Jira Service Desk is a great helpdesk tool. Unfortunately, it listens on port 8080 by default and does not have HTTPS built in as of Feb 2020.

This may be alright if you use it as an internal tool, but it is neither convenient nor secure if you open it to clients.

I found it convenient to use Apache as the reverse proxy to achieve both. First, Apache rewrites HTTP requests to HTTPS. Second, it reverse proxies HTTPS (port 443 by default on Apache) to HTTP on port 8080 (Tomcat).

Environment
  • CentOS 7
  • httpd with the ssl module installed; see https://frankfu.click/security/security-basic/deploy-https-on-redhat-with-apache.html if you have not done this yet.
  • Jira 8.7.1

When you do the configuration, however, you work in the reverse order:

Configure the Atlassian applications

This section describes how to update the proxy configuration of the Tomcat web server bundled with each Atlassian application to run behind an SSL-enabled reverse proxy.

1. Stop the Atlassian applications

Stopping the application also stops Tomcat. Use the command:

sudo service jira stop

2. Update the Connector configuration

In /opt/atlassian/jira/conf, find the section <Service name="Catalina">. Below it there is a section like:

        <Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;" useBodyEncodingForURI="true"/>
Comment it out, like this:
<!--
        <Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;" useBodyEncodingForURI="true"/>

-->
Then find the section "HTTPS - Proxying Jira via Apache or Nginx over HTTPS", uncomment it, and modify it into:
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
  maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
  maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
  acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
  proxyName="your.domain.name" proxyPort="443"/>
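
A quick check of the edited file before restarting Jira, as an added example that is not part of the original post: it confirms that exactly one uncommented Connector on port 8080 exists and that it carries the proxy attributes shown above. The function name, the sample file and its mistyped proxyName are constructed for illustration.

```sh
#!/bin/sh
# lint_connector FILE HOST: check the live port-8080 Connector in a server.xml
# ("-" reads stdin) against the proxy attributes this setup relies on.
lint_connector() {
    awk -v want="$2" '
        # Value of attribute name inside element text el, or "" if absent.
        function attr(el, name,    re) {
            re = "[ \t]" name "=\"[^\"]*\""
            if (!match(el, re)) return ""
            return substr(el, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        }
        { doc = doc " " $0 }        # join lines, elements span several
        END {
            # Drop XML comments so a commented-out Connector is not counted.
            while ((i = index(doc, "<!--")) > 0) {
                j = index(substr(doc, i), "-->")
                if (j == 0) break
                doc = substr(doc, 1, i - 1) substr(doc, i + j + 2)
            }
            while (match(doc, /<Connector[^>]*>/)) {
                el = substr(doc, RSTART, RLENGTH)
                doc = substr(doc, RSTART + RLENGTH)
                if (attr(el, "port") != "8080") continue
                live++
                if (attr(el, "scheme") != "https")  print "scheme is not https"
                if (attr(el, "secure") != "true")   print "secure is not true"
                if (attr(el, "proxyPort") != "443") print "proxyPort is not 443"
                if (attr(el, "proxyName") != want)
                    print "proxyName=" attr(el, "proxyName") " expected " want
            }
            if (live != 1) print "active Connectors on port 8080: " (live + 0)
        }' "$1"
}

# Constructed sample: old Connector commented out, proxy one live, proxyName mistyped.
sample_server_xml() {
    cat <<'EOF'
<Service name="Catalina">
<!--
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
-->
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
    secure="true" scheme="https" proxyName="you.domain.name" proxyPort="443"/>
</Service>
EOF
}

sample_server_xml | lint_connector - your.domain.name
```

No output means the Connector matches; each printed line names one attribute to correct.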

Start Jira Service Desk with the command:

sudo service jira start

Check if jira is listening on 8080:

sudo netstat -lpn

[sudo] password for frank: 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1343/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::80                   :::*                    LISTEN      18095/httpd
tcp6       0      0 :::8080                 :::*                    LISTEN      16349/java

Now Jira is running on 8080.

Setup https in the Apache
Request certificate via certbot

 

Here we will use apache with certbot, so we can renew the cert every 100 days easily:

Install certbot here: https://frankfu.click/security/security-basic/deploy-https-on-redhat-with-apache.html

Since the data folder is not on Apache, the automatic mode cannot create a verification file and does not work for us, so we need to use manual mode. Open your domain registrar portal, ready to create a TXT record:

sudo certbot-2 certonly --manual -d your.domain.name --preferred-challenges dns

It will show you a TXT record named "_acme-challenge" and the desired value.

Then create a TXT record named "_acme-challenge" with the value shown above.

Once finished, it will create key files under /etc/letsencrypt/live/your.domain.name/

Configure HTTPS:

Type the command:

sudo certbot-2 --apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your.domain.name
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Select 1 for your domain name.

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (limit ~5 per 7 days)

Select 1 because we already have the cert.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select 2 and hit enter.

Then you will see the congratulations message. It basically does the following:

  • Copy the vhost section for your.domain.name from /etc/httpd/conf.d/ssl.conf to /etc/httpd/conf.d/ssl-le-ssl.conf
  • Redirect HTTP traffic to HTTPS by adding the two lines below:
RewriteCond %{SERVER_NAME} =your.domain.name
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

If you want to enable https for all sites on your server, change RewriteCond %{SERVER_NAME} =your.domain.name to RewriteCond %{HTTPS} !=on

Configure Reverse Proxy

All we need to do is create a reverse proxy in apache:

sudo vi /etc/httpd/conf.d/ssl-le-ssl.conf

Add or edit the lines below within the VirtualHost section:

ProxyRequests Off

<Proxy *>
 Require all granted
</Proxy>

ProxyPass / http://your.domain.name:8080/
ProxyPassReverse / http://your.domain.name:8080/

The backend URLs use http because the Tomcat connector on port 8080 speaks plain HTTP; HTTPS ends at Apache.

By default, SELinux on CentOS prevents Apache from initiating outbound connections, so it is unable to proxy requests to the Tomcat server.

Resolution

Run the following command on the server to allow apache to make outbound connections.

/usr/sbin/setsebool -P httpd_can_network_connect 1

Now if you open http://your.domain.name in your browser, it should redirect to https://your.domain.name and show the Service Desk Tomcat instance.
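
The netstat listing earlier on this page shows Tomcat listening on :::8080, that is, on every interface, so clients can still reach Jira over plain HTTP on port 8080 and bypass Apache. The following check is an added example, not part of the original post; it flags any listener on a given port that is not bound to loopback, and its sample input is constructed from that listing.

```sh
#!/bin/sh
# exposed_listeners PORT: read `netstat -lpn` output on stdin and print
# "address program" for every TCP listener on PORT not bound to loopback.
exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")              # port is the last ":" field
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host ~ /^127\./ || host == "::1") next
            print host, $7
        }'
}

# Constructed sample input, modelled on the listing shown earlier on this page.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1343/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      18095/httpd
tcp6       0      0 :::443                  :::*                    LISTEN      18095/httpd
tcp6       0      0 :::8080                 :::*                    LISTEN      16349/java
EOF
}

# Prints ":: 16349/java": Tomcat answers plain HTTP on every interface.
sample_netstat | exposed_listeners 8080
# On a live host: sudo netstat -lpn | exposed_listeners 8080
```

If it reports a listener, block port 8080 in the host firewall, or bind the Connector to loopback with address="127.0.0.1" and point ProxyPass at http://127.0.0.1:8080/.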


Troubleshooting


Server startup logs are located in /opt/atlassian/jira/logs/catalina.out

Using CATALINA_BASE:   /opt/atlassian/jira

Using CATALINA_HOME:   /opt/atlassian/jira

Using CATALINA_TMPDIR: /opt/atlassian/jira/temp

Using JRE_HOME:        /opt/atlassian/jira/jre/

Using CLASSPATH:       /opt/atlassian/jira/bin/bootstrap.jar:/opt/atlassian/jira/bin/tomcat-juli.jar

Using CATALINA_PID:    /opt/atlassian/jira/work/catalina.pid

Apache logs: 

/var/log/httpd/error_log

/var/log/httpd/access_log
