Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira SSL on IIS

serhii_khoma
serhii_khoma July 31, 2017

I have Jira Software 7.3.1 running on Windows Server 2012.

First time I was using it at xxx.xxx.xxx.xxx:8080 and everything worked fine. 

Now I've to migrate it to a subdomain.

I've done everything according to this article https://confluence.atlassian.com/adminjiraserver071/integrating-jira-applications-with-iis-802593039.html and eveyrhing works good.

Now I have to use SSL certificate on this subdomain and I'm refering to https://confluence.atlassian.com/adminjiraserver071/running-jira-applications-over-ssl-or-https-802593051.html

 

When using system without HTTPS - it working. If I'm using with HTTPS, I see a lot of errors in browser console that requests were blocked because of asking http... from https...

 

Screenshot 

Screenshot_1.png

I suppose, it is because I have not installed redirect 

<security-constraint>
 <web-resource-collection>
 <web-resource-name>all-except-attachments</web-resource-name>
 <url-pattern>*.jsp</url-pattern>
 <url-pattern>*.jspa</url-pattern>
 <url-pattern>/browse/*</url-pattern>
 <url-pattern>/issues/*</url-pattern>
 </web-resource-collection>
 <user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>
</security-constraint>

 

But when I'm installing this redirect suddenly port 8443 is added

https://sub.domain.com:8443/secure/Dashboard.jspa

 

Please, advice what to do in this situation. 

My server.xml

<?xml version="1.0" encoding="UTF-8"?>

 <Connector acceptCount="100" 
 connectionTimeout="20000" 
 disableUploadTimeout="true" 
 enableLookups="false" 
 maxHttpHeaderSize="8192" 
 maxSpareThreads="75" 
 maxThreads="150" 
 minSpareThreads="25" 
 port="8080" 
 protocol="HTTP/1.1" 
 redirectPort="8443" 
 proxyName="sub.domain.com" 
 proxyPort="80" 
 useBodyEncodingForURI="true"/>

 <Connector URIEncoding="UTF-8" enableLookups="false" port="8009" protocol="AJP/1.3" redirectPort="8443"/>

 <Engine defaultHost="localhost" name="Catalina">
 <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

 <Context docBase="${catalina.home}/atlassian-jira" path="" reloadable="false" useHttpOnly="true">


 <Resource auth="Container" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60" name="UserTransaction" type="javax.transaction.UserTransaction"/>
 <Manager pathname=""/>
 <JarScanner scanManifest="false"/>
 </Context>

 </Host>

 <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
 </Engine>

 <Connector SSLEnabled="true" 
 acceptCount="100" 
 clientAuth="false" 
 connectionTimeout="20000" 
 disableUploadTimeout="true" 
 enableLookups="false" 
 keyAlias="my_alias" 
 keystoreFile="path_to_keystore.jks" 
 keystorePass="mypassword" 
 keystoreType="JKS" 
 maxHttpHeaderSize="8192" 
 maxSpareThreads="75" 
 maxThreads="150" 
 minSpareThreads="25" 
 port="8443" 
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 scheme="https" 
 secure="true"
 sslProtocol="TLS" 
 proxyName="sub.domain.com" 
 proxyPort="443" 
 useBodyEncodingForURI="true"/>
 </Service>
</Server>

 

Also important thing is that from config wizard I cannot select HTTP and HTTPS as it's not active for me. Just HTTP or HTTPS can be selected.

Screenshot_2.png

 

Please, help me to avoid adding 8443 port to URL. 

Thanks in advance!

Answer
Watch
Like Be the first to like this
4807 views

2 answers

2 accepted

1 vote
Answer accepted
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 31, 2017

Could you explain where you are trying to terminate the SSL connection?

In other words, is IIS supposed to be doing all the SSL work, or are you trying to make JIRA's Tomcat do it as well?

View More Comments
serhii_khoma
serhii_khoma July 31, 2017

Hello Nic,

if I understand correctly, this is a solution?

I've googled a little and found article https://stackoverflow.com/questions/31922167/iis-how-to-simulate-ssl-termination-on-load-balancer

Have I to do the same as described there? 

This is IIS realization, is there any other way, less complex?

I haven't done any termination of ssl connection. I just followed articles (links above)

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 1, 2017

Not that I know of, that article doesn't seem to be about SSL proxies in IIS.

IIS is pretty horrid for doing this sort of work, a far less complex solution is running Apache or nginx as a proxy, but you should stick with IIS if your systems are all IIS based.

I'm sorry, I did not explain "termination of ssl" - you are doing it if you use https.  The phrase means "where does the encryption stop".  Imagine a standard proxy server setup of:

User -1> Internet -2> Your proxy -3> JIRA

Your user fires up an SSL connection over the internet.  You can "terminate the SSL" at -2> or at -3> here.  Whichever one you chose, the work of encryption is done on the server it lands on. 

JIRA's Tomcat is not a good place to do it - it loads the JIRA process, it's not particularly flexible, it doesn't fit in well with the reasons most people use proxies, and it means some fiddling with the proxy to make it work.  It is preferable to do it on the proxy server (IIS in your case).  The question I'm asking is where you want to do it?

Like
serhii_khoma
serhii_khoma August 2, 2017

Thanks Nic for you answer.

All websites are stored in IIS. It can be difficult to install Apache and make them both listent to 80 and 443 ports.

So, I've to look how to do this in IIS.

Like
Reply
0 votes
Answer accepted
serhii_khoma
serhii_khoma August 8, 2017

The solution was found:

1. Create on IIS website, add ssl certificate, bind app to 80 and 443 port

2. Using IIS URL rewrite module create 2 proxy rules rewriting to Https://jira_host:8443

3. Enable jira 8443 port according to the articles above.

And everything will work, there is no need to use tomcat IIS connector.

View More Comments
Jessica Torres
Jessica Torres August 7, 2018

Hi there, can you elaborate on this a bit? I tried creating the proxy rules but it makes me download and install ARR 3.0 and then says something about configuring a server farm which is not my intent at all. How exactly did you create those rules? Btw, I do have the IIS URL rewrite module installed.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.