Add SSL Support

[Conzar]

Can you please add SSL support?

[stack72]

Do you think it is possible to use something like Nginx to SSL Proxy jira?

[Conzar]

Using puppetlabs/apache seems to work without having to modify the jira configuration at all. So maybe its not worth adding since apache can handle it?

  class { 'apache':
    mpm_module    => 'prefork',
    default_vhost => false,
  }

  class { 'apache::mod::rewrite':
  }

  class { 'apache::mod::ssl':
  }
  apache::vhost { 'jira non-ssl':
    servername => 'jira',
    port       => '80',
    docroot    => '/var/www',
    rewrites   => [
      {
        comment      => 'redirect to https',
        rewrite_cond => ['%{HTTPS} off'],
        rewrite_rule => ['(.*) https://%{HTTP_HOST}:443%{REQUEST_URI}'],
      },
    ],
  }

  apache::vhost { 'jira ssl':
    servername          => 'jira',
    port                => '443',
    docroot             => '/var/www',
    default_vhost       => true,
    ssl                 => true,
    ssl_cert            => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
    ssl_key             => '/etc/ssl/private/ssl-cert-snakeoil.key',
    proxy_preserve_host => 'On',
    proxy_pass => [
      { 'path' => '/', 'url' => 'http://localhost:8080/' },
    ],
    require => Apache::Vhost [ 'jira non-ssl']
  }

[stack72]

@Conzar that's great news. I think the documentation for the module can just be updated to show your example code. I'm not a massive fan of complicating systems and SSL Termination works a lot of the time for me :)

[Conzar]

Well, not so good news. It seemed to work on a fresh install of Jira. But it didn't work on an existing install of jira. Essentially, it was getting a proxy timeout error. Does anything need to change on the server.xml?

Here is the main error:

JIRA is reporting that it is using the URL scheme 'http', which does not match the scheme used to run these diagnostics, 'https'. This is known to cause JIRA to construct URLs using an incorrect hostname, which will result in errors in the dashboard, among other issues.

[stack72]

@Conzar this article may be of use to you

https://confluence.atlassian.com/display/STASH/Securing+Stash+behind+nginx+using+SSL

I know its for stash but they work in a similar way

[Conzar]

Do you think the changes required to the connector in the server.xml should be rolled into this module?

[mkrakowitzer]

@Conzar The scheme should be https. I will add some examples on how to do this with the puppet apache and puppet nginx modules. This is the way I would recommend setting it up.

That being said i think we could role in the required https settings into this module. I will take a look at it.

[Conzar]

I have switched to using reverse proxies in Apache (for port 80 to 8080 traffic). What needs to be done to use ssl? I saw you added the following:
proxy => { scheme => 'https', proxyName => 'www.example.com', proxyPort => '443', },

What is proxy, is that specific to this module?

[mkrakowitzer]

No proxy is specific to tomcat, Setting the tomcat connector:

<Connector port="8081" ...
              proxyName="www.mycompany.com"
              proxyPort="443"
              scheme="https"/>

will cause servlets inside this web application to think that all proxied requests were directed to www.mycompany.com on port 443 using https. More detail here: http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html#Attributes

AFAIK its required if you are doing ssl offloading with reverse proxying via apache/nginx.