Johnride

Reputation: 8746

Jira behind Apache SSL proxy on CentOS

Like the title says, I'm trying to get Jira running behind an Apache SSL proxy.

I was able to make it work without SSL, but now I'm struggling with a 502. I get the same result when I try to access https://localhost/, localhost:8080 (which worked without encryption before I set the proxy in Jira), https://127.0.0.1 and some others.

Here is the Jira connector config.

 <Connector port="8080"

               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"

               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"
               scheme="https"
               proxyName="localhost"
               proxyPort="443"
               />

   <!--

And now the Apache VHost config; sorry for the newbie-like config.

ProxyRequests On
NameVirtualHost *:443

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/ca.crt
  SSLCertificateKeyFile /etc/pki/tls/private/ca.key
  SSLProxyEngine on

  ServerName localhost
  ServerAlias jira.ecoledelexcellence.ca
  ServerAlias 192.168.0.116

  ProxyRequests Off
  ProxyPreserveHost On

#  <Proxy *>
#    Order deny,allow
#    Allow from all
#  </Proxy>

  ProxyPass / https://127.0.0.1:8080/ retry=0
  ProxyPassReverse / https://127.0.0.1:8080/ retry=0

  <Location />
    Order allow,deny
    Allow from all
  </Location>

  #HTTP => HTTPS rewrite
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Thanks for any hint

Upvotes: 0

Views: 2186

Answers (1)

Koshinae

Reputation: 2330

In Tomcat, you should add to the Connector config that it is a secure channel:

secure="true"

This tells Tomcat that even if the SSL engine is not initialized on this Connector, the incoming connections are qualified to be "secure". The proxyName should be the externally visible name of the machine; this helps if the webapp is using the scheme, proxyName, and proxyPort variables to construct a URL. See: Tomcat Proxy Support

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received by this Connector. You would want this on an SSL Connector or a non SSL connector that is receiving data from a SSL accelerator, like a crypto card, a SSL appliance or even a webserver.

(Also applies to AJP Connectors)

HTTP:

For the ProxyPass* you don't need the "s" in the https. Also you don't need the Rewrite at the end, it will force all incoming connections to plain http.

Upvotes: 1
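
An added example, not part of the original question or answer: a small Python check that flags the three mismatches discussed in this thread (an https:// backend URL pointing at a connector that has no TLS enabled, scheme="https" without secure="true", and a proxyName that is not the external host name). The sample configs are constructed from the ones in the question; `jira.example.com`, the function name and the finding names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the question's configs (not the real files).
BROKEN_CONNECTOR = ('<Connector port="8080" protocol="HTTP/1.1" scheme="https" '
                    'proxyName="localhost" proxyPort="443" />')
BROKEN_VHOST = """
  ProxyPass / https://127.0.0.1:8080/ retry=0
  ProxyPassReverse / https://127.0.0.1:8080/ retry=0
"""
# jira.example.com is a placeholder for the externally visible host name.
FIXED_CONNECTOR = ('<Connector port="8080" protocol="HTTP/1.1" scheme="https" '
                   'secure="true" proxyName="jira.example.com" proxyPort="443" />')
FIXED_VHOST = """
  ProxyPass / http://127.0.0.1:8080/ retry=0
  ProxyPassReverse / http://127.0.0.1:8080/
"""

# Active (uncommented) ProxyPass/ProxyPassReverse lines: scheme and backend port.
PROXY_RE = re.compile(
    r"^[ \t]*ProxyPass(?:Reverse)?[ \t]+\S+[ \t]+(https?)://[^:/\s]+:(\d+)",
    re.MULTILINE | re.IGNORECASE)


def check_proxy_pair(connector_xml, vhost_conf):
    """Return sorted finding names for Apache terminating TLS in front of Tomcat."""
    conn = ET.fromstring(connector_xml).attrib
    is_true = lambda name: conn.get(name, "false").lower() == "true"
    findings = set()
    for scheme, port in PROXY_RE.findall(vhost_conf):
        # Apache would start a TLS handshake with a connector that speaks plain HTTP.
        if (port == conn.get("port") and scheme.lower() == "https"
                and not is_true("SSLEnabled")):
            findings.add("backend-scheme-mismatch")
    # scheme="https" alone does not make request.isSecure() return true.
    if conn.get("scheme") == "https" and not is_true("secure"):
        findings.add("missing-secure-true")
    # The webapp may build URLs from proxyName, so it should be the external name.
    if conn.get("proxyName") in ("localhost", "127.0.0.1"):
        findings.add("proxyname-not-external")
    return sorted(findings)


if __name__ == "__main__":
    print(check_proxy_pair(BROKEN_CONNECTOR, BROKEN_VHOST))
    print(check_proxy_pair(FIXED_CONNECTOR, FIXED_VHOST))
```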
