SSL – Tomcat/JIRA redirects to HTTP when accessed by HTTPS through a Pound proxy

Tags: jira, pound, proxy, ssl, tomcat

I'm trying to get a JIRA install to work behind a Pound proxy that is doing SSL termination/"acceleration". Unfortunately it seems that JIRA (Coyote) is redirecting to HTTPS when accessed:

C:\Users\Josh>openssl s_client -connect www:443
...
---
GET /support HTTP/1.1
Host: www

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www/support/
Transfer-Encoding: chunked
Date: Sat, 21 Jul 2012 16:05:03 GMT

0

I can't figure out how to stop this… This is my Pound config:

ignorecase 1

listenhttps
  address 10.3.0.12
  port 443
  cert "/usr/local/etc/bundle.pem"

  service
    headrequire "Host: www"
    url "/support.*"
    backend
      address 10.3.0.16
      port 8080
    end
    session
      type cookie
      ttl 1800
      id "X-SA"
    end
  end
end

Is there any setting in Tomcat or JIRA that would affect this?

Best Answer

Glad you got it working. I'll try and add a bit of color to this in the event it's useful. When terminating SSL with an upstream device (a proxy, load balancer, etc.), the downstream service won't know this. So your Tomcat was seeing normal HTTP traffic, specifically for a URI of just "/". At this point, Tomcat is doing a self-referential redirect to /support/, where the application is configured.

When it does this, it builds the URI to use http://... instead of https://, as it's got literally no idea about the upstream proxy that is doing SSL. By adding the proxyPort and proxyName directives, above, you've given Tomcat explicit awareness of an upstream device, so it'll now rebuild those redirects using https://, which will work.

--Matt
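
A Connector definition matching the setup in the question, as an added example rather than configuration posted by the asker or the answerer. The host name www and ports 8080 and 443 come from the question; scheme and secure are standard Tomcat Connector attributes that the answer does not name, assumed here so that generated redirects and secure-cookie decisions reflect the HTTPS front end.

```xml
<!-- conf/server.xml of the Tomcat instance that runs JIRA (added example) -->

<!--
  Before: a plain HTTP connector. Tomcat sees only the clear-text hop from
  Pound, so a redirect such as /support to /support/ is emitted as
  Location: http://www/support/ and the browser leaves HTTPS.

  <Connector port="8080" protocol="HTTP/1.1" />
-->

<!--
  After: the connector is told what the client-facing endpoint looks like.
    proxyName  host name returned by request.getServerName()
    proxyPort  port returned by request.getServerPort()
    scheme     scheme used when Tomcat builds absolute URLs
    secure     makes request.isSecure() return true, so the application
               treats the session as arriving over TLS
-->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="www"
           proxyPort="443"
           scheme="https"
           secure="true" />
```

Because this connector reports every request as secure, port 8080 on 10.3.0.16 should accept connections only from the Pound host (10.3.0.12); a client that reaches it directly would be treated as if it had arrived over TLS.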