Tuesday, July 6, 2010

Configure JIRA 4.0 with SSL/HTTPS and proxy with apache or nginx

When you use SSL together with an https proxy, it is recommended to configure SSL on the proxy gateway. Otherwise, you may see JIRA gadgets fail to load and give the following error.

Error
-------------------------------------------------------------------------------------------------
We've detected a potential problem with JIRA's Dashboard configuration that your administrator can correct.
Dashboard Diagnostics: Mismatched URL Scheme

JIRA is reporting that it is using the URL scheme 'https', which does not match the scheme used to run these diagnostics, 'http'. This is known to cause JIRA to construct URLs using an incorrect hostname, which will result in errors in the dashboard, among other issues.

The most common cause of this is the use of a reverse-proxy HTTP(S) server (often Apache or IIS) in front of the application server running JIRA. While this configuration is supported, some additional setup might be necessary in order to ensure that JIRA detects the correct scheme.

The following articles describe the issue and the steps you should take to ensure that your web server and app server are configured correctly:

* Gadgets do not display correctly after upgrade to JIRA 4.0
* Integrating JIRA with Apache
* Integrating JIRA with Apache using SSL

If you believe this diagnosis is in error, or you have any other questions, please contact Atlassian Support.
Detailed Error

com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'https', does not match expected scheme 'http'
-------------------------------------------------------------------------------------------------

JIRA Configuration
===========================================
You only need to edit the conf/server.xml file: add scheme, proxyName and proxyPort to the Connector as follows.

  



<Connector port="8080" protocol="HTTP/1.1"
    maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" useBodyEncodingForURI="true"
    enableLookups="false" redirectPort="9443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
    scheme="https"
    proxyName="example.com"
    proxyPort="443"
/>



JIRA now treats example.com as its https proxy.
This assumes you serve JIRA at example.com/jira on your domain.

NGINX Configuration
=======================================
Under listening port 80

# Redirect all traffic that arrives over http to https.

server {
    listen 80;
    # ... (other directives omitted) ...

    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        rewrite ^ https://example.com/jira permanent;
    }

    # ... (other directives omitted) ...
}

Under listening port 443

# Since the https proxy is enabled in the JIRA Connector, publish JIRA here as an https proxy service.

server {
    listen 443;
    # ... (other directives omitted; the SSL certificate settings belong here) ...

    # Note: remove any ="" notations from the config file; they appear because of a code-highlighting error.

    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Put the host that runs JIRA before :8080.
        proxy_pass http://:8080/jira;
    }

    # ... (other directives omitted) ...
}

If its Apache
=======================================
  
# Note: remove any ="" notations from the config file; they appear because of a code-highlighting error.
# The container tags were stripped from the post; <VirtualHost *:443> and <Proxy *> are assumed.

<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName jira.example.com

    ErrorLog /var/log/apache2/ssl-error.log
    LogLevel warn
    CustomLog /var/log/apache2/ssl-access.log combined
    ServerSignature On

    SSLEngine On
    SSLCertificateFile example.crt
    SSLCertificateKeyFile example.key
    SSLCertificateChainFile CA.crt

    SSLProxyEngine on

    <Proxy *>
        Order deny,allow
        Allow from all
        #Allow from .your_domain.com
    </Proxy>

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /jira http://localhost:8080/jira
    ProxyPassReverse /jira http://localhost:8080/jira
</VirtualHost>




If you use an http proxy instead of an https proxy, you only need to delete scheme="https" and change proxyPort="443" to proxyPort="80". Then do the proxying under http on NGINX or Apache.
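A consistency check for the Connector attributes described above, as an added example that is not part of the original post: it compares scheme, proxyName and proxyPort in server.xml with the public URL users type, which is the mismatch behind the gadget error. The function name check_connector and the sample server.xml fragment are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the Connector from this post inside a minimal server.xml.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="9443"
               scheme="https" proxyName="example.com" proxyPort="443"/>
  </Service>
</Server>
"""

DEFAULT_PORTS = {"http": "80", "https": "443"}


def check_connector(server_xml, public_url, connector_port="8080"):
    """Return a list of mismatches between the Connector and the public URL."""
    url = urlsplit(public_url)
    expected = {
        "scheme": url.scheme,
        "proxyName": url.hostname,
        "proxyPort": str(url.port or DEFAULT_PORTS[url.scheme]),
    }
    root = ET.fromstring(server_xml)
    connector = next(
        (c for c in root.iter("Connector") if c.get("port") == connector_port),
        None,
    )
    if connector is None:
        return [f"no Connector listening on port {connector_port}"]
    problems = []
    for attr, want in expected.items():
        # Tomcat's scheme attribute defaults to "http" when it is absent.
        have = connector.get(attr, "http" if attr == "scheme" else None)
        if have != want:
            problems.append(f"{attr}: have {have!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for url in ("https://example.com/jira", "https://jira.example.com/",
                "http://example.com/jira"):
        print(url, check_connector(SAMPLE_SERVER_XML, url) or "OK")
```
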

10 comments:

  1. On your example above & snippet listed below, proxyName="example.com" should be "xxx.example.com"

    We wasted 2hrs trying to figure out what we were doing wrong and jira was looking for the complete domain name.

    #
    # scheme="https"
    # proxyName="example.com"
    # proxyPort="443"

  2. Actually it depends on your requirement.
    If your jira domain is like https://jira.example.com, you have to use proxyName="jira.example.com".

    If you are going to use the domain like https://example.com/jira you have to use the proxyName="example.com".

  3. Hi,

    I tried to follow the steps mentioned above under Jboss and made the changes under server.xml file but after making the changes, jboss is not able to come up completely and Jira doesn't come up.

    After removing changes, this came up, I know that above mentioned steps are for Tomcat and I can understand this may be an issue.

    Can you please comment for enabling SSL proxy for jira where it's deployed under Jboss?

    Thanks,

  4. Hi,

    This is resolved. I was using the same port number for redirectPort="9443" and proxyPort="9443"; the same ports caused the application not to come up.
    I have changed the proxyPort and now the applications are coming up.

    Note: I needed to add
    scheme="https" secure="false" proxyName="deepthought.guavus.com" proxyPort="8443"

    Notice secure="false": without secure="false", access through the proxy had gadget errors. The source of this information is:
    http://confluence.atlassian.com/display/JIRAKB/Gadgets+do+not+Display+Correctly+when+Using+SSL+and+Proxy+Server

  5. Hi Yasith,

    Many thanks for this hint!

    My standard Apache SSL reverse proxy + Tomcat6/Jira4 now works like it used to do with Jira3.

    Took me hours before I encountered your fix.

    Kind regards,
    John Donath
    Netherlands

  6. hello

    nice doc!
    I have jira 4.2.2
    nginx frontend with https configured to access tomcat jira with http.
    My conf is slightly the same as yours.
    but I still have a problem with timesheet gadget.

    When I add the gadget I have no errors, but nothing appears except the border... (same screens as https://studio.plugins.atlassian.com/browse/TIME-99?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel#issue-tabs)

    I haven't CAS nor SSO configured...

    Did you have this behaviour? How do you manage this?

  7. Thanks man! I've spent a ton of time on this issue and once I found your post
    I had it up in 2 minutes. I noticed for apache
    you don't have a rewrite for if it comes in as http. This is working for me.


    ServerName
    ServerAdmin

    ErrorLog
    CustomLog

    RewriteEngine On

    # forward all traffic from port 80 (http) to 443 (https)
    RewriteRule ^(.*)$ https://$1 [L,R]

  8. apache conf script above was obliterated by html....sorry. Put your domain name between the https:// and $1 and you're good.

  9. Hey man! Thank you very much for your instructions! You saved my day!

  10. Great Thanks! Works for me!
