How to create a Tomcat unproxied connector (backdoor) in Jira (Server and Data Center)

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Does this apply to you?

When needing to access specific nodes in a Jira DC Cluster, it is necessary to have a separate Tomcat connector, without using the LB as proxy for access.

Example scenario

JIRA

  • Proxied address: https://jira.mycompany.com/

  • Unproxied address: http://192.168.100.100:8081/

Prerequisites

You must be able to browse to the application via the unproxied URL. Some network configurations may allow communication between the two servers, but you must be able to browse to the unproxied addresses for the purpose of creating the application link.

Set up an unproxied HTTP connector in Tomcat

To bypass a reverse proxy or SSL configuration, introduce an additional HTTP connector in Tomcat. The following is a bare minimum HTTP connector for use in Tomcat across Atlassian Products:

<Connector port="8081"connectionTimeout="20000"maxThreads="200"minSpareThreads="10"

enableLookups="false"acceptCount="10"URIEncoding="UTF-8"relaxedPathChars="[]|"relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;" />

To make use of this, edit the server.xml file for the application in question. The connector must be added inside the Service element. You will also need to restart the application to take effect.

You should adjust the value of the port attribute in the new connector. Ensure to use a port that isn't already used by any application on the same physical machine. For example, if you have JIRA listening for incoming connections on port 8080 (which is in turn connected to a reverse proxy), you should change your new connector to something else, such as 8081.

Ifweb.xmlhas been edited as per ourdocumentationto redirect to SSL, the following lines will need to be removed:For more information, please see this Jira specific KB article.

Note for SSO bypass

The SSO configuration may need to be bypassed in order to log in to the node directly without redirection to SSO URL. See this page for instructions:

Bypass SAML authentication for Jira Data Center

Updated on April 17, 2025
Platform
Data Center only
Products
Jira Software Data Center
Bitbucket Data Center
Confluence Data Center
Bamboo Data Center
Fisheye Data Center
On this pageDoes this apply to you?Example scenarioJIRAPrerequisitesSet up an unproxied HTTP connector in TomcatNote for SSO bypass

Still need help?

The Atlassian Community is here for you.
Ask the Community