How to force Jira to redirect requests to the load balancer or reverse-proxy using Tomcat

Summary

One popular requirement is to prevent users to make requests directly to the application servers, bypassing the frontend load balancer or reverse-proxy.

There is a multitude of ways to achieve this, such as using network restrictions or web server rewrite rules.

This article describes how to use a Tomcat configuration to make Jira redirect the users to the frontend URL on every redirect, such as the one that happens on logon. This does not prevent users from making access to the nodes directly, and should not be viewed as a security measure - it's more of a way to decrease access to nodes than prevent it.

Environment

This assumes that the load balancer or reverse proxy is already configured in the environment and working as expected.  If not, please refer to these articles for guidance and examples:

• https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

• https://confluence.atlassian.com/enterprise/jira-data-center-load-balancer-examples-781200827.html

Solution

By default, Tomcat redirects users in a relative manner, but we can configure it to use absolute paths.

1. Open the jira-install/conf/server.xml file.

2. Add the useRelativeRedirects="false" parameter to the Context tag.

   Your Jira tag will look like this:

   1 2 3 4 5 6 <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true" useRelativeRedirects="false"> <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/> <Manager pathname=""/> <JarScanner scanManifest="false"/> <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" /> </Context>

3. Restart the Jira application.

For more details about this configuration, check https://tomcat.apache.org/tomcat-8.5-doc/config/context.html.