Setting up YouTrack via https over IIS Reverse Proxy

Question

I am trying up to set YouTrack, along with the JetBrains services TeamCity, Hub and UpSource to run over https by means of an IIS reverse proxy.

I have operated as detailed in the documentation, but I am not having any success, despite having tried various variants, I have not been able to figure out a successful one.

Currently, we have YouTrack installed on a server under an url like: http://server.company.com:8080/issues

I am trying to get it to work from the following url: https://server.company.com/youtrack/

I have already managed to set up an almost identical URL Rewrite for OctopusDeploy on the same server (https://server.company.com/octopus/ -> http://server.company.com:8888/octopus), so I know it is at least theoretically possible. By extension, I know that the issue must lie with some sort of peculiarity with YouTrack, as opposed to IIS. Also, it works for TeamCity, and kinda works for Hub (some security issues due to Hub using http for some things).

Anyway, my web.config currently looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Reverse Proxy to TeamCity" stopProcessing="true">
                    <match url="^teamcity/(.*)" />
                    <action type="Rewrite" url="http://server.company.com/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to YouTrack" stopProcessing="true">
                    <match url="^youtrack/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/issues/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
                        <set name="HTTP_X_FORWARDED_SCHEMA" value="https" />
                        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                    </serverVariables>
                </rule>
                <!--rule name="Reverse Proxy to Oauth" stopProcessing="true">
                    <match url="^oauth(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/oauth{R:1}" />
                </rule-->
                <rule name="Reverse Proxy to Hub" stopProcessing="true">
                    <match url="^hub/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8082/hub/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to UpSource" stopProcessing="true">
                    <match url="^upsource/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8081/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to Octopus" stopProcessing="true">
                    <match url="^octopus/(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8888/octopus/{R:1}" />
                </rule>
                <rule name="Reverse Proxy to Collaboration General" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://server.company.com/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering>
                <requestLimits maxUrl="6144" maxQueryString="4096" />
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

This currently results in a redirect to a TeamCity 404 page that happens when YouTrack somehow manages to make a redirect to https://server.company.com/oauth/?state=%2Fissues%2F that supersedes the URL rewrite, thus causing the default action "Reverse Proxy to Collaboration General" to kick in (I had to add this to get TeamCity to work) because the url no longer matches the pattern for the YouTrack rule.

I have added the following rule to counter this:

            <rule name="Reverse Proxy to Oauth" stopProcessing="true">
                <match url="^oauth(.*)" />
                <action type="Rewrite" url="http://server.company.com:8080/oauth{R:1}" />
            </rule>

However, when this rule is active, I am instead redirected to an empty page under https://server.company.com/oauth?state=%2Fissues%2F.

I have also tried the following variant with trailing "/" after "oauth":

            <rule name="Reverse Proxy to Oauth" stopProcessing="true">
                <match url="^oauth/(.*)" />
                <action type="Rewrite" url="http://server.company.com:8080/oauth/{R:1}" />
            </rule>

However, that only causes the following text-only page to show up:

Diese Seite wurde nicht gefunden
Sie sind nicht angemeldet.
Zurück Anmelden Tickets

All these results are for configurations based on the following command:

youtrack.bat configure --listen-port 8080 --base-url https://server.company.com:443 

I have also tried the following variant of that command:

youtrack.bat configure --listen-port 8080 --base-url https://server.company.com/youtrack/

However, that only causes the following error:

HTTP ERROR: 404
Problem accessing /issues/. Reason:
Not Found
Powered by Jetty:// 9.3.20.v20170531

Also, changing the web.config not to point to issues, such as follows:

                <action type="Rewrite" url="http://server.company.com:8080/{R:1}" />

...only causes the error message to change accordingly:

HTTP ERROR: 404
Problem accessing /. Reason:
Not Found
Powered by Jetty:// 9.3.20.v20170531

At this point, I'm pretty much at my wit's end. I've tried everything I can think of and still have not gotten a single step closer to the solution. I know for a fact that it is possible to run YouTrack under https because the JetBrains issue tracker itself is doing so (https://youtrack.jetbrains.com), but I can't figure out how to get it to work for us.

Does anyone have any ideas how I could resolve this? Any pointers or suggestions would be greatly appreciated at this point.

---

UPDATE 4-Apr-2018

I have made some progress with this, but it is still not quite working.

A customer support employee from YouTrack pointed out to me that the base url and the redirect url need to end on the same path, so I used this command on the youtrack.bat...

youtrack.bat configure --listen-port 8080 --base-url http://server.company.com:8080/youtrack

...and set the web.config section up as follows:

                <rule name="Reverse Proxy to YouTrack" stopProcessing="true">
                    <match url="^youtrack(.*)" />
                    <action type="Rewrite" url="http://server.company.com:8080/youtrack{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
                        <set name="HTTP_X_FORWARDED_SCHEMA" value="https" />
                        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                    </serverVariables>

Now I get as far as the login.

From this point onwards, the problem appears to be related to Hub, because the login redirects me to the http version of hub and then traps me in an endless loop, where every login attempt just redirects to the login page.

Answer 1

Please change base URLs from http to https for both YouTrack(https://www.jetbrains.com/help/youtrack/standalone/Reverse-Proxy-Configuration.html#Change_Base_URL) and Hub(https://www.jetbrains.com/help/hub/Proxy-Configuration.html#change-baseurl-zip-msi) and restart both services. Please should also solve the problem with the redirection. If it doesn't, then please try cleaning the browser cache and check again. Please let me know if it helps.

Answer 2

Okay, so I figured out how to do this. Ana's answer was almost correct, but it lacked one final crucial step: Reconfiguring the hub-url parameter for YouTrack to match the new Hub URL.

NOTE: All commands beginning with hub.bat need to be performed on the hub.bat file in [Hub Installation Directory]\bin and all commands beginning with youtrack.bat need to be performed on the youtrack.bat file in [YouTrack Installation Directory]\bin.

youtrack.bat stop
hub.bat stop

hub.bat configure --listen-port 8082 --base-url https://server.company.com/hub
youtrack.bat configure --listen-port 8080 --base-url=https://server.company.com/youtrack --hub-url=https://server.company.com/hub/hub

hub.bat start
youtrack.bat start

NOTE: I don't know why, but Hub appends an extra /hub after its base address, that's why the hub-url setting for YouTrack ends with /hub/hub.

After that, all I needed to do was add the redirection URL to the list of allowed redirection URLs for YouTrack in Hub > Settings > Services > YouTrack, and now it works perfectly.