Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to configure Jira an Confluence behind F5 Firewall/Proxy with SSL-Offload

Andre Eikermann
Andre Eikermann November 3, 2016

We have a JIRA and a Confluence behind a F5 Firewall / Proxy. SSL is managed by the F5.

JIRA should be accessible through https://www.mydomain.com/jira

Confluence should be accessible through https://www.mydomain.com/confluence

Contextpath in server.xml is set on both Servers.

We added the following Parameters in the connector:

  • proxyName="www.mydomain.com"
  • proxyPort="443"
  • scheme="https"
  • secure="true"

When we now access JIRA or Confluence we get lots of errors:

Jira:

2016-11-02 16:11:58,494 http-nio-8080-exec-6 WARN mad 971x467x1 1uf2vh9 193.174.118.227 /rest/analytics/1.0/publish/bulk [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://www.mydomain.com/jira/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/jira/plugins/servlet/whitelist , credentials in request: true , allowed via CORS: false

 

Confluence:

2016-11-02 15:57:20,071 WARN [http-nio-8090-exec-10] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://www.mydomain.com/confluence/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://www.mydomain.com/confluence/login.action , credentials in request: true , allowed via CORS: false
 -- referer: http://www.mydomain.com/confluence/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /cf/rest/analytics/1.0/publish/bulk | traceId: aeee4a16b71b21e9 | userName: anonymous

Something seems to be wrong with the configuration.

The Request is HTTPS the referrer is only HTTP.

 

Any idea how to solve this?

Answer
Watch
Like Be the first to like this
4026 views

3 answers

0 votes
Paul Stallworth
Paul Stallworth
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 5, 2016

Are you running them on their own virtual servers?  If not you can get some weird errors if you run them both off a single VS.

If you are terminating SSL at the F5, you may not need the "secure=true" parameter on the HTTP connector.  You may also need to do HTTP to HTTPS redirection on the F5, we do it via an iRule but a Policy would probably work.

We have run ours at varying times in both configurations: SSL terminating at the F5 as well as SSL all the way through to Tomcat.  Here's a sample of our server.xml from our dev environment:

<Connector port="8082" connectionTimeout="20000" redirectPort="8443"
                maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" 
				proxyName="hdsdevconfluence.colorado.edu" proxyPort="443" scheme="https"
				/>
 
<Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="75" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keyAlias="hdsdevconfluence" keystoreFile="C:\path\to\keystore.jks"
keystorePass="keystorepass" keystoreType="JKS"/>
Reply
0 votes
Manse Wolken
Manse Wolken
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 4, 2016

Looks more like you have configured your base URLs to http://... 

And add automatic redirection to https on your webserver (if the F5 does not support this)

 

View More Comments
Andre Eikermann
Andre Eikermann November 4, 2016

base URL is set to httpS://

Like
Panagiotis Karampis
Panagiotis Karampis
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 4, 2016

base url should be set to http:// not S, as the "S" part is handled by the proxy

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 4, 2016

No.  The base url should be set to whatever the users are going to use to connect to it.  Https in this case.

Also, make sure that each server can reach itself via that base url.  They like to talk to themselves!

Like
Panos
Panos
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 4, 2016

Thats true. I got confused with the proxy pass param of nginx. I'll update my comment

Like
Reply
0 votes
Panos
Panos
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 4, 2016

I don't know much about F5, but i post you part of my nginx config hoping it can help you as you need to have proxy settings set

location / {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_read_timeout 3600;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8090;
        }
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
atlassian, atlassian government cloud, fedramp, webinar, register for webinar, atlassian cloud webinar, fedramp moderate offering, work faster with cloud

Unlocking the future with Atlassian Government Cloud ☁️

Atlassian Government Cloud has achieved FedRAMP Authorization at the Moderate level! Join our webinar to learn how you can accelerate mission success and move work forward faster in cloud, all while ensuring your critical data is secure.

Register Now
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.