Basic Nginx Reverse Proxy Configuration for Atlassian Jira, Confluence, and Bamboo

This is a template Nginx configuration I use to reverse proxy for my test instances in Amazon AWS using Amazon Linux instances.  This configuration uses virtual hosts and TLS 1.2. Additional configuration may be required at the DNS level to support the subdomains used here.

Configuration Location:

/etc/nginx/nginx.conf

Contents:

# Worker processes run under the unprivileged "nginx" account.
user nginx;
# "auto" lets nginx pick the worker count from the number of CPU cores it detects.
worker_processes auto;
# Server-wide error log and the file holding the master process id.
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker. On a reverse proxy this
    # count covers the connections to the proxied backends as well as the clients.
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   300;
    types_hash_max_size 2048;
    proxy_connect_timeout 75;
    proxy_read_timeout 300;
    proxy_send_timeout 300;
    send_timeout 300;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    server {
        listen 80;
        server_name jira.{your-domain}.com;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen 80;
        server_name confluence.{your-domain}.com;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen 80;
        server_name bamboo.{your-domain}.com;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # SSL/TLS Configuration
        ssl_certificate {PATH-TO-CERT};
        ssl_certificate_key {PATH-TO-CERT-KEY};
        ssl_protocols TLSv1.2;
        ssl_ciphers {SSL-Ciphers}
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:1m;
        ssl_dhparam "{PATH-TO-GENERATED-DHPARAM}";

        server_name jira.{your-domain}.com;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass https://{internal-ip-to-jira}:{internal-port-to-jira}/;
        }
    }

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # SSL/TLS Configuration
        ssl_certificate {PATH-TO-CERT};
        ssl_certificate_key {PATH-TO-CERT-KEY};
        ssl_protocols TLSv1.2;
        ssl_ciphers {SSL-Ciphers}
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:1m;
        ssl_dhparam "{PATH-TO-GENERATED-DHPARAM}";

        server_name confluence.{your-domain}.com;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass https://{internal-ip-to-confluence}:{internal-port-to- confluence }/;
        }
    }

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # SSL/TLS Configuration
        ssl_certificate {PATH-TO-CERT};
        ssl_certificate_key {PATH-TO-CERT-KEY};
        ssl_protocols TLSv1.2;
        ssl_ciphers {SSL-Ciphers}
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:1m;
        ssl_dhparam "{PATH-TO-GENERATED-DHPARAM}";

        server_name bamboo.{your-domain}.com;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass https://{internal-ip-to- bamboo}:{internal-port-to-bamboo}/;
        }
    }
}

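For SSL

The openssl commands below create a self-signed certificate with its key and the Diffie-Hellman parameters file; the resulting paths are the values for {PATH-TO-CERT}, {PATH-TO-CERT-KEY} and {PATH-TO-GENERATED-DHPARAM}. The long colon-separated line is not a command: it is the cipher list to use in place of {SSL-Ciphers}. The final command restarts Nginx. A self-signed certificate suits test instances only, since clients will not trust it by default.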

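# Create the directory for the TLS material and keep it closed to non-root users.
sudo mkdir -p /etc/nginx/ssl
sudo chmod 700 /etc/nginx/ssl
# Self-signed certificate valid for 365 days with a new 2048-bit RSA key.
# -nodes stores the private key unencrypted so nginx can start unattended, which
# makes the file permissions the only protection for the key.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
sudo chmod 600 /etc/nginx/ssl/nginx.key
# 2048-bit DH parameters for the DHE cipher suites. sudo is needed here as well,
# because the output file is written under /etc/nginx/ssl.
sudo openssl dhparam -check -out /etc/nginx/ssl/dhparams.pem 2048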
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK
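# Check the configuration before restarting: if nginx -t reports an error the
# restart is skipped and the running proxy stays up.
sudo nginx -t && sudo service nginx restart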