(Windows) TeamCity Over HTTPS (No Reverse Proxy)
I got tired of seeing all the "Use a reverse proxy" for TeamCity, because... I don't need Yet Another Web Server.
So here is my guide, if anyone finds it helpful. We use self-signed certificates, where the certificate authority has been pushed to all machines through group policy. But we have to get the cert on the server.
File Locations:
Tomcat Configuration -> c:\TeamCity\conf\server.xml
Certificates (can be any directory) -> c:\Certificates
CA Certs (for HUB service) -> c:\TeamCity\jre\lib\security\cacerts
Requirements:
1. Java keystores will not import a cert and key, to my knowledge. They must be converted to a PKCS12 file. There are plenty of tutorials out there on how to combine them.
2. Java keystores will not import a PKCS12 file that does not have a password. There are plenty of tutorials out there on how to convert to a PKCS12 with a password. If it has been imported using IIS, and export was allowed, you can export it with a new password.
Creating Keystore:
keytool -importkeystore -srckeystore c:\Certificates\PasswordedPFXFile.pfx -srcstoretype PKCS12 -srcstorepass thesourcepassword -destkeystore c:\Certificates\KeyStore.jks -deststorepass changeit -destkeypass ihatejava
This will complete but give a warning. Follow up with (not sure if this step is necessary, but...)
keytool -importkeystore -srckeystore c:\Certificates\KeyStore.jks -destkeystore c:\Certificates\KeyStore.jks -deststoretype pkcs12
Source keystore password: empty
Password Prompt x3: ihatejava
Tomcat Config:
Edit (c:\TeamCity\conf\server.xml).
Only need to edit the connectors, but I'll copy in my full config down at the end.
Remove any other connectors, unless you want HTTP so you can do a redirect (I do not). Make sure to edit the port; we've got IIS on 443, YouTrack on 8443, so we're putting TeamCity on 8553.
<Connector
    port="8553"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="c:\Certificates\KeyStore.jks"
    keystorePass="ihatejava"
    clientAuth="false"
    sslProtocol="TLS"
/>
Restart the TeamCity Server Service
Stop the server service: Services->Team City Server-> Right click->Restart
Other Things
For connections from TeamCity to HUB: since HUB/YouTrack also have an SSL cert, I had to add the CA using:
keytool -importcert -trustcacerts -file c:\Certificates\CA.crt -keystore c:\TeamCity\jre\lib\security\cacerts -storepass changeit
Full Tomcat Config
<?xml version='1.0' encoding='utf-8'?>
<Server port="8105" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
    <GlobalNamingResources>
        <Resource
            name="UserDatabase"
            auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml"
        />
    </GlobalNamingResources>
    <Service name="Catalina">
        <Connector
            port="8553"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="200"
            scheme="https"
            secure="true"
            SSLEnabled="true"
            keystoreFile="c:\Certificates\KeyStore.jks"
            keystorePass="ihatejava"
            clientAuth="false"
            sslProtocol="TLS"
        />
        <Engine name="Catalina" defaultHost="localhost">
            <Realm className="org.apache.catalina.realm.LockOutRealm">
                <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
            </Realm>
            <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
            </Host>
        </Engine>
    </Service>
</Server>
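As an added example (not part of the original post, and not TeamCity's or Tomcat's own tooling), a small Python check that parses a server.xml like the one above, classifies each Connector, flags the attributes a reviewer would want fixed (a left-over HTTP listener, the cleartext keystorePass, no explicit protocol floor), and can handshake against the live port to confirm the served certificate chains to the CA.crt pushed by group policy. The embedded XML is constructed; the host name and CA path in the live check are assumptions.

```python
import ssl
import socket
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector in the post; not a real server's file.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8105" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8553" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="c:\\Certificates\\KeyStore.jks" keystorePass="ihatejava"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8111" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

def audit_connectors(server_xml):
    """Classify every <Connector> and list what a reviewer would want changed."""
    findings = {"tls_ports": [], "plaintext_ports": [], "problems": []}
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() != "true":
            # Left-over HTTP listener: credentials and session cookies cross the wire in clear.
            findings["plaintext_ports"].append(port)
            continue
        findings["tls_ports"].append(port)
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings["problems"].append(f"{port}: scheme=https and secure=true are required")
        if c.get("keystorePass"):
            # The keystore password sits in cleartext; restrict NTFS ACLs on conf\server.xml.
            findings["problems"].append(f"{port}: keystorePass is stored in cleartext in server.xml")
        if not c.get("sslEnabledProtocols"):
            # sslProtocol="TLS" alone leaves the minimum TLS version to the JVM's defaults.
            findings["problems"].append(f"{port}: no sslEnabledProtocols, JVM default versions apply")
    return findings

def verify_served_chain(host, port, ca_file, timeout=5.0):
    """Handshake against the live connector; fails unless the chain ends at our pushed CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "subject": dict(x[0] for x in cert["subject"])}

if __name__ == "__main__":
    print(audit_connectors(SAMPLE_SERVER_XML))
    # Live check against an assumed host and CA path (adjust to your environment):
    # print(verify_served_chain("teamcity.example.local", 8553, r"c:\Certificates\CA.crt"))
```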
Hi, and first of all, thanks for your contribution. Hopefully someone will find it useful.
There are, though, a number of reasons to recommend reverse proxies over Tomcat configuration. Among other things, during server upgrades, local configuration, the local Tomcat, the JVM, etc. are all subject to change. By forcing this change into the TeamCity installation directly, should any of those change you would need to manually run the process again, maybe modifying it because some new update handles certificates differently, while setting up the reverse proxy would make it independent from the installation. This is particularly important for manual upgrades to the server, as the usual process includes removing the installation directory (where the config resides) and setting up the new one.
Now, it's a perfectly valid option to decide to add it directly to tomcat, particularly for smaller installations, but it should be a conscious decision weighing the pros and cons.
Hi, thanks for the response. I believe it is always best to do a pro/con analysis, based on quantitative measurements when possible, and logical ones when not.
The only real reason I see given here seems to be upgrading, either server or software, altering a configuration file.
Luckily, the only configuration change here is the connector in server.xml. That's it. One change.
The location of the keystore that holds the certificate is static, and it can be backed up. Altering the cacerts is only needed for HUB integration, not TeamCity specific.
So if the only pro/con here is changing one line in a config file that might get blown away... that doesn't seem like much of a con for changing Tomcat config natively, and definitely isn't enough of a con to warrant the need to configure a reverse proxy (that might also one day need an update that blows away a config).
I'm not sure what the smaller vs. larger installations here is talking about, because I don't think it is concurrent users. 100 concurrent users (which I believe Tomcat can handle) would be a really, really large organization given the use case of TeamCity.