Configure SSL Connector for Embedded YouTrack Server
The most straightforward way to set up a secure connection for a YouTrack instance is to install an SSL-terminating reverse proxy server in front of YouTrack. Alternatively, you can enable SSL on YouTrack's embedded Jetty server with a Jetty configuration file.
To make YouTrack use the external XML configuration, point to the Jetty configuration file in the command that you use to start the service. For example:
java -Xmx1g -Djava.awt.headless=true -jar youtrack.jar 8443 /home/user/.youtrack/jetty.xml
The following sample jetty.xml file shows how to reference a single SSL connector:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!--Feel free to add other connectors, if necessary-->
  <Call id="sslConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server">
          <Ref refid="Server"/>
        </Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory">
                  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                    <Set name="KeyStorePath">/home/.youtrack/keystore</Set>
                    <Set name="KeyStorePassword">password</Set>
                    <Set name="KeyManagerPassword">password</Set>
                    <Set name="TrustStorePath">/home/.youtrack/truststore</Set>
                    <Set name="TrustStorePassword">trustPassword</Set>
                    <Set name="NeedClientAuth">false</Set>
                    <Set name="WantClientAuth">false</Set>
                  </New>
                </Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config">
                  <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
                    <Set name="secureScheme">https</Set>
                    <Set name="securePort">8443</Set>
                    <Set name="sendServerVersion">false</Set>
                    <Call name="addCustomizer">
                      <Arg>
                        <New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
                      </Arg>
                    </Call>
                  </New>
                </Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="port">8443</Set>
        <Set name="idleTimeout">30000</Set>
      </New>
    </Arg>
  </Call>
</Configure>
Set the values for the following parameters to match your YouTrack installation:
Parameter | Value |
---|---|
/home/.youtrack/keystore | The location of your Java keystore file (JKS) and server key. A key with the alias jetty is used by default. If you don't know where to get a Java keystore, take a look at the instructions for SSL and TLS configuration in the Jetty documentation. |
password | The password of the Java keystore. |
/home/.youtrack/truststore | The location of a Java keystore file (JKS) with trusted CA roots. |
trustPassword | The password for the trust store. |
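A pre-start check for a jetty.xml like the one above, as an added example that is not part of the original page and not YouTrack or Jetty code: it reports sample passwords left in place, keystore files that are missing or accessible to other users, and a connector port that differs from securePort. The function names, the wording of the findings and the condensed sample with its /nonexistent paths are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

SAMPLE_SECRETS = {"password", "trustPassword"}  # placeholders from this page's sample

def ssl_settings(root):
    """Return {name: value} for the <Set> children of the SslContextFactory."""
    for new in root.iter("New"):
        if new.get("class", "").endswith(".SslContextFactory"):
            return {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
    return {}

def audit(xml_text):
    """Return a list of findings for one jetty.xml document."""
    root = ET.fromstring(xml_text)  # the external DTD is not fetched
    cfg = ssl_settings(root)
    if not cfg:
        return ["no SslContextFactory configured"]
    findings = []
    for key in ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword"):
        if cfg.get(key, "") in SAMPLE_SECRETS:
            findings.append(f"{key}: sample value left in place")
    for key in ("KeyStorePath", "TrustStorePath"):
        path = cfg.get(key)
        if path and not os.path.isfile(path):
            findings.append(f"{key}: file not found")
        elif path and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key}: accessible to group or other users")
    # Every <Set name="port"> should match the advertised securePort.
    sets = [(s.get("name"), (s.text or "").strip()) for s in root.iter("Set")]
    secure = {v for n, v in sets if n == "securePort"}
    if any(n == "port" and v not in secure for n, v in sets):
        findings.append("port: connector port differs from securePort")
    return findings

# Constructed, condensed sample (paths are hypothetical and do not exist).
SAMPLE = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">/nonexistent/keystore</Set>
    <Set name="KeyStorePassword">password</Set>
    <Set name="TrustStorePath">/nonexistent/truststore</Set>
    <Set name="TrustStorePassword">trustPassword</Set>
  </New>
  <New class="org.eclipse.jetty.server.HttpConfiguration"><Set name="securePort">8443</Set></New>
  <Set name="port">8444</Set>
</Configure>"""

print("\n".join(audit(SAMPLE)))
```

Because jetty.xml holds the keystore passwords in clear text, the same permission check is worth applying to the configuration file itself.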
Last modified: 18 April 2017