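Scenario

Add SSL certificate authentication in nginx and forward client requests to JIRA. JIRA itself then needs no certificate configured.

The configuration below assumes the following context:

JIRA, Confluence and Bitbucket need to be accessed over the HTTPS protocol.

The corresponding HTTPS certificate then has to be configured, and the layer it is configured at depends on your needs: either directly in JIRA, Confluence or Bitbucket, or in an nginx placed in front of them.

Configuring HTTPS generally requires opening port 443 or 8443.

For example: Confluence is accessed at http://confluene.hktxcn.com and now needs to be accessed over HTTPS, i.e. at https://confluene.hktxcn.com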

  • JIRA IP address: 10.10.1.1, port 8080; Confluence IP address: 10.10.1.1, port 8090
  • Nginx IP address: 20.20.1.1, port 80

Source

https://confluence.atlassian.com/jirakb/integrating-jira-with-nginx-426115340.html

Step 1: Modify the configuration file server.xml

...

<!-- Comment out the following -->

        <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
     

...


Configuring with Nginx

Configure the nginx server block

The content in red is what has been configured

server {
    listen  80;
    server_name confluence.hktx.com;
 
    listen 443 default ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;   ## server certificate
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;   ## private key for the certificate
 
    ssl_session_timeout  5m;

    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://10.10.1.1:8090;
    }
}

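Configure server.xml for JIRA/Confluence

Normally you can comment out the originally configured Connector; another Connector can be found further down in the server.xml file.

Fill in the following (using JIRA as the example). The server.xml file is in the conf directory under the installation directory.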

      <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                   proxyName="confluence.hktx.cn" proxyPort="443"/>
      
        <!--
         ========
         AJP - Proxying Jira via Apache over HTTP or HTTPS
         If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
         See the following for more information:
            Apache - https://confluence.atlassian.com/x/QiJ9MQ
         ========
        -->
        <!--
        <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
        -->
        <Engine name="Catalina" defaultHost="localhost">
            <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
                <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                    <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                              factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                    <Manager pathname=""/>
                    <JarScanner scanManifest="false"/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
                </Context>
            </Host>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
        </Engine>
    </Service>
</Server>
<?xml version="1.0" encoding="utf-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
    <Service name="Catalina">
        <!--
         ========
         DEFAULT - Direct connector with no proxy for unproxied access to Jira.
         If using a http/https proxy, comment out this connector.
         ========
        -->
        <!-- Relaxing chars because of JRASERVER-67974 -->
<!-- Comment out the following -->

<!--

   <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
-->   
        <!--
         ========
         HTTP - Proxying Jira via Apache or Nginx over HTTP
         If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
         Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
         See the following for more information:
            Apache - https://confluence.atlassian.com/x/4xQLM
            nginx  - https://confluence.atlassian.com/x/DAFmGQ
         ========
        -->
        <!--
        <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
                   proxyName="<subdomain>.<domain>.com" proxyPort="80"/>
        -->
        <!--
         ========
         HTTPS - Proxying Jira via Apache or Nginx over HTTPS
         If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
         Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.
         See the following for more information:
            Apache - https://confluence.atlassian.com/x/PTT3MQ
            nginx  -

Configure bitbucket.properties for Bitbucket

The bitbucket.properties file is normally located in the shared directory; add the following to it:

server.port=443

server.ssl.enabled=true

server.scheme=https
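
For the nginx-fronted setup above, an added example (not part of the original page and not Atlassian's code): a Python check that an uncommented Tomcat Connector listens on the nginx proxy_pass port with scheme="https", secure="true", proxyPort="443" and a proxyName that nginx actually serves. The sample configs, the hostname wiki.example.com and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; wiki.example.com is a placeholder hostname.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" scheme="https" secure="true"
             proxyName="wiki.example.com" proxyPort="443"/>
</Service></Server>"""

NGINX_CONF = """
server {
    listen 443 ssl;
    server_name wiki.example.com;
    location / {
        proxy_pass http://10.10.1.1:8080;
    }
}
"""

def nginx_directive(conf, name):
    """Return the argument string of each occurrence of a simple nginx directive."""
    return re.findall(rf"^\s*{re.escape(name)}\s+([^;]+);", conf, re.M)

def check_proxy_pair(server_xml, nginx_conf):
    """Return a list of mismatches between server.xml and the nginx server block."""
    findings = []
    names = {n for a in nginx_directive(nginx_conf, "server_name") for n in a.split()}
    ports = set()
    for target in nginx_directive(nginx_conf, "proxy_pass"):
        m = re.search(r":(\d+)", target.split("//", 1)[-1])
        if m:
            ports.add(m.group(1))
    if not any("ssl" in a.split() for a in nginx_directive(nginx_conf, "listen")):
        findings.append("nginx: no listen directive with ssl")
    # ElementTree drops XML comments, so commented-out Connectors are not counted.
    active = [c for c in ET.fromstring(server_xml).iter("Connector")
              if c.get("port") in ports]
    if not active:
        findings.append("tomcat: no active Connector on the proxy_pass port")
    for c in active:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("tomcat: scheme/secure not set for HTTPS behind the proxy")
        if c.get("proxyName") not in names:
            findings.append(f"tomcat: proxyName {c.get('proxyName')!r} not in server_name")
        if c.get("proxyPort") != "443":
            findings.append(f"tomcat: proxyPort {c.get('proxyPort')!r}, expected '443'")
    return findings

if __name__ == "__main__":
    print(check_proxy_pair(SERVER_XML, NGINX_CONF) or "consistent")
```

An empty result means the two files agree; each string in the list names the attribute or directive to fix before restarting the application.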


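Configuring in the application

Configure server.xml for JIRA/Confluence

Normally you can comment out the originally configured Connector; another Connector can be found further down in the server.xml file.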

Fill in the following (using JIRA as the example). The server.xml file is in the conf directory under the installation directory.

<!-- keystorePass: certificate password; keystoreFile: certificate location -->
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25"
   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLSv1.2"
   sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
   URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"
   keystoreFile="<MY_CERTIFICATE_LOCATION>"/>

Normally, the keystoreFile should be a file of type .keystore

Configure bitbucket.properties for Bitbucket

The bitbucket.properties file is normally located in the shared directory; add the following to it:

server.port=8443
server.ssl.enabled=true
server.ssl.key-store=/path/to/keystore/bitbucket.jks
server.ssl.key-store-password=<password value>
server.ssl.key-password=<password value>






https://confluence.atlassian.com/

...

Step 2

...

Notes

ssl_certificate and ssl_certificate_key are set to the location where the certificate is stored

Here this means the response timeout is 5 minutes

...

bitbucketserver/secure-bitbucket-with-tomcat-using-ssl-776640127.html

https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html