Securing Bitbucket Server behind nginx using SSL

This page describes how to establish a network topology in which the nginx server acts as a reverse proxy for Bitbucket Data Center and Server. Typically, such a configuration would be used when Bitbucket is installed in a protected zone 'behind the firewall', and nginx provides a gateway through which users outside the firewall can access Bitbucket.

The configuration described on this page results in the following scenario:

  • External client connections with nginx are secured using SSL. Connections between nginx and Bitbucket are unsecured.
  • Bitbucket and nginx run on the same machine.
  • Bitbucket is available at https://mycompany.com:7990/bitbucket.


Also note the following:

  • It is assumed that you already have a running nginx instance. If nginx is not running, refer to the nginx documentation for downloading and installing nginx.
  • An SSL certificate must be installed on the server machine.
  • Any existing links with other applications will need to be reconfigured using the new URL for Bitbucket.
  • Securing Git operations between the user's computer and Bitbucket is a separate consideration - see Enabling SSH access to Git.

Be aware that Bitbucket does not need to run behind a web server, since it is capable of serving web requests directly; to secure Bitbucket when run in this way see Securing Bitbucket Server with Tomcat using SSL. Otherwise, if you want to install Bitbucket in an environment that incorporates nginx, this document is for you. (You can of course run Bitbucket behind nginx without securing client connections to nginx using SSL – we don't describe this option on this page.)

Note that the Atlassian Support Offering does not cover nginx integration. Assistance with nginx may be obtained through the Atlassian community or from an Atlassian Partner.

Step 1: Set up the embedded Tomcat connector

Find the Bitbucket configuration properties file <Bitbucket home directory>/shared/bitbucket.properties, creating it if necessary, and add the properties shown below. Set the server.proxy-name property to the domain name that the nginx server will be configured to serve (mycompany.com in this example). This informs Bitbucket of the domain name and port of the requests that reach it via nginx, and is important for the correct operation of the Bitbucket functions that construct URLs.

server.port=7990
server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=mycompany.com

Step 2: Set a context path for Bitbucket

By default, Bitbucket is configured to run with an empty context path; in other words, from the 'root' of the server's name space. In that default configuration, Bitbucket would be accessed at:

http://mycompany.com:7990/

For the example configuration on this page, we want Bitbucket to be accessed at: 

https://mycompany.com/bitbucket

In Bitbucket's configuration properties file <Bitbucket home directory>/shared/bitbucket.properties, set the context path to /bitbucket by adding the following property:

server.context-path=/bitbucket

When a context path is used, it is important that the same path is:

  • appended to the context path of Bitbucket's base URL (Step 3).
  • used when setting up the location for the proxy_pass directive (Step 4). 

Step 3: Change Bitbucket's base URL

Before re-starting Bitbucket, open a browser window and log into Bitbucket using an administrator account. Go to the Bitbucket administration area and click Server settings (under 'Settings'), and change Base URL to match the proxy URL (the URL that the nginx server will be serving).

For this example, use http://mycompany.com/bitbucket (note the context path included in it).

Step 4: Configure nginx

Edit /etc/nginx/nginx.conf, using the example server configuration below, to configure nginx as a proxy server.

Put the proxy_pass directive in the location block, and specify the protocol, name and port of the proxied server in the parameter (in our case, it is http://localhost:7990):


http {
    ...
    client_max_body_size 0;
    ...
    server {
        # The 'ssl' parameter on listen replaces the old 'ssl on;' directive,
        # which is deprecated since nginx 1.15.0 and removed in 1.25.1.
        listen               443 ssl;
        server_name          mycompany.com;

        ssl_certificate      <path/to/your/certificate>;
        ssl_certificate_key  <path/to/your/certificate/key>;
        ssl_session_timeout  5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless
        # legacy clients still require them.
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        # Optional optimisation - please refer to
        # http://nginx.org/en/docs/http/configuring_https_servers.html
        # ssl_session_cache   shared:SSL:10m;

        location /bitbucket {
            # No URI part after the port: nginx then forwards the original
            # request path, so Bitbucket still sees its /bitbucket context path.
            proxy_pass          http://localhost:7990;
            proxy_set_header    X-Forwarded-Host $host;
            proxy_set_header    X-Forwarded-Server $host;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_redirect      off;
        }
    }
    ...
}

Refer to http://nginx.org/en/docs/http/ngx_http_proxy_module.html.

Changes to the configuration file are not applied until a command to reload the configuration is sent to nginx, or nginx is restarted. To reload the configuration, run:

nginx -s reload

This command must be run as the same user that started nginx.

Notice that we added client_max_body_size 0; to the http block of the nginx configuration because of the issue described in Git push fails - client intended to send too large chunked body (https://confluence.atlassian.com/bitbucketserverkb/git-push-fails-client-intended-to-send-too-large-chunked-body-779171802.html).
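Steps 1, 2 and 4 spread the same facts (proxy host and port, scheme, context path, Tomcat port) across two files that must agree. The following script is an added example, not code from the Atlassian page or from nginx: it parses a bitbucket.properties file and an nginx configuration and reports every mismatch, including the easy-to-miss case of a proxy_pass with a trailing URI (which makes nginx strip the location prefix, so Bitbucket never sees its context path). Both inputs are constructed samples embedded inline; the certificate paths are placeholders, and the nginx parser handles only the unquoted, prefix-location syntax this configuration uses.

```python
"""Cross-check bitbucket.properties against the nginx reverse-proxy config.

Added example (not Atlassian's or nginx's code). Both inputs below are
constructed samples; the certificate paths are placeholders.
"""
import re

# Constructed sample: bitbucket.properties as set up in Steps 1 and 2.
BITBUCKET_PROPERTIES = """\
server.port=7990
server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=mycompany.com
server.context-path=/bitbucket
"""

# Constructed sample: a trimmed nginx.conf following Step 4.
NGINX_CONF = """\
http {
    client_max_body_size 0;
    server {
        listen 443 ssl;
        server_name mycompany.com;
        ssl_certificate /path/to/your/certificate;          # placeholder
        ssl_certificate_key /path/to/your/certificate/key;  # placeholder
        location /bitbucket {
            proxy_pass http://localhost:7990;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
"""


def parse_properties(text):
    """Parse the key=value subset of Java .properties ('#' comments, no escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_nginx(text):
    """Flatten an nginx config into (context, directive, args) triples.

    context is the tuple of enclosing block headers, e.g.
    ("http", "server", "location /bitbucket"). Comments are dropped.
    """
    text = re.sub(r"#[^\n]*", "", text)
    entries, stack, current = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(" ".join(current))
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if current:
                entries.append((tuple(stack), current[0], current[1:]))
            current = []
        else:
            current.append(tok)
    return entries


def first(entries, directive, block=None):
    """Args of the first `directive` whose innermost block header is `block`."""
    for ctx, name, args in entries:
        if name == directive and (block is None or ctx[-1:] == (block,)):
            return args
    return None


def check_proxy_setup(props_text, nginx_text):
    """Return a list of mismatches; an empty list means the files agree."""
    props = parse_properties(props_text)
    entries = parse_nginx(nginx_text)
    problems = []

    # Step 2 / Step 4: the context path must equal the (prefix) location.
    loc = next((h.split()[-1] for ctx, _, _ in entries for h in ctx
                if h.startswith("location ")), None)
    if loc != props.get("server.context-path"):
        problems.append(f"context path {props.get('server.context-path')!r} "
                        f"!= nginx location {loc!r}")

    # Step 1: proxy-name, proxy-port and scheme must describe what nginx serves.
    listen = first(entries, "listen", "server") or []
    port = listen[0].rsplit(":", 1)[-1] if listen else None
    if port != props.get("server.proxy-port"):
        problems.append(f"server.proxy-port != listen port {port!r}")
    if props.get("server.proxy-name") not in (first(entries, "server_name", "server") or []):
        problems.append("server.proxy-name is not in server_name")
    tls = "ssl" in listen or first(entries, "ssl", "server") == ["on"]
    if tls and (props.get("server.scheme"), props.get("server.secure")) != ("https", "true"):
        problems.append("nginx terminates TLS but server.scheme/server.secure do not say https")

    # Step 4: proxy_pass must point at the Tomcat port with no URI part.
    target = first(entries, "proxy_pass")
    m = re.fullmatch(r"\w+://[^/:]+(?::(\d+))?(/.*)?", target[0]) if target else None
    if not m:
        problems.append(f"missing or unparsable proxy_pass {target!r}")
    else:
        if m.group(1) != props.get("server.port"):
            problems.append(f"proxy_pass port {m.group(1)!r} != server.port")
        if m.group(2):
            problems.append("proxy_pass has a URI part; the location prefix would be stripped")

    # Large git pushes and the forwarded headers from the page's configuration.
    if first(entries, "client_max_body_size", "http") != ["0"]:
        problems.append("client_max_body_size 0 missing from http block")
    headers = {args[0] for _, name, args in entries if name == "proxy_set_header"}
    for h in ("X-Forwarded-Host", "X-Forwarded-For"):
        if h not in headers:
            problems.append(f"proxy_set_header {h} missing")
    return problems


if __name__ == "__main__":
    for p in check_proxy_setup(BITBUCKET_PROPERTIES, NGINX_CONF) or ["OK"]:
        print(p)
```

Run it after editing either file and before `nginx -s reload`; it is meant as a pre-flight check alongside `nginx -t`, not a replacement for it, since it validates agreement between the two files rather than nginx syntax.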


Resources

You may find the following resources helpful in setting up Bitbucket behind nginx:


Last modified: February 25, 2021
