reporting that it is using the URL scheme 'https', which does not match the scheme used to run these diagnostics, 'http'. This is known to cause JIRA to construct URLs using an incorrect hostname, which will result in errors in the dashboard, among other issues.

The most common cause of this is the use of a reverse-proxy HTTP(S) server (often Apache or IIS) in front of the application server running JIRA. While this configuration is supported, some additional setup might be necessary in order to ensure that JIRA detects the correct scheme.

The following articles describe the issue and the steps you should take to ensure that your web server and app server are configured correctly:

* Gadgets do not display correctly after upgrade to JIRA 4.0
* Integrating JIRA with Apache
* Integrating JIRA with Apache using SSL

If you believe this diagnosis is in error, or you have any other questions, please contact Atlassian Support.
Detailed Error
Hide

com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'https', does not match expected scheme 'http'
-------------------------------------------------------------------------------------------------

JIRA Configuration
===========================================
You only need to set the conf/server.xml file edit the Add scheme,proxyName and proxyPort to the Connector as follows.

  



< Connector port="8080" protocol="HTTP/1.1"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" useBodyEncodingForURI="true"
enableLookups="false" redirectPort="9443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"


scheme="https"
proxyName="example.com"
proxyPort="443"
/>



Now JIRA consider the example.com as his https proxy.
consider if you use the jira as example.com/jira on your domain.

NGINX Configuration
=======================================
Under listening port 80

# This is to Redirect all traffic comes to http into https.

server {
listen 80;
--------
--------
  
location /jira {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
rewrite ^ https://example.com/jira permanent;
}

-------
-------

Under listening port 443

#Since we have enable https proxy in connector in JIRA we need to publish it here as a https proxy service.

server {
listen 443;
------
------
  
# Please note to remove ="" notations from config file. Its shows due to code-highlight error.

location /jira {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://:8080/jira;
}

-----
-----

If its Apache
=======================================
  
# Please note to remove ="" notations from config file. Its shows due to code-highlight error.


ServerAdmin admin@example.com
ServerName jira.example.com


ErrorLog /var/log/apache2/ssl-error.log
LogLevel warn
CustomLog /var/log/apache2/ssl-access.log combined
ServerSignature On

SSLEngine On
SSLCertificateFile example.crt
SSLCertificateKeyFile example.key
SSLCertificateChainFile CA.crt

SSLProxyEngine on

Order deny,allow
Allow from all
#Allow from .your_domain.com


ProxyRequests Off
ProxyPreserveHost On


ProxyPass /jira http://localhost:8080/jira
ProxyPassReverse /jira http://localhost:8080/jira




If you use http proxy instead of https proxy you only need delete the scheme="https" and change proxyPort="443" into proxyPort="80".Then do the proxy under http on NGINX or apache.