Secure Bitbucket behind HAProxy using SSL

Still need help?

The Atlassian Community is here for you.

Ask the community

This page describes how to establish a network topology in which the HAProxy server acts as a reverse proxy for Bitbucket Data Center and Server. Typically, such a configuration would be used when either when:

  1. Bitbucket is installed in a protected zone 'behind the firewall', and HAProxy provides a gateway through which users outside the firewall can access Bitbucket.
  2. Bitbucket needs to be served on protected ports (e.g. ports < 1024 on Linux). Bitbucket cannot access these ports directly as it must not be run as a privileged user (e.g root). In this case HAProxy can bind to these ports and forward the requests to Bitbucket.


The configuration described on this page results in a scenario where:

  • External client connections with HAProxy are secured using SSL. Connections between HAProxy and Bitbucket are unsecured.
  • Bitbucket and HAProxy run on the same machine.
  • Bitbucket is currently available at http://mycompany.com:7990/.
  • Bitbucket is to be made available at https://mycompany.com/bitbucket.

Stash_topo_nginx


Important considerations

  • We assume that you already have a running instance of HAProxy.
  • SSL certificates must be installed on the server machine.
  • Any existing links with other applications will need to be reconfigured using the new URL for Bitbucket.
  • Securing Git operations between the user's computer and Bitbucket is a separate consideration - see Enabling SSH access to Git.
  • It is also possible to get Bitbucket to directly use SSL without the help of a proxy as documented in Secure Bitbucket with Tomcat using SSL.

Note that the Atlassian Support Offering does not cover HAProxy integration, but you can get assistance with HAProxy from the Atlassian community on answers.atlassian.com, or from an Atlassian Expert.

Step 1: Set a context path for Bitbucket

Bitbucket and HAProxy need to be serving from the same context. Bitbucket is currently accessed at http://mycompany.com:7990. It needs to be changed to serve from http://mycompany.com:7990/bitbucket to match context https://mycompany.com/bitbucket.

  1. Locate the bitbucket.properties file in the shared directory of your <Bitbucket home directory>.

  2. Change the context path for Bitbucket by adding 

    server.context-path=/bitbucket
  3. Save the file.

Good to know

  • If you use a context path, it is important that the same path is appended to the context path of Bitbucket's base URL (Step 2). 
  • The context path for serving from the root context is path="" (i.e not path="/").

Step 2: Change Bitbucket's base URL

  1. Open a browser window and log into Bitbucket using an administrator account.
     
  2. Go to the Bitbucket administration area and click Server settings (under 'Settings'), and change Base URL to match the URL HAProxy will be serving. For this example, use https://mycompany.com/bitbucket.

Step 3: Configure the Tomcat Connector

Following our example, you need to configure these attributes that tell Tomcat how HAProxy is serving Bitbucket so it can generate correct URLs.

Locate the <Bitbucket home directory>/shared/bitbucket.properties file, and add the following: 

server.secure=true
server.scheme=https
server.proxy-port=443
server.redirect-port=443
server.proxy-name=mycompany.com


What these attributes do

  • proxyPort is set to 443 to indicate that HAProxy is accepting connections over on the standard HTTPS port 443. 
  • proxyName and scheme are are set to the values that HAProxy is serving Bitbucket over. 

  • secure attribute is also set to true to tell Bitbucket that the connection between the client and HAProxy is considered secure. 

  • redirectPort is set to 443 so that Tomcat knows how to send a user to a secure location when necessary (this is not really necessary in this example because this connector is already secure). 


For more information about configuring the Tomcat Connector, refer to the Apache Tomcat 7.0 HTTP Connector Reference.

Step 4: Configure HAProxy

Merge the example below into your HAProxy configuration (e.g /etc/haproxy/haproxy.cfg). This is a complete HAProxy 1.5.x configuration. Note that HAProxy 1.5.x or greater is required for SSL support. You can just take the bits that fit your needs. The important configuration is in the bitbucket_http_frontend and bitbucket_http_backend.

global
	log /dev/log local0
	log /dev/log local1 notice
	user haproxy
	group haproxy
	daemon
    ssl-default-bind-options no-sslv3
    maxconn 1000

defaults
	log	global
	mode http
	option httplog
	option dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
 
# Tells HAProxy to start listening for HTTPS requests. It uses the SSL key 
# and certificate found within certAndKey.pem. All requests will be routed 
# to the bitbucket_http_backend.
frontend bitbucket_http_frontend
    bind *:443 ssl crt /etc/haproxy/certAndKey.pem ciphers HIGH:!aNULL:!MD5
    default_backend bitbucket_http_backend
    # This is an optional rule that will redirect all requests to https://mycompany.com
    # to https://mycompany.com/bitbucket.
    redirect location /bitbucket if { path -i / }

# The bitbucket_http_backend simply forwards all requests onto http://mycompany.com:7990/. 
# It will only allow 50 concurrent connections to the server at once.
backend bitbucket_http_backend
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpchk
    server bitbucket01 mycompany.com:7990 maxconn 50

(Optional) Step 4: Redirect SSH connections 

HAProxy also has the ability to proxy all Bitbucket SSH traffic. See Setting up SSH port forwarding for details.


Last modified on Jul 26, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.