HSTS configuration blocks Jira from redirecting HTTP connections to HTTPS
The application is not able to redirect connections after the redirect is configured by following the steps in Running Jira applications over SSL or HTTPS.
There are no clear errors in the logs; the redirection just does not work and leaves the user with a black page.
HSTS headers (Strict-Transport-Security) are enforced in a few Jira releases (8.5.11, 8.13.3, 8.14.1, 8.15.0) to address some security concerns.
Note: The redirection fails because Jira enforces the HSTS headers, so the Jira domain is added to the HSTS domain security policies, while Jira is hosted on non-default HTTP and HTTPS ports. This shows up when a CA-signed SSL certificate is in use (not a self-signed SSL certificate, as HSTS requires the certificate to be a trusted certificate).
We recommend using a proxy to make the redirections work. This is the best approach for applications that are open to external connections.
For applications that are not open to external connections, we have a workaround that disables HSTS checks.
To revert to the previous behavior, add the JVM parameter -Dcom.atlassian.jira.strict.transport.security.disabled=true to Jira, as described in Setting properties and options on startup.
A HAR file taken during a redirection attempt will show us the redirection request receiving a 307 error and having the following HTTP headers.
If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com.
The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
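The following added example (not Atlassian's code) shows why non-default ports matter: under RFC 6797 section 8.3 the browser's HSTS upgrade changes the scheme but keeps any explicit port other than 80, so a request to the plain-HTTP connector port is retried as HTTPS on that same port. It also scans a HAR for 307 responses that match this upgrade. The host name, ports and HAR fragment are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

def hsts_upgrade(url):
    """Rewrite an http:// URL the way a browser does for a known HSTS host
    (RFC 6797, section 8.3): scheme becomes https, port 80 becomes 443,
    and any other explicit port is kept unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname
    if parts.port in (None, 80):
        netloc = host                      # default port: https implies 443
    else:
        netloc = f"{host}:{parts.port}"    # non-default port is preserved
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def find_hsts_redirects(har):
    """Return request URLs in a HAR whose 307 response just points at the
    HSTS-upgraded form of the same URL, i.e. a browser-internal redirect."""
    hits = []
    for entry in har["log"]["entries"]:
        resp = entry["response"]
        headers = {h["name"].lower(): h["value"] for h in resp["headers"]}
        url = entry["request"]["url"]
        if resp["status"] == 307 and headers.get("location") == hsts_upgrade(url):
            hits.append(url)
    return hits

# Constructed HAR fragment (hypothetical host and ports, not from the page).
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"url": "http://jira.example.com:8080/secure/Dashboard.jspa"},
   "response": {"status": 307, "headers": [
     {"name": "Location",
      "value": "https://jira.example.com:8080/secure/Dashboard.jspa"}]}},
  {"request": {"url": "https://jira.example.com:8443/login.jsp"},
   "response": {"status": 200, "headers": []}}
]}}
""")

if __name__ == "__main__":
    for u in find_hsts_redirects(SAMPLE_HAR):
        print(f"{u} -> {hsts_upgrade(u)} (same port, now expecting TLS)")
```

A hit on a non-default port means the request never reached Jira's own HTTP-to-HTTPS redirect, which is consistent with the recommendation above to put a proxy in front of the application.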