
When NGINX is acting as a reverse proxy, i.e. performing HTTP (port) forwarding, it requires additional configuration to work correctly with the SSO state machine.

For Apache and IIS, this is described on pages 3-4 of the IOPLEX Jespa Operators Manual and is mentioned in our install instructions.

The Atlassian page "Integrating JIRA with NGINX" can serve as a reference for the general configuration of NGINX when used with Atlassian products.

The configuration requires one additional line, the proxy_set_header Jespa-Connection-Id directive in the example below. Its purpose is to add a "Jespa-Connection-Id" header whose value combines the remote client's IP address and port.

Kerberos-based Single Sign-On can also cause large header values to be sent, so the large_client_header_buffers directive is recommended as well. NGINX allows that directive only in the http and server contexts, so it is placed at server level rather than inside the location block.

server {
    listen www.atlassian.com:80;
    server_name www.atlassian.com;
    # Kerberos tokens can make request headers large (http/server context only)
    large_client_header_buffers 4 32k;
    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Connection identifier for Jespa: remote client's IP address and port
        proxy_set_header Jespa-Connection-Id $remote_addr:$remote_port;
        proxy_pass http://jira-hostname:8080/jira;
        client_max_body_size 10M;
    }
}

 

Once you have reconfigured NGINX this way, the telltale sign that it is working appears in jespa.log at log level 4: look for values showing the remote client's IP address and port, as opposed to the proxy's, for example in the jespa-connection-id header and on the AuthContext line. Some values have been obscured with ****.

2015-03-13 19:44:37: HttpSecurityService: C: GET /rest/mywork/latest/status/notification/count
2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=********* | x-requested-with=XMLHttpRequest | accept=application/json, text/javascript, /; q=0.01 | referer=******* | accept-language=en-AU | accept-encoding=gzip, deflate | user-agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) | dnt=1 | cookie=confluence-sidebar.width=55; confluence.browse.space.cookie=space-blogposts; JSESSIONID=592AF09B33C01304B1D068007FA41E93 | authorization=NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== | jespa-connection-id=172.16.9.39:62624 | x-forwarded-for=172.16.9.39 | x-forwarded-host=******* | x-forwarded-server=******** | connection=Keep-Alive
2015-03-13 19:44:37: HttpSecurityService: Loading session state from session 592AF09B33C01304B1D068007FA41E93
2015-03-13 19:44:37: HttpSecurityService: Importing provider state
2015-03-13 19:44:37: HttpSecurityService: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2015-03-13 19:44:37: HttpSecurityService: 172.16.9.39:62624: token.length=40
2015-03-13 19:44:37: HttpSecurityService: AuthContext: 172.16.9.39:62624
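
One way to automate that check over a jespa.log excerpt, as an added example that is not part of the original page or of Jespa. The function names, the set of proxy addresses and the sample lines are assumptions; the line format is taken from the excerpt above.

```python
import re

HEADERS = re.compile(r"HttpSecurityService: Request Headers: (.*)$")
AUTHCTX = re.compile(r"HttpSecurityService: AuthContext: (\S+)$")

def parse_headers(blob):
    """Split the ' | '-separated name=value pairs of a Request Headers line."""
    pairs = (p.partition("=") for p in blob.split(" | "))
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def audit(lines, proxy_ips):
    """Return (line_no, problem) tuples for a level-4 jespa.log excerpt."""
    findings, conn_id = [], None
    for n, line in enumerate(map(str.rstrip, lines), 1):
        m = HEADERS.search(line)
        if m:
            h = parse_headers(m.group(1))
            conn_id = h.get("jespa-connection-id")
            if conn_id is None:
                findings.append((n, "request has no jespa-connection-id header"))
                continue
            # $proxy_add_x_forwarded_for appends the address NGINX saw, so the
            # last X-Forwarded-For entry should match the connection id's IP.
            seen = h.get("x-forwarded-for", "").split(",")[-1].strip()
            if seen and conn_id.rpartition(":")[0] != seen:
                findings.append((n, "connection id does not match x-forwarded-for"))
            continue
        m = AUTHCTX.search(line)
        if m:
            ctx = m.group(1)
            if ctx.rpartition(":")[0] in proxy_ips:
                findings.append((n, "AuthContext is the proxy, not the client"))
            elif conn_id and ctx != conn_id:
                findings.append((n, "AuthContext differs from jespa-connection-id"))
    return findings

# Constructed sample lines in the format shown above (documentation addresses).
PROXY = {"198.51.100.5"}
GOOD = [
    "2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=jira.example"
    " | jespa-connection-id=192.0.2.10:62624 | x-forwarded-for=192.0.2.10",
    "2015-03-13 19:44:37: HttpSecurityService: AuthContext: 192.0.2.10:62624",
]
BAD = [
    "2015-03-13 19:44:38: HttpSecurityService: Request Headers: host=jira.example"
    " | x-forwarded-for=192.0.2.10",
    "2015-03-13 19:44:38: HttpSecurityService: AuthContext: 198.51.100.5:41822",
]
print(audit(GOOD, PROXY), audit(BAD, PROXY))
```

An empty result for a log excerpt means every request carried the header and every AuthContext line named the client rather than the proxy.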