  1. Bitbucket Data Center
  2. BSERV-5512

Stash integration functionality does not work properly when JIRA and Stash are behind SSL on subdomains


      Summary

      When JIRA and Stash are configured behind a reverse-proxy serving SSL on separate subdomains of the same domain, the following occurs:

      • The JIRA Development Panel does not appear
      • JIRA to Stash Triggers report as not being capable
      • The JIRA Capabilities Warning appears in the Project Administration screen

      Environment

      • Apache reverse-proxy is configured with the following VirtualHosts:
        <VirtualHost *:443>
        	ServerName jira.example.com
        	DocumentRoot "/usr/local/var/www/htdocs"
        	<Proxy *>
        		Order deny,allow
        		Allow from all
        	</Proxy>
        
        	SSLEngine on
        
        	SSLCertificateFile "/usr/local/etc/apache2/2.2/server.crt"
        	SSLCertificateKeyFile "/usr/local/etc/apache2/2.2/server.key"
        
        	ProxyRequests           Off
        	ProxyPreserveHost       On
        
        	ProxyPass               /	http://example:8080/
        	ProxyPassReverse        /	http://example:8080/
        </VirtualHost>
        
        <VirtualHost *:443>
        	ServerName stash.example.com
        	DocumentRoot "/usr/local/var/www/htdocs"
        	<Proxy *>
        		Order deny,allow
        		Allow from all
        	</Proxy>
        
        	SSLEngine on
        
        	SSLCertificateFile "/usr/local/etc/apache2/2.2/server.crt"
        	SSLCertificateKeyFile "/usr/local/etc/apache2/2.2/server.key"
        
        	ProxyRequests           Off
        	ProxyPreserveHost       On
        
        	ProxyPass               /	http://example:7990/
        	ProxyPassReverse        /	http://example:7990/
        </VirtualHost>
        
      • JIRA's server.xml:
                <Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" 
                    scheme="https" proxyName="jira.example.com" proxyPort="443" secure="true"/> 
        
      • Stash's server.xml:
                <Connector port="7990" protocol="HTTP/1.1"
                           connectionTimeout="20000"
                           useBodyEncodingForURI="true"
                           redirectPort="8443"
                           compression="on"
                           compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
                           proxyName="stash.example.com"
                           proxyPort="443"
                           scheme="https" />
        

      Steps to Reproduce

      1. Configure JIRA and Stash behind a reverse-proxy over SSL on separate subdomains. An easy way to do this is to map the hostnames to 127.0.0.1 in /etc/hosts and use the above Apache config.
      2. Access the Project Admin screen and click on Development Tools.
      3. Attempt to view the development panel of an issue with a linked commit.
      4. Attempt to add a workflow trigger.

      Expected Results

      1. The capabilities warning does not fail.
      2. The development panel appears for the issue.
      3. The workflow trigger capability check responds correctly.

      Actual Results

      All of those 3 actions fail with the attached errors.

      Workaround

      Either of the following will work around the problem:

      Notes

      This may be related to SNI in JIRA & Stash as per the attached issues.

        1. Capabilities Warning.png
          243 kB
          Daniel R
        2. Dev Panel.png
          281 kB
          Daniel R
        3. Workflow Trigger.png
          226 kB
          Daniel R

              Unassigned Unassigned
              dcurrie@atlassian.com Dave C