
Configure required connections and upstream ports

Allow outgoing connections from your network, and add an HTTP connector and upstream port to make sure your self-managed instance can connect to the tunnel.

Allow outgoing connections from your network

Allow outgoing connections on port 443:

To tunnel endpoint

When creating the tunnel, your self-managed instance needs to reach https://tunnel.services.atlassian.com, which is the tunnel endpoint on the cloud side.

You can verify that it does by running curl https://tunnel.services.atlassian.com/status -I. The request should return an error, which is the correct behavior.

To cloud products

When authorizing the application links as the last step of the procedure, your self-managed instance needs to reach your cloud products directly. This outgoing communication does not use the tunnel.

You don’t have to allow any incoming connections to your network or IP ranges.

Add an HTTP connector and upstream port

The HTTP connector that you configure needs to be accessible from localhost only.

Stop your instance and then complete the following steps:

Jira and Bamboo

  1. In your installation directory, edit the conf/server.xml file.

  2. Add one of the following connectors. Use a port number that isn't already used by any application on this instance. 

    1. Jira

      <Connector port="8081" connectionTimeout="20000" maxThreads="200" minSpareThreads="10" enableLookups="false" acceptCount="10" URIEncoding="UTF-8" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"/>
    2. Bamboo

      <Connector port="8093" connectionTimeout="20000" maxThreads="200" minSpareThreads="10" enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />
  3. Add the following snippet to JVM_SUPPORT_RECOMMENDED_ARGS in setenv.sh. Specify the same port number you used for the HTTP connector above: 

    -Dsecure.tunnel.upstream.port=<port_number>

Confluence

  1. In your installation directory, edit the conf/server.xml file.

  2. Add the following connector. Use a port number that isn't already used by any application on this instance. 

    <Connector port="8093" connectionTimeout="20000" maxThreads="200" minSpareThreads="10" enableLookups="false" acceptCount="10" URIEncoding="UTF-8" />
  3. Add the following snippet to CATALINA_OPTS in setenv.sh. Specify the same port number you used for the HTTP connector above: 

    -Dsecure.tunnel.upstream.port=<port_number>

Bitbucket

  1. In your Bitbucket home directory, go to shared, and edit the bitbucket.properties file.

  2. Add a connector and upstream port. Use a port number that isn't already used by any application on this instance. 

    server.additional-connector.1.port=8081
    plugin.secure.tunnel.upstream.port=8081

Remove the HTTPS redirection

If you enabled SSL for your instance, you probably modified the configuration files to redirect traffic to HTTPS. Since the new connector is using HTTP, you need to revert these changes so the traffic isn’t redirected. Any traffic that passes through the tunnel will still be encrypted, but if some traffic is trying to reach your regular port on HTTP, it will no longer be redirected.

Before you start

If you rely on the Atlassian product to handle the HTTPS redirection through configuration files, it will no longer work. If you still need the redirection, you’ll need to configure it by using another component, such as a reverse proxy or load balancer. For an example of how to configure it, see Securing your Atlassian applications.

Jira, Confluence, and Bamboo

To remove the HTTPS redirection:

  1. In your installation directory, edit the conf/web.xml file.

  2. Remove the following snippet: 

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all-except-attachments</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.jspa</url-pattern>
        <url-pattern>/browse/*</url-pattern>
        <url-pattern>/issues/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

  3. Start your instance.

Bitbucket

To remove the HTTPS redirection:

  1. In your Bitbucket home directory, edit the bitbucket.properties file.

  2. Remove the server.require-ssl property.

Optional: Restrict access to the HTTP connector to localhost

To improve security, you can restrict outside access to the newly created connector. The connector needs to be accessible from localhost only, so restricting outside access won’t affect the tunnel at all.

Jira and Confluence

In the following example, we allow the localhost address (needed for application tunnels) to access all ports, and limit any outside access to port 8080, which is our publicly available port.

To restrict access to the connector:

  1. In your installation directory, edit the conf/server.xml file.

  2. Add the following snippet within the <Engine> section. Make sure to adjust the port number (8080) to your publicly accessible port:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" addConnectorPort="true" allow="127.0.0.1;\d*|::1;\d*|.*;8080"/>
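
To see what this allow pattern admits before restarting the instance, the following added example (not part of the original documentation or Atlassian's code) models the valve's decision in Python. It assumes Tomcat's documented behaviour that, with addConnectorPort="true", the valve matches the whole string "<client address>;<connector port>" against the pattern; the server.xml fragment, the client addresses, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from a real instance): public connector
# on 8080, tunnel connector on 8081, and the valve from the step above.
SERVER_XML = r"""
<Server><Service name="Catalina">
  <Connector port="8080"/>
  <Connector port="8081"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           addConnectorPort="true"
           allow="127.0.0.1;\d*|::1;\d*|.*;8080"/>
  </Engine>
</Service></Server>
"""
# Constructed client addresses; 203.0.113.7 is from a documentation range.
CLIENTS = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "203.0.113.7"]
VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def load_allow(server_xml):
    """Compile the allow pattern of the port-aware RemoteAddrValve in <Engine>."""
    engine = ET.fromstring(server_xml).find(".//Engine")
    for valve in engine.iter("Valve"):
        if valve.get("className") == VALVE and valve.get("addConnectorPort") == "true":
            return re.compile(valve.get("allow"))
    raise ValueError("no RemoteAddrValve with addConnectorPort=true in <Engine>")

def admitted(allow, remote_addr, connector_port):
    """The valve tests '<client address>;<connector port>' as one whole string."""
    return allow.fullmatch(f"{remote_addr};{connector_port}") is not None

def exposure(server_xml, clients=CLIENTS):
    """Map (client, connector port) -> True if the valve would let it through."""
    allow = load_allow(server_xml)
    ports = [int(c.get("port")) for c in ET.fromstring(server_xml).iter("Connector")]
    return {(a, p): admitted(allow, a, p) for p in ports for a in clients}

if __name__ == "__main__":
    for (addr, port), ok in exposure(SERVER_XML).items():
        print(f"{addr:>16} -> :{port}  {'allow' if ok else 'deny'}")
```

The long-form IPv6 loopback is included because Tomcat's documentation notes that addresses obtained from Java sockets are reported as x:x:x:x:x:x:x:x, so the IPv6 localhost can appear as 0:0:0:0:0:0:0:1 rather than ::1. The pattern as written denies that form on the tunnel connector port, so add an alternative for it if the tunnel reaches the connector over IPv6 loopback.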

Bitbucket

Bitbucket uses an embedded Tomcat, so you can’t restrict outside access to the connector by editing the configuration file. Instead, you have to restrict it on your firewall. As mentioned above, the tunnel won’t be affected, because the connector needs to be accessible from localhost only.

Next steps

Go to Create an application tunnel to your self-managed instance.
