Setting up YouTrack via https over IIS Reverse Proxy

Hello everyone,

I am trying to set up YouTrack, along with the JetBrains services TeamCity, Hub and UpSource, to run over https by means of an IIS reverse proxy.

I have operated as detailed in the documentation, but I am not having any success. Despite having tried various variants, I have not been able to figure out a successful one.

Currently, we have YouTrack installed on a server under a URL like: http://server.company.com:8080/issues

I am trying to get it to work from the following url: https://server.company.com/youtrack/

I have already managed to set up an almost identical URL Rewrite for OctopusDeploy on the same server (https://server.company.com/octopus/ -> http://server.company.com:8888/octopus), so I know it is at least theoretically possible. By extension, I know that the issue must lie with some sort of peculiarity with YouTrack, as opposed to IIS. Also, it works for TeamCity, and kinda works for Hub (some security issues due to Hub using http for some things).

Anyway, my web.config currently looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Reverse Proxy to TeamCity" stopProcessing="true">
                    <match url="^teamcity/(.*)" />
                    <action type="Rewrite" url="http://server.company.com/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to YouTrack" stopProcessing="true">
                    <match url="^youtrack/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/issues/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
                        <set name="HTTP_X_FORWARDED_SCHEMA" value="https" />
                        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                    </serverVariables>
                </rule>
                <!--rule name="Reverse Proxy to Oauth" stopProcessing="true">
                    <match url="^oauth(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/oauth{R:1}" />
                </rule-->
                <rule name="Reverse Proxy to Hub" stopProcessing="true">
                    <match url="^hub/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8082/hub/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to UpSource" stopProcessing="true">
                    <match url="^upsource/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8081/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to Octopus" stopProcessing="true">
                    <match url="^octopus/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8888/octopus/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to Collaboration General" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://server.company.com/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering>
                <requestLimits maxUrl="6144" maxQueryString="4096" />
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

This currently results in a redirect to a TeamCity 404 page that happens when YouTrack somehow manages to make a redirect to https://server.company.com/oauth/?state=%2Fissues%2F that supersedes the URL rewrite, thus causing the default action "Reverse Proxy to Collaboration General" to kick in (I had to add this to get TeamCity to work) because the url no longer matches the pattern for the YouTrack rule.

I have added the following rule to counter this:

                <rule name="Reverse Proxy to Oauth" stopProcessing="true">
                    <match url="^oauth(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/oauth{R:1}" />
                </rule>

However, when this rule is active, I am instead redirected to an empty page under https://server.company.com/oauth?state=%2Fissues%2F.

I have also tried the following variant with trailing "/" after "oauth":

                <rule name="Reverse Proxy to Oauth" stopProcessing="true">
                    <match url="^oauth/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/oauth/{R:1}" />
                </rule>

However, that only causes the following text-only page to show up:

Diese Seite wurde nicht gefunden
Sie sind nicht angemeldet.
Zurück Anmelden Tickets

All these results are for configurations based on the following command:

youtrack.bat configure --listen-port 8080 --base-url https://server.company.com:443 

I have also tried the following variant of that command:

youtrack.bat configure --listen-port 8080 --base-url https://server.company.com/youtrack/ 

However, that only causes the following error:

• HTTP ERROR: 404
• Problem accessing /issues/. Reason:
• Not Found
• Powered by Jetty:// 9.3.20.v20170531

Also, changing the web.config not to point to issues, such as follows:

                    <action type="Rewrite" url="http://server.company.com:8080/{R:1}" />

...only causes the error message to change accordingly:

• HTTP ERROR: 404
• Problem accessing /. Reason:
• Not Found
• Powered by Jetty:// 9.3.20.v20170531

At this point, I'm pretty much at my wit's end. I've tried everything I can think of and still have not gotten a single step closer to the solution. I know for a fact that it is possible to run YouTrack under https because the JetBrains issue tracker itself is doing so (https://youtrack.jetbrains.com), but I can't figure out how to get it to work for us.

Does anyone have any ideas how I could resolve this? Any pointers or suggestions would be greatly appreciated at this point.

Thanks in advance,

Kira Resari

4 comments
Official comment

Hello,

 

First, you need to reconfigure YouTrack itself to use the correct base URL with /youtrack in Administration > General settings.

After that, and after restarting YouTrack, you need to add something like this in IIS:

```
<rule name="Reverse Proxy to YouTrack" stopProcessing="true">
    <match url="^youtrack/(.*)" />
    <action type="Rewrite" url="http://server.company.com:8080/youtrack/{R:1}" />
</rule>
```


Hi Luba,

thank you for the reply.

I've now set up youtrack's base url to be http://server.comapany.com:8080/youtrack with the command "youtrack.bat configure --listen-port 8080 --base-url http://server.comapany.com:8080/youtrack" and adjusted my web.config to read:

                <rule name="Reverse Proxy to YouTrack" stopProcessing="true">
                    <match url="^youtrack(.*)" />
                    <action type="Rewrite" url="http://server.comapany.com:8080/youtrack{R:1}" />
                </rule>

Now, when I try to access  , the first result is that the site "Loading YouTrack" (with the animation) is displayed for several minutes under the URL https://server.comapany.com/youtrack/oauth#access_token=1522807852630.b2654379-101c-4c5c-a1b0-c0a660923885.2b523098-571f-43ea-99fc-379e18efd9d7.b2654379-101c-4c5c-a1b0-c0a660923885+c2155f2c-61dc-4fca-97ad-17aa029f5bc7+0-0-0-0-0;1.MCwCFDF+zyhQK4TTmh1JgmXrJcGBcNB+AhRvE77DSsGF9zwGzwqQBO+8hDFruw==&token_type=Bearer&expires_in=3600&scope=b2654379-101c-4c5c-a1b0-c0a660923885+c2155f2c-61dc-4fca-97ad-17aa029f5bc7+0-0-0-0-0&state=405a2c63-5076-4252-8aaf-45091dd8c9cb (when accessed from the YouTrack server) or https://server.comapany.com/youtrack/oauth?state=%2Fyoutrack%2F (when accessed remotely).

On the YouTrack server itself, this continues indefinitely. However, when trying to access YouTrack remotely, I am eventually redirected to an http (not https) login page of Hub: http://server.comapany.com:8082/hub/auth/login?response_type=token&client_id=b2654379-101c-4c5c-a1b0-c0a660923885&redirect_uri=https:%2F%2Fserver.company.com%2Fyoutrack%2Foauth&scope=b2654379-101c-4c5c-a1b0-c0a660923885%20Upsource%20TeamCity%20YouTrack%2520Slack%2520Integration%200-0-0-0-0&state=4424edae-90cb-45e2-aa40-2b23209592b2 .

Trying to log in on that page has the effect that I am re-directed to that same page again.

So I guess this is some progress, but unfortunately the issue seems to be not quite resolved yet. Can you please help me see this through?

0

Okay, so I figured out how to do this. The final piece that was still missing was reconfiguring the hub-url for YouTrack as follows:

NOTE: All commands beginning with hub.bat need to be performed on the hub.bat file in [Hub Installation Directory]\bin and all commands beginning with youtrack.bat need to be performed on the youtrack.bat file in [YouTrack Installation Directory]\bin.

youtrack.bat stop
hub.bat stop

hub.bat configure --listen-port 8082 --base-url https://server.company.com/hub
youtrack.bat configure --listen-port 8080 --base-url=https://server.company.com/youtrack --hub-url=https://server.company.com/hub/hub

hub.bat start
youtrack.bat start

NOTE: I don't know why, but Hub appends an extra /hub after its base address, that's why the hub-url setting for YouTrack ends with /hub/hub.

After that, all I needed to do was add the redirection URL to the list of allowed redirection URLs for YouTrack in Hub > Settings > Services > YouTrack, and now it works perfectly.

0
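A check for the symptom this thread chases (login redirects that leave the HTTPS proxy for a backend http:// port, or a redirect_uri that points at one), as an added example that is not part of the original posts. The function names and sample URLs are constructed, and the proxied login path is assumed from the /hub/hub hub-url mentioned above.

```python
from urllib.parse import urlsplit, parse_qs

# Public origin of the IIS reverse proxy, as used in the thread.
PUBLIC_ORIGIN = ("https", "server.company.com", 443)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample URLs modelled on the thread (placeholders, not real captures).
# The /hub/hub/auth/login path is an assumption based on the hub-url in the thread.
BACKEND_LOGIN = ("http://server.company.com:8082/hub/auth/login?response_type=token"
                 "&client_id=CLIENT-ID&redirect_uri=https:%2F%2Fserver.company.com%2Fyoutrack%2Foauth")
PROXIED_LOGIN = ("https://server.company.com/hub/hub/auth/login?response_type=token"
                 "&client_id=CLIENT-ID&redirect_uri=https:%2F%2Fserver.company.com%2Fyoutrack%2Foauth")
BACKEND_CALLBACK = ("https://server.company.com/hub/hub/auth/login?response_type=token"
                    "&redirect_uri=http:%2F%2Fserver.company.com:8080%2Fyoutrack%2Foauth")
TOKEN_CALLBACK = "https://server.company.com/youtrack/oauth#access_token=CONSTRUCTED&token_type=Bearer"


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def audit_redirect(url, public_origin=PUBLIC_ORIGIN):
    """List the ways a redirect target steps outside the HTTPS reverse proxy."""
    findings = []
    parts = urlsplit(url)
    scheme, host, port = origin(url)
    if scheme != "https":
        findings.append("plaintext scheme: " + scheme)
    if (host, port) != public_origin[1:]:
        findings.append("leaves proxy origin: %s:%s" % (host, port))
    # OAuth parameters sit in the query (login request) or the fragment (token response).
    fragment = parse_qs(parts.fragment)
    for target in parse_qs(parts.query).get("redirect_uri", []):
        if origin(target) != public_origin:
            findings.append("redirect_uri off proxy origin: " + target)
    if "access_token" in fragment:
        findings.append("access_token in fragment: redact before logging or sharing")
    return findings


if __name__ == "__main__":
    for sample in (BACKEND_LOGIN, PROXIED_LOGIN, BACKEND_CALLBACK, TOKEN_CALLBACK):
        print(audit_redirect(sample) or "ok", "<-", sample.split("?")[0].split("#")[0])
```

Feeding it the Location headers seen while logging in through the proxy shows whether the base-url and hub-url settings of both services resolve to the public HTTPS origin.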

 Kira,

Thank you for the update! Glad to know it works. 

0
