I recently wanted to serve JIRA over SSL using Apache to face the Internet instead of Tomcat. Here’s how I did it.
Basic JIRA setup was easy, even for someone who never touched the thing before – Atlassian did a good job with their standalone install package, and soon I had a server up at http://myserver:8080, and was able to log in and do the application setup normally. So far so good.
I next wanted to serve up JIRA over SSL. The official documentation gives a couple ways of doing that. One is to give Tomcat the ability to talk SSL itself - which I didn’t want to do for a couple of reasons: First, I find that seeing port numbers in the browser address bar confuses unsophisticated users; much better to just have them type a friendly name and go right to the site. Second, I don’t do that much with Tomcat; rather taking this opportunity to play around I wanted to just use that old faithful, the Apache http server (which was already configured and serving SSL on that box.)
The official Atlassian documentation has a page all about doing just this, using http/https to serve up JIRA, but I found it a bit too needlessly wordy. The information there is good, and I certainly encourage you to read it if you want, but lets cut to the chase. I ended up having to do exactly two things:
- In my atlassian/jira-4.4.4/conf /server.xml file at around line 58, there was a stanza:
enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>
enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" scheme="https" proxyName="myserver" proxyPort="443"/>
- Next, I had to modify the virtualhosts section of my apache2/conf/extra/httpd-ssl.conf file to include:
<Proxy *> Order deny,allow Allow from all </Proxy> ProxyRequests Off ProxyPreserveHost On ProxyPass / http://myserver:8080/ ProxyPassReverse / http://myserver:8080/
Now, if you want to try the above, keep in mind the following assumptions:
- My version of JIRA was 4.4.4; if you have another version, your mileage may vary.
- I’m serving up JIRA from the root of the box (i.e., https://myserver is enough to get me to the JIRA login page. Most of the docs seem to expect it at https://myserver/jira instead.)
- Apache was already set up to server SSL on my server. If you can’t put a static page at, say, /yourpage.html and hit https://yourserver/yourpage.html, these instructions won’t do you any good.
- The rest of your network (e.g., things like DNS) have to work as well (seems obvious, but…)
- Be a bit careful with the “Allow from all” bit of the apache proxy configuration. If you have ProxyRequests turned on (it’s off in the configuration above) or haven’t otherwise limited traffic to your server somehow, you might be running an open proxy that would allow anyone to issue http requests and make them seem like they’re coming from your server. This is a Bad Thing.
There you go, hope someone else finds this information useful!