Configure required connections and upstream ports

Allow outgoing connections from your network, and add an HTTP connector and upstream port to make sure your self-managed instance can connect to the tunnel.

Allow outgoing connections from your network

Allow outgoing connections on port 443:

To tunnel endpoint

When creating the tunnel, your self-managed instance needs to reach https://tunnel.services.atlassian.com, which is the tunnel endpoint on the cloud side.

You can verify that it does by running curl https://tunnel.services.atlassian.com/status -I. The request should return an error, which is the correct behavior.

To cloud products

When authorizing the application links as the last step of the procedure, your self-managed instance needs to reach your cloud products directly. This outgoing communication does not use the tunnel.

You don’t have to allow any incoming connections to your network or IP ranges.

Add an HTTP connector and upstream port

Stop your instance and then complete the following steps:

Jira, Bamboo

  1. In your installation directory, edit the conf/server.xml file.

  2. Add one of the following connectors. Use a port number that isn't already used by any application on this instance. 

    1. Jira

      <Connector port="8081" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
                 enableLookups="false" acceptCount="10" URIEncoding="UTF-8"
                 relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"/>

    2. Bamboo

      <Connector port="8093" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
                 enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />

  3. Add the following snippet to JVM_SUPPORT_RECOMMENDED_ARGS in setenv.sh. Specify the same port number you used for the HTTP connector above: 

    -Dsecure.tunnel.upstream.port=$portNumber

Confluence

  1. In your installation directory, edit the conf/server.xml file.

  2. Add the following connector. Use a port number that isn't already used by any application on this instance. 

    <Connector port="8093" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
               enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />

  3. Add the following snippet to CATALINA_OPTS in setenv.sh. Specify the same port number you used for the HTTP connector above: 

    -Dsecure.tunnel.upstream.port=$portNumber

Bitbucket

  1. In your Bitbucket home directory, go to shared, and edit the bitbucket.properties file.

  2. Add a connector and upstream port. Use a port number that isn't already used by any application on this instance. 

    server.additional-connector.1.port=8081
    plugin.secure.tunnel.upstream.port=8081

Optional: Restrict access to the HTTP connector to localhost

Available for Jira and Confluence.

To improve security, you can restrict access to the newly created connector. In the following example, we allow the localhost address (needed for application tunnels) to access all ports, and limit any outside access to port 8080, which is our publicly available port.

To restrict access to the connector:

  1. In your installation directory, edit the conf/server.xml file.

  2. Add the following snippet within the <Engine> section. Make sure to adjust the port number (8080) to your publicly accessible port:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" addConnectorPort="true" allow="127.0.0.1;\d*|::1;\d*|.*;8080"/>
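
How this valve decides, as an added example that is not part of the original page: with addConnectorPort="true", Tomcat matches the whole string "client address;connector port" against the allow pattern. The Python below models that match, with re.fullmatch standing in for Java's Matcher.matches(); the function names and sample addresses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment carrying the valve from the step above.
SERVER_XML = r"""
<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         addConnectorPort="true"
         allow="127.0.0.1;\d*|::1;\d*|.*;8080"/>
</Engine>
"""

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"


def load_allow_pattern(engine_xml):
    """Return (compiled allow regex, addConnectorPort flag) for the valve."""
    engine = ET.fromstring(engine_xml)
    for valve in engine.iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            add_port = valve.get("addConnectorPort", "false") == "true"
            return re.compile(valve.get("allow", "")), add_port
    raise ValueError("no RemoteAddrValve found in <Engine>")


def is_allowed(engine_xml, remote_addr, connector_port):
    """Model the valve decision: the entire property string must match."""
    pattern, add_port = load_allow_pattern(engine_xml)
    prop = f"{remote_addr};{connector_port}" if add_port else remote_addr
    return pattern.fullmatch(prop) is not None


if __name__ == "__main__":
    # Constructed clients: loopback spellings and a documentation-range address.
    for addr, port in [("127.0.0.1", 8081), ("::1", 8081),
                       ("203.0.113.10", 8080), ("203.0.113.10", 8081),
                       ("0:0:0:0:0:0:0:1", 8081)]:
        verdict = "allow" if is_allowed(SERVER_XML, addr, port) else "deny"
        print(f"{addr:>16} -> port {port}: {verdict}")
```

The last case shows that the pattern recognises IPv6 loopback only when it is written as ::1. If your access log records local requests under a different spelling, that spelling needs its own alternative in allow.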

Remove HTTPS redirection from the web.xml file

If you enabled SSL for your instance, you might have used the following snippet to redirect traffic to HTTPS. Since the new connector is using HTTP, you need to remove this snippet so the traffic isn't redirected. Any traffic that passes through the tunnel will still be encrypted, but if some traffic is trying to reach your regular port on HTTP, it will no longer be redirected.

Before you start

If you rely on Apache Tomcat to handle the HTTPS redirection through the web.xml file, it will no longer work. If you still need the redirection, you’ll need to configure it by using another component, such as a reverse proxy or load balancer. For an example of how to configure it, see Securing your Atlassian applications.

Jira, Confluence, Bamboo

To remove the HTTPS redirection:

  1. In your installation directory, edit the conf/web.xml file.

  2. Remove the following snippet: 

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all-except-attachments</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.jspa</url-pattern>
        <url-pattern>/browse/*</url-pattern>
        <url-pattern>/issues/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

  3. Start your instance.
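
A pre-start check for the Jira, Confluence and Bamboo steps on this page, as an added example rather than Atlassian tooling: it confirms that the upstream port in setenv.sh names a port a Connector in server.xml listens on, and that web.xml no longer carries the CONFIDENTIAL constraint. The function name and the sample file contents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

UPSTREAM_RE = re.compile(r"-Dsecure\.tunnel\.upstream\.port=([^\s\"']+)")

# Constructed sample files (Confluence-style setenv.sh); not from a real instance.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" connectionTimeout="20000" scheme="https" secure="true"/>
  <Connector port="8093" connectionTimeout="20000" URIEncoding="UTF-8"/>
</Service></Server>"""
SETENV_OK = 'CATALINA_OPTS="-Dsecure.tunnel.upstream.port=8093 ${CATALINA_OPTS}"'
SETENV_PLACEHOLDER = 'CATALINA_OPTS="-Dsecure.tunnel.upstream.port=$portNumber"'
WEB_XML_CLEAN = "<web-app><display-name>app</display-name></web-app>"
WEB_XML_REDIRECT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint><user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""


def check_tunnel_config(server_xml, setenv_sh, web_xml):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    connectors = ET.fromstring(server_xml).iter("Connector")
    ports = [c.get("port") for c in connectors if c.get("port")]
    for port in sorted({p for p in ports if ports.count(p) > 1}):
        problems.append(f"port {port} is used by more than one Connector")

    # Ignore commented-out lines so stale settings are not counted.
    active = [ln for ln in setenv_sh.splitlines() if not ln.lstrip().startswith("#")]
    values = UPSTREAM_RE.findall("\n".join(active))
    if not values:
        problems.append("secure.tunnel.upstream.port is not set")
    for value in values:
        if not value.isdigit():
            problems.append(f"upstream port {value!r} is not a number")
        elif value not in ports:
            problems.append(f"no Connector listens on upstream port {value}")

    for el in ET.fromstring(web_xml).iter():
        # Compare local names so a namespaced web.xml is handled as well.
        if (el.tag.rsplit("}", 1)[-1] == "transport-guarantee"
                and (el.text or "").strip() == "CONFIDENTIAL"):
            problems.append("web.xml still has a CONFIDENTIAL transport-guarantee")
    return problems


if __name__ == "__main__":
    for issue in check_tunnel_config(SERVER_XML, SETENV_PLACEHOLDER, WEB_XML_REDIRECT):
        print("FAIL:", issue)
```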

Bitbucket

To remove the HTTPS redirection:

  1. In your Bitbucket home directory, edit the bitbucket.properties file.

  2. Remove the server.require-ssl property.

Next steps

Go to Create an application tunnel to your self-managed instance.
