Connector redirect to proxy FQDN doesn't work in JIRA 7.1+

Summary

When setting JIRA up to run behind Apache HTTP server with SSL, as per our documentation: https://confluence.atlassian.com/jira/integrating-jira-with-apache-using-ssl-203395380.html
The redirection to the proxy FQDN does not work.
Referring to step 7 of Configure Tomcat:

Test that the new connector is working by accessing JIRA on the appropriate proxy connector, for example http://jiraserver:8080/. This should redirect to the proxy FQDN (in this example, https://jira.atlassian.com), which will fail as the proxy is not yet configured. The test is to ensure Tomcat is set up to correctly redirect to the proxy.

In JIRA 7.1.0 and 7.1.1, accessing the non-proxy port directly does not trigger the redirect. You can access JIRA over localhost:8080/
This does not happen on JIRA 7.0.9 or 6.4.12.

Environment

• JIRA 7.1.0 or newer.

Steps to Reproduce

1. Install JIRA 7.1.0, and configure its connector:

   <Connector port="8082"
   
                      maxThreads="150"
                      minSpareThreads="25"
                      connectionTimeout="20000"
   
                      enableLookups="false"
                      maxHttpHeaderSize="8192"
                      protocol="HTTP/1.1"
                      useBodyEncodingForURI="true"
                      redirectPort="443"
                      acceptCount="100"
                      disableUploadTimeout="true"
   
                      proxyName="test.dleng.org"
                      proxyPort="443"
                      scheme="https"
                      secure="true"/>
   

2. Set up Apache HTTP server:

   <VirtualHost *:443>
           <Proxy *>
             Order deny,allow
             Allow from all
           </Proxy>
           SSLEngine               On
           SSLProxyEngine          On
           ProxyRequests           Off
   
           ServerName test.dleng.org
   
           ProxyPass               /       http://localhost:8082/
           ProxyPassReverse        /       http://localhost:8082/
   
           #   A self-signed (snakeoil) certificate can be created by installing
           #   the ssl-cert package. See
           #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
           #   If both key and certificate are stored in the same file, only the
           #   SSLCertificateFile directive is needed.
           SSLCertificateFile /etc/apache2/extra/example.org/apache.crt
           SSLCertificateKeyFile /etc/apache2/extra/example.org/apache.key
   </VirtualHost>
   

   You can generate the self-signed certificate and key with:

   sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.org/apache.key -out example.org/apache.crt
   

Expected Results

Accessing http://localhost:8082/ should redirect you to https://test.dleng.org/

Actual Results

1. While JIRA is still starting up, the redirect to proxy works just fine. Accessing via http://localhost:8082/ redirects to https://test.dleng.org/
2. After JIRA starts up successfully, notice that the redirect doesn't work anymore. You can access JIRA via http://localhost:8082.
   Additionally behaviours include being unable to log-in if you access via localhost.
3. The following appears in the atlassian-jira.log:

   2016-03-12 16:17:47,112 http-nio-8082-exec-15 WARN anonymous 977x33x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false
   2016-03-12 16:17:47,160 http-nio-8082-exec-16 WARN anonymous 977x34x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false
   

4. A warning message appears below the UI, with message:

   We've detected a potential problem with JIRA's Dashboard configuration that your administrator can correct. Hide
   Dashboard Diagnostics: Mismatched URL Scheme
   

Additional notes

It didn't happen in 7.0.9, which uses the same Tomcat and Java version as 7.1.0.

Resolution

Not a bug. It's a new behavior of JIRA 7.1. The root page no longer redirects.