- Bug
- Resolution: Not a bug
- Low
- None
- 7.1.0, 7.1.1
- None
- 7.01
Summary
When JIRA is set up to run behind Apache HTTP Server with SSL, as per our documentation (https://confluence.atlassian.com/jira/integrating-jira-with-apache-using-ssl-203395380.html), the redirection to the proxy FQDN does not work.
Referring to step 7 of Configure Tomcat:
Test that the new connector is working by accessing JIRA on the appropriate proxy connector, for example http://jiraserver:8080/. This should redirect to the proxy FQDN (in this example, https://jira.atlassian.com), which will fail as the proxy is not yet configured. The test is to ensure Tomcat is set up to correctly redirect to the proxy.
In JIRA 7.1.0 and 7.1.1, accessing the non-proxy port directly does not trigger the redirect. You can access JIRA over localhost:8080/.
This does not happen on JIRA 7.0.9 or 6.4.12.
Environment
- JIRA 7.1.0 or newer.
Steps to Reproduce
- Install JIRA 7.1.0, and configure its connector:
    <Connector port="8082"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="443"
               acceptCount="100"
               disableUploadTimeout="true"
               proxyName="test.dleng.org"
               proxyPort="443"
               scheme="https"
               secure="true"/>
- Set up Apache HTTP server:
    <VirtualHost *:443>
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        SSLEngine On
        SSLProxyEngine On
        ProxyRequests Off
        ServerName test.dleng.org
        ProxyPass / http://localhost:8082/
        ProxyPassReverse / http://localhost:8082/
        # A self-signed (snakeoil) certificate can be created by installing
        # the ssl-cert package. See
        # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        # If both key and certificate are stored in the same file, only the
        # SSLCertificateFile directive is needed.
        SSLCertificateFile /etc/apache2/extra/example.org/apache.crt
        SSLCertificateKeyFile /etc/apache2/extra/example.org/apache.key
    </VirtualHost>
You can generate the self-signed certificate and key with:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.org/apache.key -out example.org/apache.crt
Expected Results
Accessing http://localhost:8082/ should redirect you to https://test.dleng.org/
Actual Results
- While JIRA is still starting up, the redirect to proxy works just fine. Accessing via http://localhost:8082/ redirects to https://test.dleng.org/
- After JIRA starts up successfully, notice that the redirect doesn't work anymore. You can access JIRA via http://localhost:8082.
Additional behaviours include being unable to log in if you access via localhost.
- The following appears in the atlassian-jira.log:
    2016-03-12 16:17:47,112 http-nio-8082-exec-15 WARN anonymous 977x33x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false
    2016-03-12 16:17:47,160 http-nio-8082-exec-16 WARN anonymous 977x34x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false
- A warning message appears below the UI, with message:
We've detected a potential problem with JIRA's Dashboard configuration that your administrator can correct. Hide Dashboard Diagnostics: Mismatched URL Scheme
Additional notes
It didn't happen in 7.0.9, which uses the same Tomcat and Java version as 7.1.0.
Resolution
Not a bug. It's a new behavior of JIRA 7.1. The root page no longer redirects.
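The XsrfResourceFilter warnings quoted under Actual Results record both the URL JIRA built from the connector's proxyName/proxyPort/scheme and the origin the browser actually used, so they can be used to find clients that reach the Tomcat connector directly instead of through the proxy. The following is an added example, not part of the original report or of JIRA; the function names are hypothetical, and the last two sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Format of the XsrfResourceFilter warning quoted in this report.
XSRF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*?XsrfResourceFilter\] "
    r"Additional XSRF checks failed for request: (?P<request>\S+) , "
    r"origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+) ,"
)

def site(url):
    """Return (scheme, host, port) with default ports filled in, or None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed port in a logged URL
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), port or (443 if parts.scheme == "https" else 80))

def direct_access_hits(lines):
    """Yield (timestamp, origin, request) for warnings whose browser origin differs
    from the proxy-derived request URL, which suggests the proxy was not used."""
    for line in lines:
        m = XSRF_RE.search(line)
        if not m:
            continue
        origin, request = site(m["origin"]), site(m["request"])
        if origin and request and origin != request:
            yield m["ts"], m["origin"], m["request"]

def summarize(lines):
    """Count hits per origin so the address used to reach JIRA directly stands out."""
    return Counter(origin for _, origin, _ in direct_access_hits(lines))

# First two lines are from this report; the last two are constructed for the example.
SAMPLE_LOG = [
    "2016-03-12 16:17:47,112 http-nio-8082-exec-15 WARN anonymous 977x33x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false",
    "2016-03-12 16:17:47,160 http-nio-8082-exec-16 WARN anonymous 977x34x1 - 0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: http://localhost:8082 , referrer: http://localhost:8082/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false",
    "2016-03-12 16:20:01,004 http-nio-8082-exec-3 WARN anonymous 980x41x1 - 10.0.0.5 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://test.dleng.org/rest/webResources/1.0/resources , origin: https://test.dleng.org , referrer: https://test.dleng.org/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false",
    "2016-03-12 16:20:05,310 http-nio-8082-exec-4 INFO anonymous 980x42x1 - 10.0.0.5 /secure/Dashboard.jspa [constructed.example.Logger] unrelated message",
]

if __name__ == "__main__":
    for origin, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count} request(s) reached JIRA directly from origin {origin}")
```

Origins that appear in the summary are addresses from which the connector port is reachable without TLS; warnings whose origin matches the proxy site are left out.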
- is superseded by
  - JRASERVER-60313 Update "Integrating JIRA with Apache using SSL" to clarify in which cases, the redirect will happen. (Closed)
- relates to
  - JRASERVER-63472 Proxy Redirection still did not work even with Context Path (Gathering Impact)