Integrating JIRA with Apache

Atlassian applications allow the use of reverse-proxies within our products, however Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian can not guarantee providing any support for them.

If assistance with configuration is required, please raise a question on Atlassian Answers.

This page describes how to integrate Apache HTTP Server (also referred to as httpd) with JIRA, utilising mod_proxy so that Apache operates as a reverse-proxy over HTTP. If HTTPS configuration is required, please see our Integrating JIRA with Apache using SSL documentation. Configuring Apache allows for running JIRA on non-standard HTTP port (such as 8080) and users will be able to access JIRA over standard HTTP as their traffic will be routed through the proxy.

Apache can be configured to allow access to JIRA in any of the following methods:

This documentation will cover a straightforward implementation of mod_proxy using the above three configurations. If a more complication solution is required, refer to the Apache HTTP Server Version Documentation, consult with the Apache SME within your organisation and if need be raise a question on Atlassian Answers or look at getting in touch with one of our Atlassian Experts.

  Expand for an example of a common Apache configuration
  1. JIRA is running on port 8080 on a server within the LAN that cannot be accessed externally (the router/firewall is not forwarding port 8080 to it).
  2. Apache is set up on another server (or the same server as JIRA) that can be accessed externally on HTTP (80).
  3. Apache is then accessed over HTTP on the appropriate URL (VirtualHost), routing the traffic to and from the JIRA server.

On this page:

Step 1: Configure Tomcat

  1. Stop JIRA.
  2. Edit Tomcat's server.xml to include the required JIRA context path. The below example uses path="/jira" - this means JIRA is accessible on http://jiraserver:8080/jira given the default JIRA port is used.

    This step is only required if JIRA will be accessed on a context path, for example http://atlassian.com/jira. If this is not required, this step can be skipped.

            <Engine defaultHost="localhost" name="Catalina">
                <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
                    <Context docBase="${catalina.home}/atlassian-jira" path="/jira" reloadable="false" useHttpOnly="true">
    
                        <!--
                         ====================================================================================
                         Note, you no longer configure your database driver or connection parameters here.
                         These are configured through the UI during application setup.
                         ====================================================================================
                        -->
                        <Resource auth="Container" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60" name="UserTransaction" type="javax.transaction.UserTransaction"/>
                        <Manager pathname=""/>
                    </Context>
                </Host>

    (info) Ensure the path value is set with a prepending forward slash (/) . For example, path="/jira" rather than path="jira".

  3. Edit Tomcat's server.xml to include a separate connector to proxy the requests. This requires the proxyName & proxyPort attributes. Replace them with the appropriate domain and port of the proxy, as in the below example:

    <Service name="Catalina">
     
    	<!-- Apache Proxy Connector -->
            <Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" 
                proxyName="jira.atlassian.com" proxyPort="80"/> 
    
    	<!-- Standard HTTP Connector -->
            <Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8081" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"/>

    (info) The proxyName parameter should be set to the FQDN that the JIRA server will be accessed on - for example jira.example.com if accessing it on http://jira.example.com or example.com if accessing it on http://www.example.com/jira. It should not include the context path.

  4. Start JIRA.
  5. Test that JIRA is accessible on the normal connector, using a context path if applicable - for example http://jiraserver:8081/jira.
  6. Test that the new connector is working by accessing JIRA on the appropriate proxy connector, for example http://jiraserver:8080/. This should redirect to the proxy FQDN (in this example, http://jira.atlassian.com), which will fail as the proxy is not yet configured. The test is to ensure Tomcat is set up to correctly redirect to the proxy.

Step 2: Configure Apache HTTP Server

The installation of Apache and configuration of a DNS is not covered in this documentation. Additionally, it is assumed that Apache 2.2 has been installed and DNS entries have been configured for the JIRA domain. As Apache's configuration is specific to the operation system that is used, only some distributions and their configurations are currently documented.

2.1 Enable the Proxy Modules

Debian/Ubuntu
  Expand to see Debian/Ubuntu instructions
  1. Enable the module with the following:

    $ sudo a2enmod proxy_http
    Considering dependency proxy for proxy_http:
    Enabling module proxy.
    Enabling module proxy_http.
    To activate the new configuration, you need to run:
      service apache2 restart
  2. Restart Apache.
Windows/Other OS
  Expand to see Windows/Other OS instructions
  1. Locate and edit the httpd.conf file, adding the below lines:

    LoadModule proxy_module modules/mod_proxy.so 
    LoadModule proxy_connect_module modules/mod_proxy_connect.so 
    LoadModule proxy_http_module modules/mod_proxy_http.so
  2. Restart Apache.

2.2. Configure Apache to use those Modules

Debian/Ubuntu
  Expand to see Debian/Ubuntu instructions
  1. Switch into user root.
  2. Backup the existing site or create a new one. Creating a new site is not covered within this documentation (copying the default should be sufficient).
  3. Modify the existing site within $APACHE_INSTALL/sites-available, for example default.
  4. Add the following inside the VirtualHost, replacing jiraserver with the hostname of the JIRA server and also modifying the port if required.

    On its own domain or subdomain:
    # JIRA Proxy Configuration:
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass               /       http://jiraserver:8080/
    ProxyPassReverse        /       http://jiraserver:8080/

    (info) Missing a forward slash at the end of the URL will cause proxy errors - ensure this is in place!

    The configuration above is for Apache 2.2. In Apache 2.4 you should replace Order deny, allow Allow from all to Require all granted

    Using a context path:
    # JIRA Proxy Configuration:
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass               /jira       http://jiraserver:8080/jira
    ProxyPassReverse        /jira       http://jiraserver:8080/jira

    (info) The path used must be identical to the Tomcat context path. For example, forwarding /jira to /jira520 cannot be done without considerable rewrite rules that are not always reliable.

    The configuration above is for Apache 2.2. In Apache 2.4 you should replace Order deny, allow Allow from all to Require all granted

  5. (Optional): Enable the site with the following:

    # a2ensite jira
    Enabling site jira.
    To activate the new configuration, you need to run:
      service apache2 reload

    (info) This is only required if a new site has been created in favour of using the default.

  6. Reload the Apache configuration.
  7. Test by accessing JIRA through Apache, for example http://jira.com or http://atlassian.com/jira.
Windows/Other OS
  Expand to see Windows/Other OS instructions
  1. Locate and edit the httpd.conf file.
  2. Add the following inside the VirtualHost, replacing jiraserver with the hostname of the JIRA server and also modifying the port if required.

    On its own domain or subdomain:

    # JIRA Proxy Configuration:
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass               /       http://jiraserver:8080/
    ProxyPassReverse        /       http://jiraserver:8080/

    (info) Missing a forward slash at the end of the URL will cause proxy errors - ensure this is in place!

    The configuration above is for Apache 2.2. In Apache 2.4 you should replace Order deny, allow Allow from all to Require all granted

    Using a context path:

    # JIRA Proxy Configuration:
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass               /jira       http://jiraserver:8080/jira
    ProxyPassReverse        /jira       http://jiraserver:8080/jira

    (info) The path used must be identical to the Tomcat context path. For example, forwarding /jira to /jira520 cannot be done without considerable rewrite rules that are not always reliable.

    The configuration above is for Apache 2.2. In Apache 2.4 you should replace Order deny, allow Allow from all to Require all granted

  3. Restart Apache.
  4. Test by accessing JIRA through Apache, for example http://jira.com or http://atlassian.com/jira.

Step 3: Configure JIRA

  1. Set Use gzip compression to OFF as in Configuring JIRA Options. GZIP compression is known to cause performance issues using a reverse-proxy, especially if the proxy is also compressing the traffic.
  2. Set the Base URL to be the FQDN that JIRA will be accessed on, for example http://jira.atlassian.com. This is also located in Configuring JIRA Options.
    (warning) JIRA can only be configured to respond to a single URL and the Base URL (as in Configuring JIRA Options) must match the URL end-users are accessing. Misconfiguration of this may cause significant problems within JIRA such as the Activity Stream and Dashboard Gadgets failing to function correctly.
  3. Test by accessing JIRA on the FQDN (e.g.: http://jira.atlassian.com), ensuring that JIRA is accessible and all dashboard gadgets correctly display.

Troubleshooting

Hijacked Sessions

Some users have reported problems with user sessions being hijacked when the mod_cache module is enabled. If these problems are encountered, try disabling the mod_cache module. 
(info) This module is enabled by default in some Apache HTTP Server version 2 distributions.

Permission Denied Errors enabling mod_proxy (and mod_jk) on Linux distros that use SELinux

Users have reported 'permission denied' errors when trying to get mod_proxy (and mod_jk) working. See How to debug SELinux for information on how to debug SELinux.

Running Mac OS X

Disable webperfcache, which proxies port 80 by default. A user reported this as the likely cause of JIRA session problems, in the form of users' identities becoming mixed up, as below.
(warning) Additionally we do not recommend using Max OS X as it is not supported, as in our Supported Platforms.

The OSX Servers enable webperfcache by default for Virtual Hosts, which for static content would be great, but for dynamic sites (which ALL of ours are) it is Evil and causes many issues. 
Of note recently was the jira session issue. Also see :-
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/webperfcache.8.html
Unfortunately even if you disable webperfcache for a site, if there is a single site enabled then all sites will still proxy through webperfcache with resulting session problems.

Too many redirects

Both Tomcat & Apache are redirecting, when only one should be. Disable redirection in Tomcat (revert any changes as in Running JIRA over SSL or HTTPS) and check that there is only one redirection in Apache.

General Problems

  1. Clear the browser cache and try again.
  2. Ensure that JIRA works as expected when running directly from Tomcat and bypassing Apache. For example, accessing http://jiraserver:8080 instead of http://jira.atlassian.com.
  3. Increase the LogLevel for Apache to debug and restart it.
  4. Attempt to access JIRA and check the Apache Log Files for any errors.
  5. Raise a question on Atlassian Answers for assistance.

403 Forbidden error

Add the RequestHeader unset Authorization line to the apache configuration page to disable authorization headers.

<Location /jira>
  RequestHeader unset Authorization
  ProxyPreserveHost On
  ProxyPass http://jiraserver/jira
  ProxyPassReverse http://jiraserver/jira
</Location>

See Also

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport