Basic Nginx Reverse Proxy Configuration for Atlassian Jira, Confluence, and Bamboo

This is a template Nginx configuration I use as a reverse proxy for my test instances running on Amazon Linux in AWS. It uses virtual hosts and TLS 1.2. Values written in {braces} are placeholders that must be replaced before Nginx will load the file. Additional configuration may be required at the DNS level to support the subdomains used here.

Configuration Location:

/etc/nginx/nginx.conf

Contents:

# Worker processes run as the "nginx" account.
user nginx;

# "auto" lets nginx size the worker pool from the number of CPU cores.
worker_processes auto;

# File where the master process records its PID.
pid /var/run/nginx.pid;

# Server-wide error log.
error_log /var/log/nginx/error.log;

events {
    # Upper bound on simultaneous connections handled by each worker.
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   300;
    types_hash_max_size 2048;
    proxy_connect_timeout 75;
    proxy_read_timeout 300;
    proxy_send_timeout 300;
    send_timeout 300;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    server {
        listen 80;
        server_name jira.{your-domain}.com;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen 80;
        server_name confluence.{your-domain}.com;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen 80;
        server_name bamboo.{your-domain}.com;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # SSL/TLS Configuration
        ssl_certificate {PATH-TO-CERT};
        ssl_certificate_key {PATH-TO-CERT-KEY};
        ssl_protocols TLSv1.2;
        ssl_ciphers {SSL-Ciphers}
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:1m;
        ssl_dhparam "{PATH-TO-GENERATED-DHPARAM}";

        server_name jira.{your-domain}.com;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass https://{internal-ip-to-jira}:{internal-port-to-jira}/;
        }
    }

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # SSL/TLS Configuration
        ssl_certificate {PATH-TO-CERT};
        ssl_certificate_key {PATH-TO-CERT-KEY};
        ssl_protocols TLSv1.2;
        ssl_ciphers {SSL-Ciphers}
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:1m;
        ssl_dhparam "{PATH-TO-GENERATED-DHPARAM}";

        server_name confluence.{your-domain}.com;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass https://{internal-ip-to-confluence}:{internal-port-to- confluence }/;
        }
    }

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # SSL/TLS Configuration
        ssl_certificate {PATH-TO-CERT};
        ssl_certificate_key {PATH-TO-CERT-KEY};
        ssl_protocols TLSv1.2;
        ssl_ciphers {SSL-Ciphers}
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:1m;
        ssl_dhparam "{PATH-TO-GENERATED-DHPARAM}";

        server_name bamboo.{your-domain}.com;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass https://{internal-ip-to- bamboo}:{internal-port-to-bamboo}/;
        }
    }
}

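For SSL (generate a self-signed certificate and DH parameters, then the cipher list to substitute for {SSL-Ciphers}, then restart Nginx):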

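# Make sure the directory for the key material exists (no-op if it already does).
sudo mkdir -p /etc/nginx/ssl

# Self-signed certificate, valid for 365 days, with a new 2048-bit RSA key.
# Clients will not trust it, so this suits test instances only.
# -nodes writes the private key to disk unencrypted.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

# The key is unencrypted, so restrict it to its owner (root).
sudo chmod 600 /etc/nginx/ssl/nginx.key

# 2048-bit DH parameters for ssl_dhparam. Run with sudo like the command
# above, since the output also goes under /etc/nginx/ssl.
sudo openssl dhparam -check -out /etc/nginx/ssl/dhparams.pem 2048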
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK
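# Validate the configuration first; restart only if the syntax check passes,
# so a typo in nginx.conf does not take the running proxy down.
sudo nginx -t && sudo service nginx restart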