Hi @Nic Brough -Adaptavist- 

so you set up the URLs for tools on the same server with a reverse proxy is that right?

My best

Merve

hi Nic,

Thanks for your help.

Considering our current setup, it would be fine If we can setup a structure where Jira and Confluence exists on separate URLs. Something like the following:

https://abcJira.com

https://abcConfluence.com

Now this is not a hard requirement and if having https://abcjira.com and https://abcjira.com/confluence is easier to implement, the business would be onboard with that as well.

I am exploring what the SSL costs would be if we chose different domains though so in that sense, the first option is more preferable.

We are working with NetScaler for some other applications so using a proxy server would be feasible.

What do you think would be a good starting point here?

Thanks a lot for your help.

Regards,

Shib Saha 

A reverse proxy is my personally preferred route, probably because it's what I'm most familiar with (it's also good to offload the SSL on to the proxy, is easier to integrate into larger web sites, and it's very similar to load balancers when you scale up to data-centre, and most of our clients are doing it, so it's good to practice)

Is that what you are aiming for?

Hi Nic,

I would like to to go with same flow(reverse proxy) for implementing this task.

Could you please guide me with the steps involved in implementing this.

Thanks a lot for your help!

Regards,

Shib 

Ok, I would break this task into two parts.  First, get a proxy working with http, then, second, add httpS to the proxy. 

So, first, see https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

There's a lot there, but if you follow each step, it will work fine.  Most of the text is really more about giving you a sample than actual instructions.  It comes down to making sure your web-server has the right modules to support it, then editing the "site" files for the web-server to add the proxy server settings and the Jira server's server.xml to match the context, and telling Jira what the new base url is.

The second step is confusing.  SSL is not simple (if it were, it probably wouldn't be secure enough).  Do NOT even start on this step until you have Jira working ok through a simple http proxy, that way lies madness.  But assuming you have that, your next steps are reading two docs:

• https://confluence.atlassian.com/adminjiraserver/running-jira-applications-over-ssl-or-https-938847764.html
• https://confluence.atlassian.com/adminjiraserver/integrating-jira-with-apache-using-ssl-938847754.html

These try too hard, imho, and could do with a summary (assuming you have an http proxy setup working ok)

• You need a server certificate to put on the proxy.  Incoming connections will be measured against it.
• You need a client certificate.  Browsers connecting to a well-configured server should negotiate one, but it is important to understand that your Jira server also needs one of these, and it cannot negotiate one for itself like a browser can.  You will have to install that yourself.  Jira will actually work, but not well, until you install it
• Your http Jira will not work properly through a proxy that does not know that the other side of the proxy is ssl.  You need to tell it (this is adding three lines to your server.xml as per docs)
• Once you've got that lot done, Jira will work, but complain about the base url until you change from http://something to httpS:something

Hey Nic,

Sorry for the late reply, I was on leave.

Now we have proxy enabled with expired cert as we are configuring QA environment first.

But getting Gadget error "MSG_gadget_name" and "gadget.common.error.500".

Do you know what could be the cause?

Installation of cert on jira server(this cert will be same cert that we will be using on proxy server or different cert), please share if there is any doc for installing cert on jira server.

Thanks a lot!

Regards,

Shib Saha 

It means you need to get a new, valid, certificate and install that, replacing the expired one.  See the links above for instructions on installing it.

Thanks nic for the info.

Regards,

Shib Saha 

Hey Nic,

We have configured the reverse proxy with netscaler at network end, but business did not agree to use this approach.

Now we are using apache as reverse proxy and with http both the application is working fine with apache as reverse proxy, but when we are enabling the SSLengine service(jira and Confluence) site is not reachable.

We have been struggling for two days but still not able to figure out the root cause.

Could you please help where we are missing something?

Thanks and Regards

Shib Saha 

It's impossible to say without a description of the problem.

You say the service is "unreachable" - that implies that the service is not resolving, which is a DNS problem.  I don't think that's the whole problem though, if it works without SSL, I suspect its reachable but firewalled or misconfigured.

Could you tell us what the browser errors are?

Hi Nic,

Above issue is resolved now, both the application is running over https.

Again we are getting errors of gadgets "__MSG_gadget.created.vs.resolved.title__", while configuring the applications with http this error was not occurring.

I read some of the Atlassian article  and found that we need to place certificate in JRE. My opinion is if we are offloading Certificate in Apache, do we need to place cert in JRE folder also?

Thanks for your help.

Regards,

Shib Saha 

Yes.  The certificates allow something to read an https secured site.

When your browsers visit SSL sites, they can negotiate certificates, but services like Jira and Confluence can't.  They need the certificates to be loaded into their key stores.