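CentOS: Accessing JIRA v7.5.2 by Domain Name Through an Nginx Reverse Proxy
Overview
This article shows how, on CentOS, to put JIRA v7.5.2 behind an Nginx reverse proxy so that it is reachable at http://10691.cn/jira (standard HTTP port 80); the same applies to the standard HTTPS port 443. In short: accessing JIRA v7.5.2 by domain name through an Nginx reverse proxy on CentOS.
1. Modify the server.xml configuration file (in the JIRA installation directory)
Before: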
<Context docBase="${catalina.home}/atlassian-jira" path="" reloadable="false" useHttpOnly="true">
After:
<Context docBase="${catalina.home}/atlassian-jira" path="/jira" reloadable="false" useHttpOnly="true">
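2. Configure the JIRA connectors
Add the proxyName and proxyPort attributes (replace their values with ones appropriate to your site), plus the additional connector shown below, which bypasses the proxy and is used for troubleshooting:
<!-- Nginx Proxy Connector: Nginx only, without HTTPS -->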
<Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"
proxyName="jira.10691.cn" proxyPort="80"/>
<!-- OPTIONAL, Nginx Proxy Connector with HTTPS: the approach used in this article -->
<Connector port="8081" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"
proxyName="jira.10691.cn" proxyPort="443" scheme="https" secure="true"/>
<!-- Standard HTTP Connector -->
<Connector port="8082" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true"/>
Full version; paste it as-is and change the domain name to your own:
<?xml version="1.0" encoding="utf-8"?>
<!--
====================================================================================
Atlassian JIRA Standalone Edition Tomcat Configuration.
See the following for more information
http://confluence.atlassian.com/display/JIRA/Configuring+JIRA+Standalone
====================================================================================
-->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
scheme="https"
proxyName="jira.10691.cn"
proxyPort="443"
secure="true"/>
<!--
====================================================================================
For full steps on running JIRA over SSL or HTTPS for production and testing, see:
http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS
and
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
A quicker method can be found below, which we recommend only for evaluation and demonstration:
* Uncomment the Connector below
* Execute:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
with a password value of "changeit" for both the certificate and the keystore itself.
* If you are on JDK1.3 or earlier, download and install JSSE 1.0.2 or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext"
* Restart and visit https://localhost:8443/
====================================================================================
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreFile="/opt/bamboo-agent/.keystore"/>
-->
<!--
====================================================================================
If you have Apache AJP Connector (mod_ajp) as a proxy in front of JIRA you should uncomment the following connector configuration line
See the following for more information :
http://confluence.atlassian.com/display/JIRA/Configuring+Apache+Reverse+Proxy+Using+the+AJP+Protocol
====================================================================================
-->
<!--
<Connector port="8009" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8"/>
-->
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<!--
====================================================================================
Note, you no longer configure your database driver or connection parameters here.
These are configured through the UI during application setup.
====================================================================================
-->
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>
</Host>
<!--
====================================================================================
Access Logging.
This should produce access_log.<date> files in the 'logs' directory.
The output access log lies has the following fields :
IP Request_Id User Timestamp "HTTP_Method URL Protocol_Version" HTTP_Status_Code ResponseSize_in_Bytes RequestTime_In_Millis Referer User_Agent ASESSIONID
eg :
192.168.3.238 1243466536012x12x1 admin [28/May/2009:09:22:17 +1000] "GET /jira/secure/admin/jira/IndexProgress.jspa?taskId=1 HTTP/1.1" 200 24267 1070 "http://carltondraught.sydney.atlassian.com:8090/jira/secure/admin/jira/IndexAdmin.jspa" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10" "C2C99B632EE0F41E90F8EF7A201F6A78"
NOTES:
The RequestId is a millis_since_epoch plus request number plus number of concurrent users
The Request time is in milliseconds
The ASESSIONID is an hash of the JSESSIONID and hence is safe to publish within logs. A session cannot be reconstructed from it.
See http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html for more information on Tomcat Access Log Valves
====================================================================================
-->
<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
</Service>
</Server>
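3. Configure Nginx for domain-name access to JIRA
Configuring HTTPS requires a certificate. Use the online CSR generator (https://ssl.sundns.com/tool/csrgenerator) to generate the csr and key files for later use.
# Upload the csr and key created online to the /etc/pki/tls/certs directory on the server, as shown below: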
-rw-r--r-- 1 root root 1050 Jul 25 20:26 jira.10691.cn.csr
-rw-r--r-- 1 root root 1675 Jul 25 20:27 jira.10691.cn.key
# Generate the crt file with the following command:
[root@sh-kvm-3-1 certs]# openssl x509 -in jira.10691.cn.csr -out jira.10691.cn.crt -req -signkey jira.10691.cn.key -days 3650
Signature ok
subject=/C=CN/O=aniu/OU=DevOps/ST=Shanghai/L=Shanghai/CN=jira.10691.cn/emailAddress=yunwei@aniu.tv
Getting Private key
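The same CSR and self-signed certificate can be produced without the private key ever leaving the server, and with the key kept owner-only rather than the -rw-r--r-- shown in the listing above. The following is an added example, not part of the original article: it creates the key locally with `openssl req`, reuses the article's `openssl x509 -req -signkey` step, and verifies the result; the function names, the `O=Example` subject and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Subject fields and paths are assumptions.

# make_selfsigned DIR CN [DAYS]: create CN.key, CN.csr and CN.crt inside DIR.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-3650}
    (
        umask 077    # everything below is created without group/other access
        mkdir -p "$dir" || exit 1
        # New 2048-bit RSA key plus CSR; -nodes leaves the key unencrypted so
        # Nginx can load it without a passphrase prompt.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
            -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Example/CN=$cn" \
            2>/dev/null || exit 1
        # Self-sign the CSR with the same key, as in the article's command.
        openssl x509 -req -in "$dir/$cn.csr" -signkey "$dir/$cn.key" \
            -out "$dir/$cn.crt" -days "$days" 2>/dev/null || exit 1
        chmod 644 "$dir/$cn.csr" "$dir/$cn.crt"    # public material only
    )
}

# cert_matches_key CRT KEY: succeed only if both carry the same public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_is_private FILE: succeed only if group and other have no permission bits
# (characters 5-10 of the ls mode string, e.g. "-rw-------").
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_cn CRT: print the certificate's subject common name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Usage on the proxy host (the directory is an assumption):
#   make_selfsigned /etc/nginx/ssl jira.10691.cn
#   cert_matches_key /etc/nginx/ssl/jira.10691.cn.crt /etc/nginx/ssl/jira.10691.cn.key
```

Run `cert_matches_key` and `key_is_private` against the paths named in `ssl_certificate` and `ssl_certificate_key` before reloading Nginx.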
Create the jira.conf file:
server {
    listen 80;
    server_name jira.10691.cn;
    return 301 https://$host$request_uri;
}
server {
    # "listen ... ssl" enables TLS on this socket; the separate "ssl on;" directive is obsolete
    listen 443 ssl;
    server_name jira.10691.cn;
    ssl_certificate /etc/nginx/ssl/5055282_jira.10691.cn.pem;
    ssl_certificate_key /etc/nginx/ssl/5055282_jira.10691.cn.key;
    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://data:8080; # "data" is the hostname of the server running JIRA
        client_max_body_size 10M;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }
}
Move jira.conf into Nginx's /conf.d/ directory, then restart JIRA and Nginx and visit https://jira.10691.cn.