.Net, Azure and occasionally gamedev

Jetbrains SSL setup on Windows

2017/09/09

This is an older post from back when I was using YouTrack and TeamCity at my old company. Since I have limited time right now I decided to just share it.

While I personally have switched to Visual Studio Team Services, YouTrack and TeamCity remain viable products for bug tracking and building code.

YouTrack is free for up to 10 users and TeamCity allows up to 20 build configurations (though it is limited to a single build agent) in its free version - which is more than enough to get going.


This document will describe:

For the sake of this document, I will pretend to host TeamCity on teamcity.company.com and YouTrack on youtrack.company.com; you will obviously have to replace these with your own domains if you follow this tutorial.

I will also assume that you have already pointed your domain to your server using A records or CNAME and that you can already reach your server via the domain. If not, do that and wait until the DNS cache updates to reflect your domain target.

Getting SSL certificates

In order for https to work, certificates are needed. If you already possess valid certificates for the domains you intend to use, skip this section.

Otherwise I recommend you use the Let's Encrypt service as it allows you to get valid certificates for free.

Here's a great tutorial on how to use it on Windows.

Using the letsencrypt-win-simple tool I was able to create valid certificates within a few minutes.

If for some reason you can't use letsencrypt and don't want to pay for certificates there is also the option to create self-signed certificates.

Note that these are not considered valid by any browser, so every browser will issue warnings.

Do not use a self-signed certificate in production. Use it only for testing.

Self-signed certificates work great inside a corporate environment (where e.g. each machine comes preinstalled with the company's root certificate).

The downsides of self-signed certificates are:

In order to create the self-signed certificate with IIS follow the steps in this tutorial.

Essentially:

Opening ports on Azure

Now that you have certificates and the domain is pointing to the server it is time to open the ports if you have not already done so.

If the server is hosted on Azure, all ports are blocked by default (except the RDP port).

So you need to:

This will open ports 80 and 443 and expose your server to the internet (making it reachable via the domain name).

If you want to use different ports, you can do so by choosing the "custom" service and entering the port (range) manually.

Protip: Azure may change your VM's IP at any time, you might want to force the IP to be static.

To do so, select your VM in Azure and click on the Public IP. The next section will have a "Configuration" entry (note: for me this entry took a few hours to appear after I created the VM).

On the Configuration tab you can then change the Assignment from "dynamic" to "static".

Note that Azure doesn't guarantee this IP to be static forever. "Static" simply means "very long living" (I hope at least a few years, but I couldn't find any details on this elusive definition of "static").

TeamCity and YouTrack on Windows

After installing both services and configuring them correctly, they should be available on the internal machine.

Currently the YouTrack installer doesn't ask for a port and simply picks port 80 (only the TeamCity installer allows you to set a port), but you can go to

<data dir>\conf\internal\bundle.properties (<data dir> defaults to C:\ProgramData\Jetbrains\Youtrack) for Youtrack

and change

listen-port=80

to e.g.

listen-port=8081

Afterwards open services.msc via start and restart the "Jetbrains YouTrack" server.

For the sake of this document, I will assume you have configured TeamCity to run on port 8080 (the installer's default) and YouTrack on 8081.

Now both TeamCity and YouTrack should be accessible on the local server via:

Next up, I installed ARR (Application Request Routing 3.0) via the "Web Platform Installer".

You may want to follow part of this tutorial to install it, but essentially it's just installing and launching Web Platform Installer and adding "Application Request Routing".

(Though don't create the Server Farm they propose in the tutorial. You won't need it).

Next, I followed this tutorial. I copied the relevant steps from there:

To use IIS and ARR as a reverse proxy:

  1. Install ARR (already done above)
  2. In IIS Manager, connect to the IIS server - in this case, localhost
  3. Highlight the server in the Connections pane
  4. Double-click URL Rewrite
  5. Click View server variables on the right pane
  6. Add HTTP_X_FORWARDED_HOST, HTTP_X_FORWARDED_SCHEMA and HTTP_X_FORWARDED_PROTO to the list
  7. Highlight the server in the Connections pane
  8. Double-click Application Request Routing Cache
  9. Click Server Proxy Settings under the Proxy heading in the Actions pane.
  10. Tick the Enable proxy checkbox (was already checked by default for me)
  11. Clear the "Reverse rewrite host in response headers" checkbox and then click Apply.

The next steps need to be repeated for both TeamCity and YouTrack:

Instead of (ab)using the default website as described in the link above, I chose to create two sites "TeamCityProxy" and "YouTrackProxy".

  1. In the Connections pane, under Sites, highlight Default Web Site (I chose to create a new site called "TeamCityProxy" and "YouTrackProxy").
  2. Double-click the URL Rewrite feature, and click "Add Rule(s)..." in the Actions pane.
  3. Add a reverse proxy rule, with server name: localhost:8080 (replace with real location and port of your TeamCity/YouTrack service)
  4. Open created rule, check rewrite URL, add server variables:
    1. set HTTP_X_FORWARDED_HOST to {HTTP_HOST}
    2. set HTTP_X_FORWARDED_SCHEMA to https (if the IIS site is configured to https, else set to http )
    3. set HTTP_X_FORWARDED_PROTO to https (if the IIS site is configured to https, else set to http )
  5. Make sure that anonymous authentication is enabled:
    1. In the Sites section of the Connections pane, select Default Web Site.
    2. Double-click Authentication, select Anonymous, then click Enable in the right pane.

From here on, I differ from the linked tutorial:

  1. In IIS highlight the Website and click on "Bindings.." on the right.
  2. Add both an http and an https binding on the default ports (:80 and :443 respectively). Both times choose the URL that you want to use (in my case teamcity.company.com / youtrack.company.com)
    1. For https you need to select a certificate. If you have a valid certificate: good, install and use it. If not, see the "Getting SSL certificates" section above and use a self-signed one
  3. Edit the web.config file of the website manually. It will be located in the website's directory. Add the following rule above the existing rule:

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
    </conditions>
    <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

The entire web.config should now look like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
                </rule>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://localhost:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
                        <set name="HTTP_X_FORWARDED_SCHEMA" value="https" />
                        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
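To see how IIS walks these two rules (and why the redirect rule has to sit above the proxy rule with stopProcessing="true"), here is an added Python model of URL Rewrite's rule evaluation run over a trimmed copy of the web.config above. It is example code written for this page, not part of the post or of IIS; teamcity.company.com is the post's placeholder host, and HTTP_X_FORWARDED_SCHEMA is left out of the copy for brevity.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, whitespace-compacted copy of the web.config from the post.
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true"><match url="(.*)" />
 <conditions><add input="{HTTPS}" pattern="off" ignoreCase="true" /></conditions>
 <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" /></rule>
<rule name="ReverseProxyInboundRule1" stopProcessing="true"><match url="(.*)" />
 <action type="Rewrite" url="http://localhost:8080/{R:1}" />
 <serverVariables><set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" /><set name="HTTP_X_FORWARDED_PROTO" value="https" /></serverVariables></rule>
</rules></rewrite></system.webServer></configuration>"""

def expand(template, variables, groups):
    # Substitute {HTTP_HOST}-style server variables and {R:n} capture groups.
    def sub(m):
        key = m.group(1)
        return groups[int(key[2:])] if key.startswith("R:") else variables[key]
    return re.sub(r"\{([^}]+)\}", sub, template)

def evaluate(config_xml, host, path, https):
    # Walk <rules> in order as URL Rewrite does; `path` has no leading slash.
    variables = {"HTTP_HOST": host, "HTTPS": "on" if https else "off"}
    rules = ET.fromstring(config_xml).find("system.webServer/rewrite/rules")
    for rule in rules.findall("rule"):
        m = re.search(rule.find("match").get("url"), path)
        if m is None:
            continue
        groups = (m.group(0),) + m.groups()
        conds = rule.findall("conditions/add")
        if not all(re.search(c.get("pattern"), expand(c.get("input"), variables, groups),
                             re.I if c.get("ignoreCase") == "true" else 0) for c in conds):
            continue  # a condition failed: fall through to the next rule
        action = rule.find("action")
        url = expand(action.get("url"), variables, groups)
        if action.get("type") == "Redirect":
            return ("redirect", url, {})
        headers = {s.get("name"): expand(s.get("value"), variables, groups)
                   for s in rule.findall("serverVariables/set")}
        return ("rewrite", url, headers)  # stopProcessing="true": first match wins
    return ("passthrough", path, {})

def swap_rule_order(config_xml):
    # Reverse the rule order to show why the redirect rule must come first.
    root = ET.fromstring(config_xml)
    rules = root.find("system.webServer/rewrite/rules")
    for child in list(rules):
        rules.remove(child)
        rules.insert(0, child)
    return ET.tostring(root, encoding="unicode")
```

With the rules reversed, a plain-HTTP request is proxied straight to port 8080 instead of being redirected, which is exactly the misconfiguration the rule order above prevents.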

When accessing the server from outside (make sure both :80 and :443 are open in the firewall; if you are hosting your server on Azure, make sure you followed the "Opening ports on Azure" section above), the server should be accessible:

For now I decided to require login for YouTrack as well. To do so, I logged in and simply banned the Guest user via the YouTrack UI, and now YouTrack forces everyone to log in first.

Interestingly enough, the YouTrack installer has a checkbox "Allow guest login" that is checked by default; however, it cannot be unchecked for some reason. Banning the guest user seems to work, though.

TeamCity Tomcat (old way)

Initially I found a way to use the internal Tomcat server of TeamCity to force secure connections.

This however only works for TeamCity and not for YouTrack as YouTrack doesn't seem to be using Tomcat.

For reference I'll leave this section here, however I abandoned it and went on to the above listed steps as they work for both YouTrack and TeamCity.

To force Tomcat to use secure connections, follow this tutorial. After following it, I was able to access TeamCity via IP + port using SSL.


I hope this tutorial helps other people as well (or possibly me in the future once I forget all these steps and have to redo them for another service).

tagged as Jetbrains, TeamCity, YouTrack, IIS, SSL