diagram of traffic from the internet through cloudflare and apache

How to use Cloudflare's free Flexible SSL on Jira and Confluence Server with Apache and ProxyPass


These instructions are assuming Jira and Confluence are running each at their own subdomain, such as jira.domain.com and confluence.domain.com, where domain.com is a placeholder for your domain name. These instructions have been tested on Jira Server 7.9.2, Confluence Server 6.9.0, and Ubuntu Server 16.04.4 LTS (Xenial Xerus), however, the configuration options are very standard.

In order for Cloudflare’s Flexible SSL to work, traffic needs to go through Cloudflare to your apps on port 80. Ports below 1024 are privileged ports, so we need to use Apache with ProxyPass between Cloudflare and Tomcat.

First

  1. Set Cloudflare’s DNS settings so that the traffic to your hostnames will go through Cloudflare.
  2. Confirm or set the hosting’s networking configuration to your servers so that they can receive traffic on port 80.
  3. Install Apache 2.4 (Applications that use Synchrony, e.g. Confluence 6.0, must use Apache 2.4.10 and up.) on your servers with: sudo apt-get install apache2

For Jira

Create and edit

/etc/apache2/sites-available/jira.conf

and add:

<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName jira.domain.com
ServerAlias jira.domain.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>

Save and enable.

sudo a2ensite jira.conf
sudo a2dissite 000-default.conf
sudo service apache2 reload

Now, open and edit

/opt/atlassian/jira/conf/server.xml

Locate and disable the Default Connector by adding <!-- and --> to above and below its code section, respectively, just like the other disabled sections.

Locate and enable the section below “HTTPS - Proxying Jira via Apache or Nginx over HTTPS” by removing the <!-- and --> from above and below its code section.

Within this newly enabled “Connector,” confirm or edit the follow settings for:

redirectPort="8443"
scheme="https"
proxyName="jira.domain.com"
proxyPort="443"

Save and restart Jira.

sudo /etc/init.d/jira stop
sudo /etc/init.d/jira start

For Confluence

Cloudflare will not work with Confluence as it runs on port 8090, by default. Cloudflare does not work with port 8090. The following effectively changes Confluence to run on port 8880, with an Apache ProxyPass to that port.

Create and edit

/etc/apache2/sites-available/confluence.conf

and add:

<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName confluence.domain.com
ServerAlias confluence.domain.com
ProxyPass / http://localhost:8880/
ProxyPassReverse / http://localhost:8880/
</VirtualHost>

Save and enable.

sudo a2ensite confluence.conf
sudo a2dissite 000-default.conf
sudo service apache2 reload

Now, open and edit 

/opt/atlassian/confluence/conf/server.xml

Locate and disable the Default Connector by adding <!-- and --> to above and below its code section, respectively, just like the other disabled sections.

Locate and enable the section below “HTTPS - Proxying Confluence via Apache or Nginx over HTTPS” by removing the <!-- and --> from above and below its code section.

Within this newly enabled “Connector,” confirm or edit the follow settings for:

port="8880"
redirectPort="8443"
scheme="https"
proxyName="confluence.domain.com"
proxyPort="443"

Save and restart Confluence.

sudo /etc/init.d/confluence stop
sudo /etc/init.d/confluence start

Conclusion

Now for each app, http://jira.domain.com and http://confluence.domain.com will load on port 80, without any port being specified in the URL. If the traffic is passing through Cloudflare, they will also load on https, with Cloudflare handling everything else, including its Flexible SSL, automatically. 

Need help with your Atlassian tools?

Looking for Jira or Agile Coaching?