Proxying Hipchat

Written by:
Kalle Sirkesalo

Read more about Proxying Hipchat in this blog post from Eficode's Kalle Sirkesalo!

Hello once again. This time I found a topic that makes for a good guide: it is a very basic thing, but you have to dig through the internet to find the correct settings, because Atlassian has no guide on its own website for proxying Hipchat the way it does for JIRA, Confluence and so on.

I was working to make one of our local Hipchat installations work behind a reverse proxy (Nginx), which is pretty standard work and usually really easy. So why am I writing a blog post if it's so easy? Well, Hipchat doesn't only use HTTP and HTTPS; its clients also use plain TCP. That means I can't manage everything with just Nginx, so I had to look into load-balancing systems such as HAProxy.

So why can't Nginx handle it? At its core, Nginx is built to work as an HTTP/HTTPS proxy, so using it for other traffic has a crippling effect on performance, and as Hipchat is already a rather odd thing in itself, I wanted to at least handle it correctly in our proxy. So I decided to go with HAProxy, as it is the best-known technology on the load-balancing side. It has a strong background and most of our technical experts knew it. It is also established enough that it gets regular updates and its security is kept strong.

Okay, so I have HAProxy for other traffic, but isn't Hipchat using HTTP/HTTPS traffic? Not entirely. When used in a browser, Hipchat uses HTTP and HTTPS. However, any native app needs TCP ports 5222 and 5223 for XMPP traffic. This means we need to open these ports for the desktop clients and so on, which requires us to proxy them with HAProxy instead of Nginx. Why would we want to proxy this traffic? Hipchat currently ships as a VirtualBox image, so we may want to shelter it and route its traffic through a reverse proxy we control.

So what would a basic Nginx configuration look like for ports 443 and 80?

# Redirect all plain-HTTP requests to HTTPS.
server {
   listen 80;
   return 301 https://$host$request_uri;
}

server {

   # "listen ... ssl" replaces the deprecated "ssl on;" directive.
   listen 443 ssl;
   server_name hipchatserver.domain.com;

   ssl_certificate           /etc/nginx/cert.crt;
   ssl_certificate_key       /etc/nginx/cert.key;

   ssl_session_cache  builtin:1000  shared:SSL:10m;
   # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is offered.
   ssl_protocols  TLSv1.2;
   ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
   ssl_prefer_server_ciphers on;

   access_log            /var/log/nginx/hipchat.access.log;

   location / {

     # Pass the original host, client address and scheme to Hipchat.
     proxy_set_header        Host $host;
     proxy_set_header        X-Real-IP $remote_addr;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header        X-Forwarded-Proto $scheme;

     # Fix the "It appears that your reverse proxy set up is broken" error.
     proxy_pass          http://hipchatserver;
     proxy_read_timeout  90;

     # Rewrite redirects from the backend so they point at the public HTTPS name.
     proxy_redirect      http://hipchatserver https://hipchatserver.domain.com;
   }
 }

This gives us the proxy rule for the Hipchat server on port 443. However, we still need ports 5222 and 5223. These can be handled with a configuration along these lines in HAProxy:

global
       log /dev/log    local0
       log /dev/log    local1 notice
       chroot /var/lib/haproxy
       user haproxy
       group haproxy
       daemon

defaults
       log     global
       mode    tcp
       option  dontlognull
       # "timeout connect/client/server" replace the old contimeout/clitimeout/srvtimeout
       # keywords, which current HAProxy versions no longer accept. Values are in ms.
       timeout connect 5000
       timeout client  50000
       timeout server  50000

# XMPP on port 5222
frontend hipchatserver
       bind *:5222
       mode tcp
       option tcplog
       default_backend hipchatserver

backend hipchatserver
       mode tcp
       server hipchatserver.domain.com <IP>:5222

# XMPP on port 5223
frontend hipchatserver2
       bind *:5223
       mode tcp
       default_backend hipchatserver2

backend hipchatserver2
       mode tcp
       server hipchatserver.domain.com <IP>:5223

So why have I split the configuration into two parts? First, to make it clearer what we are doing, since it might otherwise cause issues if you have not used proxies before. Second, when you add logging to this configuration, you want to monitor 5223 and 5222 separately, as they are for different cases.
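To illustrate the per-port monitoring that the split makes possible, here is an added example (not code from the original post) that summarises HAProxy `option tcplog` lines per frontend and counts backend connection failures. It assumes `option tcplog` is enabled on both frontends (the configuration above sets it only on the 5222 one); the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in HAProxy's "option tcplog" format (not real traffic).
# Frontend/backend/server names follow the config above; IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  1 10:00:01 proxy haproxy[1201]: 192.0.2.10:50112 [01/Mar/2016:10:00:00.120] hipchatserver hipchatserver/hipchatserver.domain.com 0/1/60213 48211 -- 3/2/2/2/0 0/0
Mar  1 10:02:11 proxy haproxy[1201]: 192.0.2.10:50140 [01/Mar/2016:10:01:20.008] hipchatserver hipchatserver/hipchatserver.domain.com 0/1/50001 1022 cD 3/2/2/2/0 0/0
Mar  1 10:02:15 proxy haproxy[1201]: 192.0.2.11:50344 [01/Mar/2016:10:02:12.004] hipchatserver2 hipchatserver2/hipchatserver.domain.com 0/-1/3001 0 SC 4/1/1/0/3 0/0
Mar  1 10:02:19 proxy haproxy[1201]: 192.0.2.11:50346 [01/Mar/2016:10:02:16.010] hipchatserver2 hipchatserver2/hipchatserver.domain.com 0/-1/3002 0 SC 4/1/1/0/3 0/0
Mar  1 10:02:45 proxy haproxy[1201]: 192.0.2.11:50350 [01/Mar/2016:10:02:25.000] hipchatserver2 hipchatserver2/hipchatserver.domain.com 0/-1/20003 0 sC 4/1/1/0/3 0/0
Mar  1 10:03:00 proxy haproxy[1201]: 198.51.100.7:41000 [01/Mar/2016:10:02:40.500] hipchatserver2 hipchatserver2/hipchatserver.domain.com 0/2/19500 9120 -- 4/1/1/1/0 0/0
"""

# client_ip:port [accept_date] frontend backend/server Tw/Tc/Tt bytes termination_state ...
# (IPv4 clients only, to keep the pattern short.)
TCPLOG = re.compile(
    r"haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[[^\]]+\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) -?\d+/-?\d+/\+?\d+ \+?\d+ (?P<state>\S\S) "
)
# "SC": the backend refused the connection; "sC": connecting to the backend timed out.
BACKEND_CONNECT_FAILURES = {"SC", "sC"}

def summarise(log_text):
    """Per frontend: session count, backend connect failures, sessions per client IP."""
    stats = {}
    for line in log_text.splitlines():
        m = TCPLOG.search(line)
        if m is None:
            continue  # not a tcplog session line (e.g. a startup notice)
        fe = stats.setdefault(
            m["frontend"], {"sessions": 0, "backend_failures": 0, "clients": Counter()})
        fe["sessions"] += 1
        fe["clients"][m["ip"]] += 1
        if m["state"] in BACKEND_CONNECT_FAILURES:
            fe["backend_failures"] += 1
    return stats

def repeat_clients(stats, threshold):
    """Client IPs with at least `threshold` sessions on a frontend in the analysed log."""
    return {name: sorted(ip for ip, n in fe["clients"].items() if n >= threshold)
            for name, fe in stats.items()}

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for name, fe in result.items():
        print(name, fe["sessions"], "sessions,", fe["backend_failures"], "backend connect failures")
    print(repeat_clients(result, 3))
```

Because each port has its own frontend name, a failing 5223 backend shows up separately from healthy 5222 traffic.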

Okay, so that's how easy it is to configure proxying for your Hipchat. Hopefully this will help you in your local Hipchat tests. I am currently on my way to AtlasCamp and will do some live tweeting, so you can stay up to date on the event by following us! Cheers!