0

I am trying to set up our Jira so that it can be accessed from two domains. While I know that this is not officially supported by Atlassian, I am sure that there is a server config that allows it.

So far I am able to access the pages themselves successfully from domainA and domainB, but for domainB I get a 403 forbidden error for resources like images.

My current configuration is as follows:

.conf file:

<VirtualHost *:443>
    ServerName domainA.com
    ServerAlias domainB.com
    ...

server.xml:

<Connector port="8101" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                   proxyName="domainA.com" proxyPort="443"/>

If I change the proxyName of the Connector to domainB.com it works for domainB but no longer for domainA.

I have tried to set up an additional second Connector for another port as follows for domainB, but without success:

<Connector port="8102" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                   proxyName="domainB.com" proxyPort="443"/>

The behaviour seems to be independent of the base URL set in the Jira. Also I am able to access Jira just fine from an internal IP via http with the following additional connector:

<Connector port="8301" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false" URIEncoding="UTF-8" />

Any ideas how to solve this?

Thank you.

Luigi04
  • 141

1 Answers1

2

I am trying to set up our Jira so that it can be accessed from two domains"... This is not officially supported by Atlassian ...

Then as a professional you don't go there.

I am sure that there is a server config that allows it

It seems that even the "cloud" or "hosted" version of Jira that Atlassian offers doesn't appear to support multi-tenancy and multiple domains but rather launches an instance for each customer and each unique domain based on for example https://support.atlassian.com/organization-administration/docs/how-many-instances-of-a-product-does-my-organization-need/

So I doubt support for multiple domains is an "undocumented" hidden feature setting that allows you to achieve that.

What are you attempting to cirumvent?

Many web applications get configured with a setting for the fully qualified domain name, port and protocol that site vistors are expected to use.

The application uses that information for example to:

  • thwart abuse and attacks.
    For instance by setting a Content Security Policy header in each response.

  • generate self-referential URL's.
    That are not only used in the CSS, JS and HTML of web pages, but for example also in the e-mails that the application sends.

Can you circumvent that?

To a degree you can use a reverse proxy to modify the requests and request headers from site visitors that get sent to the web-application. Rewrite those to the protocol, FQDN and port that the web application (Jira) expects.

The reverse proxy will also need to modify both the headers the web applications sets, as well as all HTML, CSS, JS and other response bodies that get sent back to the site visitor. In other words: rewrite the protocol, FQDN and port that the web application (Jira) generates to the protocol, FQDN and port that site visitor should be using.

For an approach: you run your Jira in one VirtualHost and get that working properly and your second domain does not get added as a ServerAlias, but in a second VirtualHost that gets set up as a Reverse Proxy

<VirtualHost *:443>
    ServerName jira.example.com
    ...
</VirtualHost>
<VirtualHost *:443>
    ServerName jira.example.org
    SSLProxyEngine On
    ProxyPass        / https://jira.example.com/
    ProxyPassReverse / https://jira.example.com/
    ...
    ProxyHTMLURLMap jira.example.com  jira.example.org
    ...
</VirtualHost>

Some details on how to reverse proxy here: How to handle relative urls correctly with a reverse proxy

HBruijn
  • 84,206
  • 24
  • 145
  • 224