It’s time to Use NGINX as the Standard Proxy Server for Atlassian’s JIRA
With NGINX now serving over 37% of the top 1000 websites it’s a great time to evaluate replacing Apache as the standard proxy server for Atlassian’s JIRA issue tracker. Two reasons you should consider NGINX:
- Configuration is fast and simple, saving you tons of time
- NGINX handles highly concurrent, long-lived connections out of the box, and uses significantly less resources to do so
JIRA is a Java application deployed in a Tomcat container, and is typically run by an un-privileged user on port 8080. Apache is often used as a proxy server in front of Tomcat, proxying HTTP/S requests and terminating SSL connections, but its configuration can be time consuming and error prone. With NGINX it takes just minutes to start serving JIRA behind a modern, powerful proxy server.
Here’s how in 3 steps:
Step 1: Serve Only Over HTTPS
The first thing we do is ensure we are only serving over HTTPS. Any requests to our JIRA server over HTTP will be redirected to the HTTPS equivalent.
server {
server_name jira.example.com;
listen 80;
location / {
return 301 https://$server_name$request_uri;
}
}
Step 2: Listen, Terminate, and Forward On
We then configure NGINX to listen for all HTTPS requests for JIRA, terminate the SSL connection, and forward the request on.
server {
listen 443 ssl;
server_name jira.example.com;
ssl_certificate /etc/ssl/certs/jira.example.com.pem;
ssl_certificate_key /etc/ssl/private/jira.example.com.key;
# NGINX usually only allows 1M per request. Increase this to JIRA's maximum attachment size (10M by default)
client_max_body_size 10M;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080;
}
}
Step 3: Tomcat Needs to Know…
We now let Tomcat know that we are proxying its requests, so that it can respond appropriately. If we do not update this configuration Tomcat will generate invalid addresses when it responds to requests, and the application will break. The Tomcat configuration is located in the application installation directory, in conf/server.xml
We are interested in the Connector descriptions.
It is often useful to have a non-proxied Connector configured in Tomcat, to allow bypassing the proxy when troubleshooting issues. Copy the default Connector and change the port to an available port such as 8081.
Add the following attributes to the pre-existing, default connector. They specify the address and protocol that the proxy will be serving JIRA on. Be sure to use your domain name in the proxyName attribute!
proxyName="jira.example.com" proxyPort="443" scheme="https" secure="true"
Your Connector description should now look something like this.
<connector acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" enablelookups="false" maxhttpheadersize="8192" maxthreads="150" minsparethreads="25" port="8080" protocol="HTTP/1.1" proxyname="jira.example.com" proxyport="443" redirectport="8443" scheme="https" secure="true" usebodyencodingforuri="true"></connector>
Finally, reload NGINX’s configuration and restart JIRA, and you are good to go!