NGINX as reverse proxy for Jira and Confluence on Docker

Overview of series “How to run Jira and Confluence behind NGINX reverse proxy on Docker”

This is the second article of a quick start series on how to run Jira and Confluence with PostgreSQL as their database on a single Docker host. This time we will setup NGINX as reverse proxy for Jira and Confluence.

  1. Run Atlassian Jira and Confluence with PostgreSQL on Docker
  2. NGINX as reverse proxy for Jira and Confluence on Docker
  3. Disable external access to PostgreSQL
  4. Enable SSL for NGINX reverse proxy using Let’s Encrypt on Docker

Introduction

After starting up Jira, Confluence and pgAdmin and exposing their ports, we now want to implement NGINX as reverse proxy for Jira and Confluence. It will be the only available webserver from externally. All other ports than port 80 or later also 443 will be disabled.

To do that we want to be able that the containers can communicate by their names directly. Docker assigns IP addresses randomly that is why we cannot use them. The default network we used in the last article does not allow using names therefore we have to create our own for our service.

Docker host local hosts file

Edit the local hosts file of the Docker hosts to allow it to loopback to itself. After changing the hosts file everything should work without a reboot of the host but in my experience it is most reliable to reboot it.

 nano /etc/hosts

Add the following lines into the hosts file

127.0.0.1 jira.yourdomain.com
127.0.0.1 confluence.yourdomain.com
127.0.0.1 pgadmin.yourdomain.com

Create Docker bridge network

On the Docker host enter the following command to create our own service network:

docker network create atlassian

Recreate existing containers

Now the existing containers for Jira, Confluence and pgAdmin need to be recreated to remove their exposed ports and assign them to our new network. Jira and Confluence also will receive 3 additional environment variables that they are aware of reverse proxying (change the urls in ATL_PROXY_NAME to your needs):

docker rm pgadmin confluence jira -f

docker run \
    --name pgadmin \
    -e 'PGADMIN_DEFAULT_EMAIL=postgres' \
    -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \
    -v pgAdminData:/pgadmin4 \
    -v pgAdminApplicationData:/var/lib/pgadmin \
    --network atlassian \
    -d dpage/pgadmin4

docker run -d \
    --name jira \
    -e JVM_MINIMUM_MEMORY=2048m \
    -e JVM_MAXIMUM_MEMORY=8192m \
    -e ATL_PROXY_NAME=JIRA.YOUR_DOMAIN.COM \
    -e ATL_PROXY_PORT=80 \
    -e ATL_TOMCAT_SCHEME=http \
    -v jiraApplicationData:/var/atlassian/application-data/jira \
    --network atlassian \
    atlassian/jira-software:latest

docker run -d \
    --name confluence \
    -e JVM_MINIMUM_MEMORY=2048m \
    -e JVM_MAXIMUM_MEMORY=8192m \
    -e ATL_PROXY_NAME=CONFLUENCE.YOUR_DOMAIN.COM \
    -e ATL_PROXY_PORT=80 \
    -e ATL_TOMCAT_SCHEME=http \
    -v confluenceApplicationData:/var/atlassian/application-data/confluence \
    --network atlassian \
    atlassian/confluence-server:latest

Start NGINX as reverse proxy for Jira and Confluence

Ports 8080, 8090 and 5050 are now not accessible any more. It is time to set up NGINX now. We will use the official NGINX image from Docker Hub. Start the container with this command:

 docker run -d -p 80:80 \
    --name nginx \
    -v nginxConfig:/etc/nginx \
    --network atlassian \
    nginx:latest

Configure NGINX

The default path where Docker stores it’s volumes is /var/lib/docker/volumes. If you have changed that you will have to adjust the following commands to it’s location.

Create the file Atlassian.conf with nano. Copy and paste the configuration following (adjust the domains to your needs):

nano /var/lib/docker/volumes/nginxConfig/_data/conf.d/Atlassian.conf
# Configuration for Jira - client_max_body_size must be at least the max allowed attachment size
server {
    server_name JIRA.YOUR_DOMAIN.COM;
    proxy_read_timeout 600s;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://jira:8080;
        client_max_body_size 50M;
    }
}
 
 
# Configuration for Wiki - client_max_body_size must be at least the max allowed attachment size
server {
    server_name CONFLUENCE.YOUR_DOMAIN.COM;
    proxy_read_timeout 600s;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://confluence:8090;
        client_max_body_size 50M;
    }
}

# Configuration for pgAdmin
server {
    server_name PGADMIN.YOUR_DOMAIN.COM;
    proxy_read_timeout 600s;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://pgadmin;
    }
}

NGINX will now need to reload the configuration. Test the syntax and reload it with this commands:

docker exec nginx nginx -t
docker exec nginx nginx -s reload

Conclusion

Great! You are now using NGINX as reverse proxy for Jira and Confluence and pgAdmin. We disabled access through ports 8080, 8090 and 5050. Only the containers inside your host communicate with these ports.

Currently the database is still accessible from outside through port 5432. Only the containers should be allowed to do that. This will be the next step.

Disable external access to PostgreSQL

docker postgres jira confluence pgadmin nginx reverse proxy 3

Leave a Reply