Simplified guide for setting up a reverse proxy that allows installing multiple apps (e.g. tomcat apps) on a single server.
The guide below is for a Debian/Ubuntu machine. For CentOS or Amazon Linux, adapt this guide here.
An SSL reverse proxy allows secured connections between the client and the Apache server (TLS is terminated at the reverse proxy); the Apache server then distributes the connections to the various ports (or applications) on the server, like this:
This method is advantageous and avoids the whole (painful) approach of configuring SSL in each application's Java keystore.
Enable apache2 modules:
Disable the existing sites in /etc/apache2/sites-available by using a2dissite, e.g.:
We first create a .conf file which will contain the VirtualHost blocks for the reverse proxy
Below is an example of an initial proxy-ssl-host.conf for a reverse-proxy setup for Atlassian's confluence, crowd, and JIRA. It contains all directives apart from the SSL certificates (see the following section for information on how to get certbot-auto to add these automatically for you).
Note1: each subdomain is resolved and forwarded by Apache to a different localhost port. The file also includes HTTP-to-HTTPS redirects. Replace <...> with the actual path to the SSL certificates, and the sub-domains with your actual sub-domains/domains.
Note2: see here for implementing X-Forwarded-For for proper client IP address forwarding (I think this might be needed for Crowd SSO?).
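As an added example (not the page's original proxy-ssl-host.conf), here is what one subdomain's pair of VirtualHost blocks could look like; the hostname confluence.example.com, the certificate paths and the backend port 8090 are assumed placeholders:

```apache
# Added example, not the page's own file. Hostname, certificate paths and
# backend port 8090 are placeholders to replace with your own values.

# Plain HTTP: redirect everything to HTTPS, proxy nothing here.
<VirtualHost *:80>
    ServerName confluence.example.com
    Redirect permanent / https://confluence.example.com/
</VirtualHost>

# HTTPS: TLS terminates here, then requests are forwarded to local Tomcat.
<VirtualHost *:443>
    ServerName confluence.example.com

    SSLEngine on
    # Placeholders until certbot-auto --apache fills these in.
    SSLCertificateFile    /etc/letsencrypt/live/<domain>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/<domain>/privkey.pem

    # Pass the client's original Host header through so Tomcat builds
    # correct absolute URLs for the public name, not for localhost.
    ProxyPreserveHost On
    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # mod_proxy adds X-Forwarded-For with the client IP on the way through.
    ProxyPass        / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/

    ErrorLog  ${APACHE_LOG_DIR}/confluence-error.log
    CustomLog ${APACHE_LOG_DIR}/confluence-access.log combined
</VirtualHost>
```

Repeat the pair for each further subdomain (Crowd, JIRA) with its own ServerName and backend port; Tomcat still needs the matching scheme/proxyPort Connector attributes described later on this page.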
Next we want to enable the file we just created. On Ubuntu you can enable .conf site files by:
Letsencrypt for SSL certificates
The process is basically the same as outlined here. Certbot-auto has a fantastic Apache plugin that makes obtaining (and renewing) an SSL certificate drop dead simple. Simply running:
allows you to select which virtual host to obtain the certificates for and will automatically update your Apache .conf file (which was proxy-ssl-host.conf in my case).
Renewing can then be done simply by calling the code below. Note that since we used the --apache argument when obtaining the certificate, certbot-auto will gracefully renew and reload the Apache config (no need to stop or restart apache2).
Passing client ip address properly for logging
See Logging remote ip address when using reverse proxy for a guide on properly logging client IP addresses (instead of the reverse proxy IP).
For Atlassian apps, you'll need to enable secure proxy forwarding in their server.xml files. See here for more detail.
For each application, find the normal (non-SSL) Connector directive in the Tomcat server.xml file, and update the proxyPort attributes inside the Connector directive, as below. You would have already added these attributes when configuring the reverse proxy. You need to change scheme to "https" and proxyPort to the port that Apache is listening for SSL on, e.g. "443", like this:
Note1: this is basically just adding the last five entries.
Note2: Atlassian recommends turning compression off when using a reverse proxy.
Restart Atlassian apps and you should be good to go.