Integrate Jira/Jira Data Center with AWS ELB
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This article only applies to JIRA Server (including JIRA Data Center), as opposed to JIRA Cloud.
Atlassian applications allow the use of reverse-proxies within our products, however, Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian cannot guarantee to provide any support for them.
If assistance with configuration is required, please raise a question on the Atlassian Community.
This article describes how AWS ELB can be configured as a reverse proxy/load balancer for JIRA/JIRA Data Center installed on AWS EC2 environment.
It's a bonus if you're familiar with Integrating JIRA with Integrating Jira with Apache using SSL or Configure Jira to run behind a NGINX reverse proxy, as well as Installing Jira Data Center, in your own system environment.
This article uses a sample URL without Set a context path for Atlassian applications: https://jira.aws.elb (as well as http://jira.aws.elb for HTTP). It doesn't matter whether your JIRA URL has a context path or not, but the domain name (jira.aws.elb in this example) that you're going to use must resolve to your AWS ELB.
Solution
1. Configure AWS Security Groups
In the context of this article, the following ports must be allowed in your AWS Security Groups for your EC2 instance/s:
8080
8081
8082
80
This will allow us to test JIRA accessibility as well as enable ELB to communicate with JIRA in your EC2 instance/s.
2. Configure Tomcat
Configure the Tomcat Connectors so we have one or two serving as Proxy Connector/s and another for bypassing proxy (for troubleshooting purpose). This is done in the same
JIRA_Install/conf/server.xmlfile, locating this code segment (the only connector enabled by default):1<Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>Make 2 copies of the above connector and modify all the 3 as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19<!-- 1. Add proxyName and proxyPort to the original connector that uses port 8080 - This connector is to be used for HTTP access via AWS ELB --> <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" proxyName="jira.aws.elb" proxyPort="80"/> <!-- 2. Add proxyName, proxyPort, scheme, and secure to the second connector - modify it to use port 8081 - This connector is to be used for HTTPS access via AWS ELB --> <Connector port="8081" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" proxyName="jira.aws.elb" proxyPort="443" scheme="https" secure="true"/> <!-- 3. Modify the third connector to use port 8082 without adding anything else - This connector is to be used for bypassing proxy e.g. JIRA can be accessed directly via http://ec2-hostname:8082 --> <Connector port="8082" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>Restart JIRA and ensure it can be accessed via (all bypassing proxy):
3. Configure ELB for HTTP access
From EC2 management, go to Target Groups and create a new Target Group as follows:
Name: ELB-HTTP-access
Protocol: HTTP
Port: 80
Add Target/s to Target Group:
Select the above target group → open Targets tab → Edit
Select your JIRA instance that is running (if not, double check step 2.3 above)
Modify the Port to 8080
Add to registered
From EC2 management, go to Load Balancers and create a new Load Balancer as follows:
Type: Application Load Balancer
-Next-
Name: JIRA-ELB
Load Balancer Protocol: HTTP
Load Balancer Port: 80
Availability Zones: select the same VPC as your EC2 instance/s then choose 2 Availability Zones
-Next-
Security Groups: select appropriate security groups
-Next-
Target group: Existing target group
Name: ELB-HTTP-access
-Next-
Review & Create
Ensure that your load balancer is accessible via your domain name, jira.aws.elb in this example. How to configure this is beyond the scope of this article as well as Atlassian Support.
Once this is done, you should be able to access JIRA via http://jira.aws.elb which routes requests to http://ec2-hostname:8080.
4. Configure ELB for HTTPS access
From EC2 management, go to Target Groups and create a new Target Group as follows:
Name: ELB-HTTPS-access
Protocol: HTTP
Port: 80
Add Target/s to Target Group:
Select the above target group → open Targets tab → Edit
Select your JIRA instance that is running (if not, double check step 2.3 above)
Modify the Port to 8081
Add to registered
From EC2 management, go to Load Balancers and edit the existing Load Balancer created in step 3.3:
Select the load balancer → open Listeners tab → Add listener
-Next-
Protocol: HTTPS
Port: 443
Default Target Group: ELB-HTTPS-access
Choose or Upload your SSL certificate
Once this is done, you should be able to access JIRA via https://jira.aws.elb which routes requests to http://ec2-hostname:8081.
5. Configure HTTP-HTTPS redirection
Application Load Balancer
Please follow this guide on how to configure HTTP to HTTPS redirection on the Application Load Balancer.
Classic Load Balancer
If you need to configure the redirect by using the Classic Load Balancer (e.g Nginx) instead using the AWS Application Load Balancer, please follow the steps below.
There's no easy way to configure this in the ELB itself. According to How do I redirect HTTP traffic on my server to HTTPS on my load balancer?, we will need an additional proxy service installed on an EC2 instance. In this example, we suggest using Nginx:
Install Nginx on an EC2 instance. This can be the same instance where JIRA is installed. You may follow How To Install Nginx on Ubuntu 14.04 LTS and ensure Nginx is running on port 80.
Modify the Nginx config so that it will redirect requests from HTTP to HTTPS (modify
server_nameaccordingly):1 2 3 4 5 6 7server { listen 80; server_name jira.aws.elb; if ($http_x_forwarded_proto != "https") { rewrite ^(.*)$ https://$server_name$REQUEST_URI permanent; } }Restart Nginx
Edit ELB-HTTP-access target group (refer to step 3.2):
Remove the current target listening on port 8080
Select your EC2 instance where Nginx is running
Modify the Port to 80 (default)
Add to registered
Once this is done, you still can access https://jira.aws.elb directly. If you access http://jira.aws.elb instead, the followings will happen:
http://jira.aws.elb is routed to Nginx on port 80
Nginx rewrite the protocol from HTTP to HTTPS, which means it will hit https://jira.aws.elb
https://jira.aws.elb is routed to JIRA on port 8081 (as per step 4)
In other words, HTTP is redirected to HTTPS seamlesly.
6. How about JIRA Data Center
If you use JIRA Data Center, you can add all JIRA nodes to the target groups as in step 3.2 and/or 4.2. Just select the right instances and use the right Tomcat ports (you may want to configure Tomcat similarly for all nodes - refer to step 2).
You will also need to enable Load Balancer Stickiness, following these steps:
Select the respective target group → open Description tab → Edit attributes
Enable load balancer generated cookie stickiness
Save
Once this is done, users will be routed to the registered targets (JIRA nodes) on a load balancing basis.
Notes
Most probably you would like JIRA to be accessible via HTTPS, with HTTP being redirected to HTTPS automatically. If so, you may skip step 3 and focus on steps 4 and 5. In such a case, refer to:
step 3.3 for how to create a load balancer - you will need to make necessary changes to Load Balancer Protocol and Port
step 3.1 and 3.2 for how to create a target group to be used in step 5.4
In any case, you can always reconfigure the Listeners (step 4.3) and Target Groups to meet your needs.
If you only want HTTPS without redirection, step 5 can be skipped.
If you have multiple Atlassian applications behind the same load balancer, you may experience issues with conflicting session cookies causing your users to be logged out. If this occurs, please refer to Logging into another Atlassian application logs me out of Confluence for solutions to resolve this conflict.
Was this helpful?