Jira Data Center / JRASERVER-60167

Connector redirect to proxy FQDN doesn't work in JIRA 7.1+


    • Type: Bug
    • Resolution: Not a bug
    • Priority: Low
    • Affects versions: 7.1.0, 7.1.1

      Summary

      When JIRA is set up to run behind Apache HTTP Server with SSL, as per our documentation (https://confluence.atlassian.com/jira/integrating-jira-with-apache-using-ssl-203395380.html), the redirection to the proxy FQDN does not work.
      Referring to step 7 of Configure Tomcat:

      Test that the new connector is working by accessing JIRA on the appropriate proxy connector, for example http://jiraserver:8080/. This should redirect to the proxy FQDN (in this example, https://jira.atlassian.com), which will fail as the proxy is not yet configured. The test is to ensure Tomcat is set up to correctly redirect to the proxy.

      In JIRA 7.1.0 and 7.1.1, accessing the non-proxy port directly does not trigger the redirect; you can access JIRA over localhost:8080/.
      This does not happen on JIRA 7.0.9 or 6.4.12.

      Environment

      • JIRA 7.1.0 or newer.

      Steps to Reproduce

      1. Install JIRA 7.1.0, and configure its connector:
        <Connector port="8082"
        
                           maxThreads="150"
                           minSpareThreads="25"
                           connectionTimeout="20000"
        
                           enableLookups="false"
                           maxHttpHeaderSize="8192"
                           protocol="HTTP/1.1"
                           useBodyEncodingForURI="true"
                           redirectPort="443"
                           acceptCount="100"
                           disableUploadTimeout="true"
        
                           proxyName="test.dleng.org"
                           proxyPort="443"
                           scheme="https"
                           secure="true"/>
        
      2. Set up Apache HTTP server:
        <VirtualHost *:443>
                <Proxy *>
                  Order deny,allow
                  Allow from all
                </Proxy>
                SSLEngine               On
                SSLProxyEngine          On
                ProxyRequests           Off
        
                ServerName test.dleng.org
        
                ProxyPass               /       http://localhost:8082/
                ProxyPassReverse        /       http://localhost:8082/
        
                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile /etc/apache2/extra/example.org/apache.crt
                SSLCertificateKeyFile /etc/apache2/extra/example.org/apache.key
        </VirtualHost>
        

        You can generate the self-signed certificate and key with:

        sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.org/apache.key -out example.org/apache.crt
        

      Expected Results

      Accessing http://localhost:8082/ should redirect you to https://test.dleng.org/

      Actual Results

      1. While JIRA is still starting up, the redirect to proxy works just fine. Accessing via http://localhost:8082/ redirects to https://test.dleng.org/
      2. After JIRA starts up successfully, notice that the redirect doesn't work anymore. You can access JIRA via http://localhost:8082.
        Additional behaviours include being unable to log in if you access via localhost.
      3. The following appears in the atlassian-jira.log:
        2016-03-12 16:17:47,112 http-nio-8082-exec-15 WARN anonymous 977x33x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false
        2016-03-12 16:17:47,160 http-nio-8082-exec-16 WARN anonymous 977x34x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false
        
      4. A warning appears below the UI, with the message:
        We've detected a potential problem with JIRA's Dashboard configuration that your administrator can correct. Hide
        Dashboard Diagnostics: Mismatched URL Scheme
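
Added example, not part of the original report or Atlassian's code: because the connector port still serves JIRA directly, the XsrfResourceFilter warnings shown in step 3 can be used to find clients that reached Tomcat without going through the Apache proxy. The function names, the third and fourth sample lines, and the reliance on Tomcat's `http-nio-<port>-exec-<n>` thread naming are assumptions of this sketch.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Format of the XsrfResourceFilter warnings quoted in the report.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) WARN (?P<user>\S+) \S+ \S+ (?P<client>\S+) \S+ "
    r"\[[^\]]*XsrfResourceFilter\] Additional XSRF checks failed for request: "
    r"(?P<request>\S+) , origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+) ,")
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def find_mismatches(lines):
    """One finding per warning whose browser Origin differs from the request URL
    that Tomcat built from the connector's proxyName/proxyPort/scheme."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or origin_of(m["request"]) == origin_of(m["origin"]):
            continue
        # Assumption: NIO worker threads are named http-nio-<connector port>-exec-<n>.
        t = re.match(r"http-nio-(\d+)-exec-", m["thread"])
        seen = origin_of(m["origin"])
        findings.append({"time": m["ts"], "client": m["client"], "seen": seen,
                         "expected": origin_of(m["request"]),
                         # Origin port equal to the connector port: proxy was bypassed.
                         "bypassed_proxy": bool(t) and seen[2] == int(t.group(1))})
    return findings

def direct_clients(findings):
    """Count proxy-bypassing requests per (client address, origin host)."""
    return Counter((f["client"], f["seen"][1]) for f in findings if f["bypassed_proxy"])

# Entries 1-2 reproduce the report's log lines; entries 3-4 are constructed.
_FMT = ("{t} http-nio-8082-exec-{n} WARN anonymous {r} - {ip} /rest/webResources/1.0/resources "
        "[c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for "
        "request: https://test.dleng.org/rest/webResources/1.0/resources , origin: {o} , "
        "referrer: {o}/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false")
SAMPLE = [
    _FMT.format(t="2016-03-12 16:17:47,112", n=15, r="977x33x1", ip="0:0:0:0:0:0:0:1", o="http://localhost:8082"),
    _FMT.format(t="2016-03-12 16:17:47,160", n=16, r="977x34x1", ip="0:0:0:0:0:0:0:1", o="http://localhost:8082"),
    _FMT.format(t="2016-03-12 16:20:01,003", n=3, r="980x40x1", ip="203.0.113.7", o="https://other.example"),
    "2016-03-12 16:20:02,000 main INFO constructed unrelated line",
]
```

A finding with `bypassed_proxy` set to false, like the third sample entry, is a cross-origin request that arrived through the proxy rather than direct connector access.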
        

      Additional notes

      It didn't happen in 7.0.9, which uses the same Tomcat and Java version as 7.1.0.

      Resolution

      Not a bug. It's a new behavior of JIRA 7.1. The root page no longer redirects.

              Assignee: Unassigned
              Reporter: Daniel Leng (Inactive)
              Votes: 0
              Watchers: 12