Cloud
Versions
- 9.17
- 9.16
- 9.15
- 9.14
- 9.13
- 9.12
- 9.11
- 9.10
- 9.9
- 9.8
- 9.7
- 9.6
- 9.5
- 9.4
- 9.3
- 9.2
- 9.1
- 9.0
- 8.22
- 8.21
- 8.20
- See all
Integrating Jira with Apache
- Configuring Apache Reverse Proxy Using the AJP Protocol
- Integrating Jira with Apache using SSL
- Troubleshooting Apache
On this page
Related content
- No related content found
Still need help?
The Atlassian Community is here for you.
Ask the community
Atlassian applications allow the use of reverse-proxies within our products, however Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian can not guarantee providing any support for them.
If assistance with configuration is required, please raise a question on Atlassian Community.
“Ghostcat” vulnerability in Apache Tomcat
Following this guide might make your Jira instance prone to a recent high-risk vulnerability found in Apache Tomcat.
We recommend that you wait until Jira is bundled with the Tomcat version that fixes this issue, we’ll update this note once it’s released. For more info about this vulnerability, see:
Until then, if you need to use the AJP Connector, there are steps you can take to mitigate this issue. For more info, see this article.
This page describes how to integrate Apache HTTP Server(also referred to as httpd) with Jira, utilizing mod_proxy_ajp so that Apache operates as a reverse-proxy. AJP is a wire protocol and is an optimized version of the HTTP protocol to allow a standalone web server such asApacheto talk to Tomcat.
This protocol can be used in favor of HTTP/1.1 as in either of the following Apache configurations:
- Integrating Jira with Apache
- Integrating Jira with Apache using SSL
On this page:
Step 1:Configure Tomcat
- Stop Jira.
Enable the AJP Connector on the Tomcat container hosting Jira by uncommenting the following element in
$JIRA_INSTALL/conf/server.xml:<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />- Start Jira.
- Test that Jira is accessible on the standard HTTP connector, for example
http://jiraserver:8080. This is to ensure that Tomcat hassuccessfullyrestarted.
Step 2:Configure Apache HTTP Server
The installation of Apache and configuration of a DNS is not covered in this documentation. Additionally, it is assumed that Apache 2.2 has been installed and DNS entries have been configured for the Jira domain.As Apache's configuration is specific to the operation system that is used, only some distributions and their configurations are currently documented.
2.1 Enable the Proxy Modules
Debian/Ubuntu
Enable the module with the following:
$ sudo a2enmod proxy_ajpConsidering dependency proxy for proxy_ajp:Module proxy already enabledEnabling module proxy_ajp.To activate the new configuration, you need to run: service apache2 restart- Restart Apache.
Windows/Other OS
Locate and edit the
httpd.conffile, adding the below lines:LoadModule proxy_module modules/mod_proxy.soLoadModule proxy_ajp_module modules/mod_proxy_ajp.so- Restart Apache.
2.2. Configure Apache to use those Modules
Debian/Ubuntu
- Switch into user
root. - Backup the existing site or create a new one. Creating a new site is not covered within this documentation (copying the default should be sufficient).
- Modify the existing site within
$APACHE_INSTALL/sites-available, for exampledefault(HTTP) ordefault-ssl(HTTPS). Add the following inside the
VirtualHost, replacingjiraserverwith the hostname of the Jira server and also modifying the port if required.# Jira AJP Proxy Configuration:<Proxy *> Order deny,allow Allow from all</Proxy>ProxyRequests OffProxyPass / ajp://jiraserver:8009/ProxyPassReverse / ajp://jiraserver:8009/
Missing a forward slash at the end of the URL will cause proxy errors - ensure this is in place!(Optional): Enable the site with the following:
# a2ensite jiraEnabling site jira.To activate the new configuration, you need to run: service apache2 reload This is only required if a new site has been created in favor of using the default.If using HTTP, skip to step 8. For HTTPS, the certificates need to be installed by copying the certificate and private key to the appropriate directories and the following will also need to be added to the site:
SSLProxyEngine OnInclude them in the Apache configuration, within the
VirtualHostas below:SSLCertificateFile /etc/ssl/certs/jira.crtSSLCertificateKeyFile /etc/ssl/private/jira.key- Reload the Apache configuration.
- Test by accessing Jira through Apache, for example http://jira.com or http://atlassian.com/jira.
Missing a forward slash at the end of the URL will cause proxy errors - ensure this is in place!Windows/Other OS
- Locate and edit the
httpd.conffile. Add the following inside the
VirtualHost, replacingjiraserverwith the hostname of the Jira server and also modifying the port if required.# Jira AJP Proxy Configuration:<Proxy *> Order deny,allow Allow from all</Proxy>ProxyRequests OffProxyPass / ajp://jiraserver:8009/ProxyPassReverse / ajp://jiraserver:8009/ Missing a forward slash at the end of the URL will cause proxy errors - ensure this is in place!If using HTTP, skip to step 5. For HTTPS, the certificates need to be installed by copying the certificate and private key to the appropriate directories and the following will also need to be added to the site:
SSLProxyEngine OnInclude them in the Apache configuration, within the
VirtualHostas below:SSLCertificateFile /etc/ssl/certs/jira.crtSSLCertificateKeyFile /etc/ssl/private/jira.key- Restart Apache.
- Test by accessing Jira through Apache, for example http://jira.com or http://atlassian.com/jira.
2.3 Redirect HTTP to HTTPS
This is an optional step and is only required if using HTTPS. It can be done by usingmod_rewrite(this module may require enabling),add the following to the HTTPVirtualHost:
RewriteEngine OnRewriteCond %{HTTPS} offRewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}Step 3: Configure Jira
- SetUse gzip compressiontoOFFas inConfiguring Jira options. GZIP compression is known to cause performance issues using a reverse-proxy, especially if the proxy is also compressing the traffic.
- Set theBase URLto be the FQDN that Jira will be accessed on, for examplehttp://jira.atlassian.com. This is also located inConfiguring Jira options.Jira can only be configured to respond to a single URL and the Base URL (as inConfiguring Jira options) must match the URL end-users are accessing. Misconfiguration of this may cause significant problems within Jira such as the Activity Stream and Dashboard Gadgets failing to function correctly.
- Test by accessing Jira on the FQDN (e.g.:http://jira.atlassian.com), ensuring that Jira is accessible and all dashboard gadgets correctly display.
Jira can only be configured to respond to a single URL and the Base URL (as inTroubleshooting
- Hijacked Sessions:Some users have reported problems with user sessions being hijacked when themod_cachemodule is enabled. If these problems are encountered, try disabling the
mod_cachemodule.This module is enabled by default in some Apache HTTP Server version 2 distributions. - Permission Denied Errors enabling
mod_proxy(andmod_jk) on Linux distros that use SELinux:Usershave reported 'permission denied' errors when trying to getmod_proxy(andmod_jk) working. Disabling SELinux (/etc/selinux/config) apparently fixes this. Running Mac OS X:Disablewebperfcache,which proxies port 80 by default. A user reported this as the likely cause of Jira session problems, in the form of users' identities becoming mixed up, as below.
Additionally we do not recommend using Max OS X as it is not supported, as in ourSupported platforms.
The OSX Servers enable webperfcache by default for Virtual Hosts, which for static content would be great, but for dynamic instances (which ALL of ours are) it is Evil and causes many issues.
Of note recently was the jira session issue. Also see :-
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/webperfcache.8.html
Unfortunately even if you disable webperfcache for a instance, if there is a single instanceenabled then all instances will still proxy through webperfcache with resulting session problems.
- Too many redirects:Both Tomcat & Apache are redirecting, when only one should be. Disable redirection in Tomcat (revert any changes as inRunning Jira over SSL or HTTPS) and check that there is only one redirection in Apache.
- General Problems:
- Clear the browser cache and try again.
- Ensure that Jira works as expected when running directly from Tomcat and bypassing Apache. For example, accessing
http://jiraserver:8080instead ofhttp://jira.atlassian.com. - Increase theLogLevelfor Apacheto debug and restart it.
- Attempt to access Jira and check theApache Log Filesfor any errors.
- Raise a question onAtlassian Answersfor assistance.
- 403 Forbidden error:
Add the
RequestHeader unset Authorizationline to the apache configuration page to disable authorization headers.<Location /jira> RequestHeader unset Authorization ProxyPreserveHost On ProxyPass http://jiraserver/jira ProxyPassReverse http://jiraserver/jira</Location>
See also
- Integrating Jira with Apache
- Integrating Jira with Apache using SSL
- Apache Virtual Host documentation
Last modified on Oct 6, 2021
Related content
- No related content found
Powered by Confluence and Scroll Viewport.
