Reverse Proxy Configuration
You can set up YouTrack to work behind a reverse proxy server.
The reverse proxy setup consists of the following steps:
- Configure YouTrack to point to the base URL of the proxy server.
Configure the headers of your proxy server. This page includes guidelines for Apache, IIS, and NGINX servers.
Prerequisites
To get the best performance from your YouTrack installation, your proxy server should support HTTP/2. For most servers, the HTTP/2 protocol only works with HTTPS connections, which means that you need to secure your connections with a SSL/TLS certificate.
You also need to ensure that the OpenSSL library that is used by the reverse proxy server is version 1.0.2 or later. With earlier versions of OpenSSL, users connect using the legacy HTTP/1.1 specification, which lacks the performance benefits of an HTTP/2 connection.
The instructions on this page assume that these requirements are met. Use the following list to determine which server version is required to complete this setup:
Server | Minimum Version |
---|---|
Apache | 2.4.17 |
IIS | 10.0 version 1709 |
NGINX | 1.11.7 |
HTTP Strict Transport Security
We also strongly recommend that you set up your reverse proxy server to use HTTP Strict Transport Security (HSTS). This protects your installation against possible man-in-the-middle attacks, where the redirect from the HTTP to the HTTPS version of the site can be exploited to direct a user to a malicious site instead of the secure version of the original page.
The instructions for proxy server header configurations that are provided on this page include the directives that support HSTS.
Performance Optimization for Worker Connections
You will also need to optimize the performance settings for your server to allow a sufficient number of connections to YouTrack. These connections are required by pages that support live updates. If you have an insufficient number of connections, or are serving pages over plain HTTP, issues and agile boards that are opened in new tabs are either blank, loading, or partially loaded.
The exact values for connection-related directives varies based on server load. Use the diagnostic tools for your reverse proxy to determine whether you provide sufficient connections and adjust these values accordingly.
Change the Base URL of your YouTrack Server
You can use the following procedure to change the base URL for both ZIP and MSI distributions. To execute these commands in an MSI distribution, open the Command Prompt window as an administrator. Always execute the configure
command on behalf of the OS user that runs the YouTrack service. This command creates configuration files and folders. The YouTrack service user should have sufficient permissions to access these files and folders.
To change the base URL for a ZIP or MSI distribution:
Stop the YouTrack service. For specific instructions, see Stop and Start YouTrack.
In a command-line interface, change the directory to
<youtrack_home>/bin/
.For a ZIP installation, the
<youtrack_home>
directory is the location where the ZIP distribution was unpacked during installation.For an MSI installation, the
<youtrack_home>
directory is the location where YouTrack was installed.
Enter the following command:
youtrack.sh configure --listen-port 1111 --base-url https://youtrack.mydomain.com:XXXX1111
is the port number that your YouTrack server listens to.https://youtrack.mydomain.com
is the address of your proxy server.XXXX
is the port number your proxy server listens to.
Configure the headers in your proxy server. Follow the guidelines that are appropriate for your Apache, IIS, or NGINX server.
Start the YouTrack service. For specific instructions, see Stop and Start YouTrack.
To change the base URL for a JAR distribution:
Run the
configure
command for the YouTrack service:java -jar youtrack-<version>.jar configure --listen-port 1111 --base-url https://youtrack.mydomain.com:XXXX1111
is the port number that your YouTrack server listens to.https://youtrack.mydomain.com
is the address of your proxy server.XXXX
is the port number your proxy server listens to.
Configure the headers in your proxy server. Follow the guidelines that are appropriate for your Apache, IIS, or NGINX server.
Start the YouTrack service.
To change the Base URL of the YouTrack service in a Docker container:
Stop YouTrack:
docker exec <containerId> stop
-
Execute the following command:
docker run --rm -it \ -v <path to conf directory>:/opt/youtrack/conf \ jetbrains/youtrack:<version> \ configure --base-url=https://youtrack.mydomain.com:XXXXhttps://youtrack.mydomain.com
is the address of your proxy server.XXXX
is the port number that your proxy server listens to.
Important: For the docker container, the application listen port inside the container is not changed. That's why it isn't mentioned in the provided command. Instead, you should configure your proxy server to pass all traffic to the host port that is mapped to the application listen port inside the container. The host port is configured with
-p
parameter when you execute thedocker run
command:
-p {port on the host machine to pass the traffic from proxy}:8080
-
Start YouTrack:
docker start <containerId>
Configure Proxy Server Headers
To configure the headers in your proxy server, follow the guidelines that are specific to your server. Configuration guidelines for Apache HTTP Server, IIS, NGINX, and Pound are provided below.
Apache HTTP Server Configuration
To use an Apache HTTP Server as a reverse proxy, you need to run an a2enmod
script and add directives to a .conf
file on your server.
Requires Apache httpd version 2.4.17 or later.
To set up an Apache HTTP Server as a reverse proxy:
Use the following
a2enmod
script to enable theheaders
,rewrite
,proxy_http
,ssl
, andhttp2
modules:$ a2enmod headers $ a2enmod rewrite $ a2enmod proxy_http $ a2enmod ssl $ a2enmod http2Add the following directives to the
VirtualHost
section of a relevant.conf
file:Protocols h2 http/1.1 RequestHeader set X-Forwarded-Proto "https" RewriteEngine on AllowEncodedSlashes on ProxyRequests off ProxyPass / http://127.0.0.1:1111/ ProxyPassReverse / http://127.0.0.1:1111/ SSLEngine On SSLCertificateFile <path_to_certificate> SSLCertificateKeyFile <path_to_key>Set the following variables to match your Hub configuration:
Replace
1111
with the actual port number that your Hub server listens to.Set the value for the
<path_to_certificate>
to the location of the SSL/TLS certificate for your server.Set the value for the
<path_to_key>
to the location of the PEM-encoded private key file for the server certificate.
Add the additional HSTS header to the HTTPS VirtualHost directive. Max-age is measured in seconds.
# Guarantee HTTPS for 1 Year including subdomains Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"Note that this header is only valid on a HTTPS VirtualHost.
Add a server-side redirect to upgrade non-HTTPS connections the first time the site is accessed. Add this to the non-HTTP VirtualHost.
[...] ServerName myYouTrackService.com Redirect permanent / https://myYouTrackService.com/Replace
myYouTrackService.com
with the actual domain name of your YouTrack server.
For more information, refer to the documentation for the Apache Module mod_proxy.
IIS Server Configuration
To use an IIS server as a reverse proxy, you need to use the Application Request Routing (ARR) extension.
Requires IIS version 10.0 version 1709 or later.
To set up an IIS server as a reverse proxy:
Download and install the Application Request Routing (ARR) extension from the Microsoft website.
In IIS Manager, connect to the IIS server - in this case,
localhost
.Highlight the server in the Connections pane.
Double-click URL Rewrite.
Click View server variables in the right pane.
Add the following server variables to the list:
HTTP_X_FORWARDED_HOST HTTP_X_FORWARDED_SCHEME HTTP_X_FORWARDED_PROTOSet the response buffer threshold. For single web servers:
Select the server in the Connections pane.
Double-click Application Request Routing Cache.
Click Server Proxy Settings under the Proxy heading in the Actions pane.
Select the Enable proxy checkbox, set the Response buffer threshold to
0
, then click Apply. Leave the default values in place.
For server farms:
Select the YouTrack server farm in the Connections pane.
Double-click the Proxy icon.
In the Buffer Setting section of the form, set the Response buffer threshold to
0
, then click Apply.
Deselect the Reverse rewrite host in response headers checkbox and click Apply.
In the Connections pane, under Sites, select Default Web Site.
Double-click the URL Rewrite feature, then click Add Rule(s) in the Actions pane.
Add a reverse proxy rule with the server name:
localhost:1111
(replace with the real location and port of your YouTrack service).Open the rule, check the rewrite URL, and add the following server variables:
Set the
HTTP_X_FORWARDED_HOST
variable to{HTTP_HOST}
.Set the
HTTP_X_FORWARDED_SCHEME
variable tohttps
.Set the
HTTP_X_FORWARDED_PROTO
tohttps
.
Make sure that anonymous authentication is enabled:
In the Sites section of the Connections pane, select Default Web Site.
Double-click Authentication, select Anonymous, then click Enable in the right pane.
Make sure that Dynamic Content Compression is disabled. The location of this setting varies by operating system.
In the Connections pane, under Sites, select Default Web Site.
Double-click the Request Filtering feature, then click Edit Feature Settings in the Actions pane.
Increase the values for the following parameters:
Parameter
Value
Maximum URL length
6144
Maximum query string
4096
Add a new SSL binding to the Default Web Site.
The address that the SSL binding listens to (Host URL) should match the YouTrack base URL.
The certificate that you choose should correspond to the server DNS address.
Configure the HTTP Strict Transport Security (HSTS) settings for the Default Web Site
Set the
enabled
attribute for the<hsts>
totrue
.Specify a value for the
max-age
attribute. For example,31536000
(one year, in seconds).Set the values for the
includeSubDomains
andredirectHttpToHttps
totrue
as well.
For specific instructions, please refer to the ISS configuration reference.
NGINX Server Configuration
The basic requirements for configuring an NGINX server as a reverse proxy consists of the following steps:
Update the values for the worker_rlimit_nofile and worker_connections directives. This ensures that YouTrack is afforded a reasonable number of connections to support live updates in multiple issue views.
Set the variables for the server_name directive.
Add the proxy_set_header and proxy_pass directives.
Requires NGINX version 1.11.7 or later.
To configure NGINX reverse proxy headers:
Open the configuration file for your NGINX server. By default, the configuration file is named
nginx.conf
. The default directory is either/usr/local/nginx/conf
,/etc/nginx
, or/usr/local/etc/nginx
.You can find the exact location of the configuration file by entering
nginx -V
in a command line interface.Increase the value for the
worker_rlimit_nofile
directive to a minimum value of4096
.In the
events
section, increase the value for theworker_connections
directive to a minimum value of2048
.Update the
server
directive and add theproxy_set_header
andproxy_pass
directives in your configuration file. Use the following sample as a guide:server { listen 443 ssl http2; ssl_certificate <path_to_certificate>; ssl_certificate_key <path_to_key>; server_name localhost; add_header Strict-Transport-Security max-age=31536000; location / { proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 10m; proxy_http_version 1.1; proxy_pass http://youtrackmachine.domain.local:1111; } location /api/eventSourceBus { proxy_cache off; proxy_buffering off; proxy_read_timeout 86400s; proxy_send_timeout 86400s; proxy_set_header Connection ''; chunked_transfer_encoding off; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_pass http://youtrackmachine.domain.local:1111; } }Set the following variables to match your YouTrack configuration:
listen 443
is the port number that you specified in the--base-url
parameter.proxy_pass http://youtrackmachine.domain.local:1111
is the path to your YouTrack server with the port that you specified with the-–listen-port
command.
Save and close your configuration file.
Check for errors in your NGINX configuration by stopping and starting the server with the following commands:
sudo nginx -s stop sudo nginxAlternatively, you can reload the configuration with the following command:
sudo nginx -s reload
The client_max_body_size
directive defines the maximum amount of data that NGINX accepts in an HTTP request. If you don't specify a value, the default set by NGINX is 1 megabyte. We recommend that you increase the maximum to 10 megabytes to correspond to the default value in YouTrack.
The second location
block disables buffering for connections from the agile board to support live updates. If you customize any of the common connection settings in the first location
block, you should set the same custom parameters for the /api/eventSourceBus
location. You can also put all of your common settings in a separate file and reference the file with an include
directive. For more information, read the NGINX documentation.
If you use a Java keystore, you need to convert it to the PKCS12 format to use a NGINX server as an SSL-terminating proxy. The following procedure shows you how to convert the keystore using keytool and openssl.
To convert a Java keystore to PKCS12 format:
Use keytool to convert your current
.jks
file to the PKCS12 key store format.p12
:keytool -importkeystore -srckeystore oldkeystore.jks -destkeystore newkeystore.p12 -deststoretype PKCS12 Enter destination keystore password: [enter private key password from oldkeystore.jks, it will be password for newkeystore.p12] Re-enter new password: [same as above] Enter source keystore password: [enter password for oldkeystore.jks] ... Enter key password for <key alias name> [enter private key password from oldkeystore.jks] ...You will be required to enter a "destination keystore password". If your
.jks
keystore contains a private key with a password, then the "destination keystore password" should equal the password of the private key.List the contents of the new key store file:
keytool -deststoretype PKCS12 -keystore newkeystore.p12 -list Enter keystore password: [enter password for newkeystore.p12 provided on step 1] ...Extract the .pem file (certificate) from the
.p12
key store:openssl pkcs12 -nokeys -in newkeystore.p12 -out certfile.pem Enter Import Password: [enter password for newkeystore.p12 provided on step 1] ...Extract the unencrypted key file from the
.p12
key store:openssl pkcs12 -nocerts -nodes -in newkeystore.p12 -out keyfile.key Enter Import Password: [enter password for newkeystore.p12 provided on step 1] ...
CORS Support
If you use an external Hub service, YouTrack may require CORS support to make calls to Hub. The aforementioned configurations work fine and don't require any further tuning. Additional custom proxy rules, however, may interfere with CORS, making login to YouTrack impossible.
Consider the following guidelines when using an external Hub service behind the reverse proxy:
Proxy rules should not block CORS-related HTTP headers:
Access-Control-Request-Method
Access-Control-Request-Headers
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Allow-Methods
Access-Control-Allow-Headers
The proxy server should allow HTTP OPTIONS requests.
HTTP OPTIONS requests should not be a subject of proxy-enforced authentication, if any. For example, you may want to set up certificate-based authentication to comply with enterprise security policy. In this case, an authentication check should be skipped if incoming request is an OPTIONS type. OPTIONS requests cannot return any customer-related data by themselves, so it's safe to let them in.
Troubleshooting
If users report problems working with YouTrack behind a reverse proxy server, check the following errors.
Condition | YouTrack displays the error message: "The live update connection is taking longer than expected." |
---|---|
Cause | Your reverse proxy server is buffering connections that support live updates. |
Solution | Verify the current settings for your reverse proxy server and confirm that your connections are not subject to buffering.
|
Condition | Your reverse proxy is configured as described in this guide or you are not using a reverse proxy. You continue to see the error message: "The live update connection is taking longer than expected." |
---|---|
Cause | You are using anti-virus or endpoint security software that blocks server-sent events. |
Solution | Disable your software settings to allow automatic updates from the server. |
Condition | Error 413 Request Entity Too Large. |
---|---|
Cause | A user attempts to upload an attachment that exceeds the maximum body size accepted by the reverse proxy server. |
Solution | Verify the current settings for your reverse proxy server and increase the maximum allowed size, if required. The recommended value for this setting is 10 megabytes.
|
Condition | Users are periodically logged out of YouTrack. |
---|---|
Cause | The built-in Hub service uses a hidden inline frame to refresh authentication tokens. If you have set the value for the |
Solution | All responses that contain static content from the Hub service set the value for the |
Condition | Issues and agile boards that are opened in new tabs are either blank, loading, or partially loaded. |
---|---|
Cause | Your proxy server doesn't support the number of connections that are required by pages that support live updates. The average upper limit is 30 connections per user. Users who open several issue views on different browser tabs can use up all of the available connections. |
Solution | Tune the performance settings of your reverse proxy server to allow more connections to YouTrack.
|