fd Blog

Daniel Hilgarth on software development

Use Apache as Proxy for Confluence, JIRA & Stash

This tutorial shows how to use Apache as a proxy for Confluence, JIRA & Stash.
We will configure Apache so that it accepts only SSL connections, without the need to enable SSL in the Tomcat instances of Confluence, JIRA & Stash.
Each application will be available at its own sub-domain, e.g. confluence.<your-domain>.com.

Apache configuration

Site configuration

For each application, create a config file in /etc/apache2/sites-available with the following content:

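<VirtualHost *:80>
  ServerName <sub>.<domain>
  # Send all plain-HTTP requests to the HTTPS site
  Redirect permanent / https://<sub>.<domain>/
</VirtualHost>

<VirtualHost *:443>
  ServerName <sub>.<domain>
  # Apache terminates SSL here; the certificate files are set in ssl.conf (see "SSL configuration")
  SSLEngine On
  SSLProxyEngine On
  # Forward requests to the application's proxy connector over plain HTTP on localhost
  ProxyPass        /  http://localhost:<port>/ connectiontimeout=5 timeout=300
  ProxyPassReverse /  http://localhost:<port>/
</VirtualHost>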

Here, <sub> is the sub-domain, e.g. confluence; <domain> is your domain, e.g. fire-development.com; and <port> is an unused port. Please note that this is not the default port of the application, e.g. it is not 8080 for Confluence. Port and sub-domain need to be different in each file you create. I used 8443, 8444 and 8445 for the ports and confluence, jira and git for the sub-domains.

Enable the sites via sudo a2ensite <config-file>

Required modules

Enable the required modules:

sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_http

SSL configuration

Create a new file /etc/apache2/conf-available/ssl.conf with the following content:

SSLCertificateFile /etc/apache2/ssl/<certificate>
SSLCertificateKeyFile /etc/apache2/ssl/<certificate-key>
SSLCACertificateFile /etc/apache2/ssl/<intermediate-certificate>

Example:

SSLCertificateFile /etc/apache2/ssl/rapidssl-fire-development.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/rapidssl-fire-development.com.key
SSLCACertificateFile /etc/apache2/ssl/rapidssl-intermediate.crt

Make sure the referenced files actually exist :-)

Finally, you need to enable the new configuration file:

sudo a2enconf ssl

Tomcat configuration

For each application, you need to edit the file path/to/application/conf/server.xml, e.g. sudo nano /opt/atlassian/confluence/conf/server.xml.

In each file, you need to find the existing Connector tag. It should be inside the Server/Service tag. Right below it, still inside the Service tag, insert another Connector tag. <port>, <sub> and <domain> are the values from the corresponding config file created in the first step.

Confluence

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="<port>" minProcessors="5"
           maxProcessors="75"
           enableLookups="false" acceptCount="10" debug="0" connectionTimeout="20000"
           useURIValidationHack="false" URIEncoding="UTF-8"
           scheme="https"
           proxyName="<sub>.<domain>"
           proxyPort="443"/>

JIRA

<Connector port="<port>"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           acceptCount="100"
           disableUploadTimeout="true"
           scheme="https"
           proxyName="<sub>.<domain>"
           proxyPort="443"/>

Stash

<Connector port="<port>" protocol="HTTP/1.1"
           connectionTimeout="20000"
           useBodyEncodingForURI="true"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
           scheme="https"
           proxyName="<sub>.<domain>"
           proxyPort="443"/>
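
A check for the proxy connectors added to each server.xml above, as an added example that is not from the original post: it parses the file and reports connectors whose scheme, proxyName or proxyPort do not match the Apache site. It goes beyond the post by also flagging connectors not bound to loopback (Tomcat's address attribute) and a missing secure="true"; the host name, ports and sample file are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original page): port 8080 is the
# application's default connector, port 8443 the added proxy connector.
SAMPLE = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
               scheme="https" proxyName="confluence.example.com" proxyPort="443"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml, expected_host):
    """Return (port, finding) tuples for every Connector in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        is_proxy = "proxyName" in conn.attrib or "proxyPort" in conn.attrib
        # Without address=, Tomcat binds the connector to all local addresses,
        # so clients can bypass Apache and talk plain HTTP to the port.
        if conn.get("address") not in LOOPBACK:
            findings.append((port, "not bound to loopback: firewall the port or set address"))
        if not is_proxy:
            continue
        if conn.get("scheme") != "https":
            findings.append((port, "scheme is not https: generated URLs will use http"))
        if conn.get("proxyName") != expected_host:
            findings.append((port, "proxyName does not match the Apache ServerName"))
        if conn.get("proxyPort") != "443":
            findings.append((port, "proxyPort is not 443"))
        # secure="true" makes request.isSecure() return true for proxied requests.
        if conn.get("secure") != "true":
            findings.append((port, 'secure="true" not set'))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE, "confluence.example.com"):
        print(f"connector {port}: {finding}")
```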

Apply changes

To apply the changes, all involved applications need to be restarted:

sudo service confluence stop
sudo service confluence start
sudo service jira stop
sudo service jira start
sudo service atlstash stop
sudo service atlstash start
sudo service apache2 restart

Fix Base URL

Each application has a configuration value that specifies the Base URL that users use to access it. This value needs to be adjusted to https://<sub>.<domain>, e.g. https://confluence.fire-development.com.

Please refer to the Atlassian documentation on how to do this:
