Hello,
We currently use a single host to run a Confluence and JIRA server (Atlassian products) on port 8080 and 7080. We are not using SSL yet, and would like to set this up using Let's Encrypt. Let's Encrypt uses port 80 to renew its certificate once every 60 days or so.
Here is what we are trying to do:
1. All current traffic hitting port 8080 or 7080 gets transferred to HTTPS (443) and handed off to the correct application by reading the URL
2. We still allow port 80 to be open to Let's Encrypt so that it can automatically renew
3. Since JIRA and Confluence used to operate on port 8080 and 7080, we now have to proxy_pass them over to ports 8100 and 7100 respectively
I am running into an issue with the NGINX portion not correctly handing off, and I think there's an issue with my nginx.conf configuration.
Here it is. Please let me know if you notice anything wrong:
---
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
# tcp_nopush on;
# tcp_nodelay on;
keepalive_timeout 65;
# types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
index index.html index.htm;
gzip on;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/xml+rss;
# server_names_hash_bucket_size 128;
# Initial listener to hand off Let's Encrypt renewal
server {
listen 80 default_server;
server_name test.domain.com;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
}
#Second listener to redirect all HTTP traffic to HTTPS and over to the correct proxy_pass by reading the FQDN of the request
server {
listen 80;
return 301 https://$host$request_uri;
}
# Listener on port 8080 redirecting JIRA traffic to correct HTTPS handoff
server {
listen 8080;
return https://$host$request_uri;
}
# Listener on port 7080 redirecting Confluence traffic to correct HTTPS handoff
server {
listen 7080;
return https://$host$request_uri;
}
# Listener on 443 with proxy_pass setup to hand it off to port 8100 (new JIRA port)
server {
listen 443 ssl http2;
server_name test.domain.com;
location / {
proxy_pass http://localhost:8100;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}
## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;
}
ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
## SSL Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# Protocol and Cipher configuration
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS - instructs browsers to only connect to you via HTTPS in the future
add_header Strict-Transport-Security max-age=15768000;
resolver 8.8.8.8;
}
# Listener on 443 with proxy_pass setup to hand it off to port 7100 (new Confluence port)
server {
listen 443 ssl http2;
server_name test1.domain.com;
location / {
proxy_pass http://localhost:7100;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}
## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;
}
ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
## SSL Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# Protocol and Cipher configuration
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS - instructs browsers to only connect to you via HTTPS in the future
add_header Strict-Transport-Security max-age=15768000;
resolver 8.8.8.8;
}
}
We currently use a single host to run a Confluence and JIRA server (Atlassian products) on port 8080 and 7080. We are not using SSL yet, and would like to set this up using Let's Encrypt. Let's Encrypt uses port 80 to renew its certificate once every 60 days or so.
Here is what we are trying to do:
1. All current traffic hitting port 8080 or 7080 gets transferred to HTTPS (443) and handed off to the correct application by reading the URL
2. We still allow port 80 to be open to Let's Encrypt so that it can automatically renew
3. Since JIRA and Confluence used to operate on port 8080 and 7080, we now have to proxy_pass them over to ports 8100 and 7100 respectively
I am running into an issue with the NGINX portion not correctly handing off, and I think there's an issue with my nginx.conf configuration.
Here it is. Please let me know if you notice anything wrong:
---
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
# tcp_nopush on;
# tcp_nodelay on;
keepalive_timeout 65;
# types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
index index.html index.htm;
gzip on;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/xml+rss;
# server_names_hash_bucket_size 128;
# Initial listener to hand off Let's Encrypt renewal
server {
listen 80 default_server;
server_name test.domain.com;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
}
#Second listener to redirect all HTTP traffic to HTTPS and over to the correct proxy_pass by reading the FQDN of the request
server {
listen 80;
return 301 https://$host$request_uri;
}
# Listener on port 8080 redirecting JIRA traffic to correct HTTPS handoff
server {
listen 8080;
return https://$host$request_uri;
}
# Listener on port 7080 redirecting Confluence traffic to correct HTTPS handoff
server {
listen 7080;
return https://$host$request_uri;
}
# Listener on 443 with proxy_pass setup to hand it off to port 8100 (new JIRA port)
server {
listen 443 ssl http2;
server_name test.domain.com;
location / {
proxy_pass http://localhost:8100;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}
## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;
}
ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
## SSL Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# Protocol and Cipher configuration
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS - instructs browsers to only connect to you via HTTPS in the future
add_header Strict-Transport-Security max-age=15768000;
resolver 8.8.8.8;
}
# Listener on 443 with proxy_pass setup to hand it off to port 7100 (new Confluence port)
server {
listen 443 ssl http2;
server_name test1.domain.com;
location / {
proxy_pass http://localhost:7100;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}
## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;
}
ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
## SSL Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# Protocol and Cipher configuration
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS - instructs browsers to only connect to you via HTTPS in the future
add_header Strict-Transport-Security max-age=15768000;
resolver 8.8.8.8;
}
}