Integrating JIRA/JIRA Data Center with AWS ELB - HTTP, HTTPS, and redirection

Still need help?

The Atlassian Community is here for you.

Ask the community

This article only applies to JIRA Server (including JIRA Data Center), as opposed to JIRA Cloud.

Atlassian applications allow the use of reverse-proxies within our products, however, Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian cannot guarantee to provide any support for them.

If assistance with configuration is required, please raise a question on the Atlassian Community.

tip/resting Created with Sketch.

This article describes how AWS ELB can be configured as a reverse proxy/load balancer for JIRA/JIRA Data Center installed on AWS EC2 environment.

It's a bonus if you're familiar with Integrating JIRA with Apache or Nginx, as well as Installing JIRA Data Center, in your own system environment.

This article uses a sample URL without context path: https://jira.aws.elb (as well as http://jira.aws.elb for HTTP). It doesn't matter whether your JIRA URL has a context path or not, but the domain name (jira.aws.elb in this example) that you're going to use must resolve to your AWS ELB.

1. Configure AWS Security Groups

In the context of this article, the following ports must be allowed in your AWS Security Groups for your EC2 instance/s:

  1. 8080
  2. 8081
  3. 8082
  4. 80

This will allow us to test JIRA accessibility as well as enable ELB to communicate with JIRA in your EC2 instance/s.

2. Configure Tomcat

  1. Configure the Tomcat Connectors so we have one or two serving as Proxy Connector/s and another for bypassing proxy (for troubleshooting purpose). This is done in the same JIRA_Install/conf/server.xml file, locating this code segment (the only connector enabled by default):

    <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>
  2. Make 2 copies of the above connector and modify all the 3 as follows:

    <!--
    1. Add proxyName and proxyPort to the original connector that uses port 8080
     - This connector is to be used for HTTP access via AWS ELB
    -->
    <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"
    proxyName="jira.aws.elb" proxyPort="80"/>
     
    <!--
    2. Add proxyName, proxyPort, scheme, and secure to the second connector - modify it to use port 8081
     - This connector is to be used for HTTPS access via AWS ELB
    -->
    <Connector port="8081" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"
    proxyName="jira.aws.elb" proxyPort="443" scheme="https" secure="true"/>
     
    <!--
    3. Modify the third connector to use port 8082 without adding anything else
     - This connector is to be used for bypassing proxy e.g. JIRA can be accessed directly via http://ec2-hostname:8082
    -->
    <Connector port="8082" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>
  3. Restart JIRA and ensure it can be accessed via (all bypassing proxy):

3. Configure ELB for HTTP access

  1. From EC2 management, go to Target Groups and create a new Target Group as follows:
    • Name: ELB-HTTP-access
    • Protocol: HTTP
    • Port: 80

  2. Add Target/s to Target Group:
    • Select the above target group → open Targets tab → Edit
    • Select your JIRA instance that is running (if not, double check step 2.3 above)
    • Modify the Port to 8080
    • Add to registered

  3. From EC2 management, go to Load Balancers and create a new Load Balancer as follows:
    • Type: Application Load Balancer

      -Next-
    • Name: JIRA-ELB
    • Load Balancer Protocol: HTTP
    • Load Balancer Port: 80
    • Availability Zones: select the same VPC as your EC2 instance/s then choose 2 Availability Zones

      -Next-
    • Security Groups: select appropriate security groups

      -Next-
    • Target group: Existing target group
    • Name: ELB-HTTP-access

      -Next-
    • Review & Create

  4. Ensure that your load balancer is accessible via your domain name, jira.aws.elb in this example. How to configure this is beyond the scope of this article as well as Atlassian Support.
tip/resting Created with Sketch.

Once this is done, you should be able to access JIRA via http://jira.aws.elb which routes requests to http://ec2-hostname:8080.

4. Configure ELB for HTTPS access

  1. From EC2 management, go to Target Groups and create a new Target Group as follows:
    • Name: ELB-HTTPS-access
    • Protocol: HTTP
    • Port: 80

  2. Add Target/s to Target Group:
    • Select the above target group → open Targets tab → Edit
    • Select your JIRA instance that is running (if not, double check step 2.3 above)
    • Modify the Port to 8081
    • Add to registered

  3. From EC2 management, go to Load Balancers and edit the existing Load Balancer created in step 3.3:
    • Select the load balancer → open Listeners tab → Add listener

      -Next-
    • Protocol: HTTPS
    • Port: 443
    • Default Target Group: ELB-HTTPS-access
    • Choose or Upload your SSL certificate
tip/resting Created with Sketch.

Once this is done, you should be able to access JIRA via https://jira.aws.elb which routes requests to http://ec2-hostname:8081.


5. Configure HTTP-HTTPS redirection

There's not an easy way to configure this in the ELB itself. According to How do I redirect HTTP traffic on my server to HTTPS on my load balancer?, we will need an additional proxy service installed on an EC2 instance. In this example, we suggest using Nginx:

  1. Install Nginx on an EC2 instance. This can be the same instance where JIRA is installed. You may follow How To Install Nginx on Ubuntu 14.04 LTS and ensure Nginx is running on port 80.

  2. Modify Nginx config so that it will redirect requests from HTTP to HTTPS (modify server_name accordingly):

    server {
          listen         80;
          server_name    jira.aws.elb;
          if ($http_x_forwarded_proto != "https") {
              rewrite ^(.*)$ https://$server_name$REQUEST_URI permanent;
          }
    }
  3. Restart Nginx

  4. Edit ELB-HTTP-access target group (refer to step 3.2):
    • Remove the current target listening on port 8080
    • Select your EC2 instance where Nginx is running
    • Modify the Port to 80 (default)
    • Add to registered
tip/resting Created with Sketch.

Once this is done, you still can access https://jira.aws.elb directly. If you access http://jira.aws.elb instead, the followings will happen:

In other words, HTTP is redirected to HTTPS seamlesly.

6. How about JIRA Data Center

If you use JIRA Data Center, you can add all JIRA nodes to the target groups as in step 3.2 and/or 4.2. Just select the right instances and use the right Tomcat ports (you may want to configure Tomcat similarly for all nodes - refer to step 2).

You will also need to enable Load Balancer Stickiness, following these steps:

  1. Select the respective target group → open Description tab → Edit attributes
  2. Enable load balancer generated cookie stickiness
  3. Save
tip/resting Created with Sketch.

Once this is done, users will be routed to the registered targets (JIRA nodes) on a load balancing basis.

Notes

  • Most probably you would like JIRA to be accessible via HTTPS, with HTTP being redirected to HTTPS automatically. If so, you may skip step 3 and focus on steps 4 and 5. In such a case, refer to:
    • step 3.3 for how to create a load balancer - you will need to make necessary changes to Load Balancer Protocol and Port
    • step 3.1 and 3.2 for how to create a target group to be used in step 5.4
  • In any case, you can always reconfigure the Listeners (step 4.3) and Target Groups to meet your needs.
  • If you only want HTTPS without redirection, step 5 can be skipped.

Last modified on Nov 6, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.