Configuration with SSL reverse proxy

Alexander Afonyashin August 12, 2012

Is there any documentation to configure Confluence behind SSL reverse proxy server? Currently I use the following scheme:

user<-(https)->nginx<-(http)->conluence

All work fine but whet 'Server Base Url' is set to https:// prefix then UPM warns me with 'The base URL configuration of your instance is inconsistent with the URL in your browser'. How can I get rid of this warning?

Best regards,

Alexander Afonyashin

5 answers

3 votes
Alexander Afonyashin October 3, 2012

The solution is as follows. Edit server.xml file and find Connector port= element. At the end of it, before /> symbols add: proxyName="external_https_server_name" proxyPort="443" scheme="https"

This works both for JIRA and Confluence.

Wesley Grant March 6, 2014

This does work fine... until... a user clicks on a link in Confluence with an incomplete URL like:

https://confluence.example.com/display/ABCD/

in which case Confluence issues a 302 for the correct page BUT uses http instead:

http://confluence.example.com/display/ABCD/this+is+the+intended+page

Since my server does not accept connections on 80 it times out and dies.

Alexander Afonyashin March 6, 2014

Wes,

Can you provide more info? How did you create such 'incomplete' links?

Alex

Wesley Grant March 6, 2014

Hi Alexander, sure. By incomplete, I mean URLs that don't point to documents but instead point to the directory that contains the document. These URLs appear in the dashboard view and represent the 'spaces'.

0 votes
Alexander Afonyashin March 12, 2014

Hi Wes,

Good news, since I was unable to catch such redirect at our servers.

Regards,

Alex

0 votes
Alexander Afonyashin March 6, 2014

Hi Wes,

(second try - the previos post failed) I wonder if got this problem. I would like you to check your proxy settings (or even better) check if it rewrites answers from upstreams in Headers section.

Alex

Wesley Grant March 10, 2014

I've turned on mod_log_forensics on the proxy server, and I see a log entry similar to this:

GET /display/SRUD HTTP/1.1|User-Agent:...

I can't see the response headers with mod_log_forensics but I'm sure that it is Confluence that is responding to this request with a 302. Here are my full request and response headers with a few things obfuscated to protect the innocent:

Request URL:https://help.example.com/display/SRUD
Request Method:GET
Status Code:302 Found
---Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:PHPSESSID=xxxxxxxxxxxxxx; JSESSIONID=xxxxxxxxxxxxxx
Host:help.example.com
Referer:https://help.example.com/
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.107 Chrome/32.0.1700.107 Safari/537.36
---Response Headersview source
Cache-Control:no-cache, must-revalidate
Connection:close
Content-Length:0
Content-Type:text/html;charset=UTF-8
Date:Mon, 10 Mar 2014 19:29:38 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:http://help.example.com/display/SRUD/Stocks+Registration
Pragma:no-cache
Server:Apache/2.2.15 (CentOS)
X-Ausername:supplier_read
X-Confluence-Request-Time:1394479778339
X-Content-Type-Options:nosniff
X-Powered-By:PHP/5.5.7 ZendServer/6.3.0
X-Seraph-Loginreason:OK
X-Xss-Protection:1; mode=block

Wesley Grant March 12, 2014

I'm sorry. We figured out that it was our reverse proxy that was rewriting the urls.

0 votes
Wesley Grant March 6, 2014

Hi Alexander, sure. By incomplete, I mean URLs that don't point to documents but instead point to the directory that contains the document. These URLs appear in the dashboard view and represent the 'spaces'.

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
August 12, 2012

Change the base url in Confluence to be consistent with the one Apache is presenting to the outside world.

B_ Normann P_ Nielsen
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 27, 2012

Really??

This could make the links presented to users not functioning, right?

We use https://docs.netic.dk through a Traffic Manager - and this is base URL in confluence, so I also have the warning. Confluence actually runs on port http://host:8080

Changing the base Url to http://docs.netic.dk/ could make links end up being http://docs.netic.dk/display/spacename, which is not accessible

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 27, 2012

Absolutely, otherwise your urls in the emails and links are broken, not to mention reporting and other stuff.

Our system:

Confluence runs on a host called server011, presenting SSL connections on port 8999. The url https://server011:8999 is the base address, but is actually only accessible on that one server, the port is blocked to remote interfaces.

Apache proxies that to https://confluence.somewhere.co.uk and a user lands on the dashboard if they use that url, so we set the base url to https://confluence.somewhere.co.uk hso that emails, gadgets, reports and so-on all refer to the correct, externally accessible url. We don't use server011:8999 for anything other than the Apache connection.

If you've got a different base url, I actually suspect it's wrong, and your http://docs.netic.dk/display/spacename is right - that's where your users should be landing, and it is accessible if your proxies are set up correctly and permissions right.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events