Best way to block external access to Confluence Tomcat port?

Graham Hannington May 17, 2012

I'm running Confluence 4.2 on Windows (this particular Confluence installation is running on Windows Server 2003).

I have followed the Atlassian documentation to configure Confluence and the Apache HTTP server so that I can access Confluence via the Apache HTTP server at the following URL (using the default HTTP port, 80):

http://myserver/wiki

rather than via the Tomcat port:

http://myserver:8090

(I feel slightly unclean quoting those URLs without a trailing slash. Feel free to read those URLs as if they have a trailing slash.)

I am "front-ending" Confluence like this - using the Apache HTTP server - because I am introducing some Ajax queries into Confluence pages (using <script> elements inside HTML macros) to a REST API served by a different host. To avoid cross-domain scripting errors, I have also configured the Apache HTTP server as a proxy for that other host.

When a user accesses Confluence via the Apache HTTP server - http://myserver/wiki - all is good, because the Ajax queries embedded in the Confluence pages refer to a path on the same domain - http://myserver/rest/... - thus avoiding cross-domain scripting errors. That is, to the browser - thanks to the Apache HTTP server acting as a proxy - both the Confluence page itself and the Ajax queries are using the same domain.

However, if a user accesses Confluence via the "direct Tomcat URL", those Ajax queries fail.

So, I want to block "external" access to http://myserver:8090 (that is, access from outside the server; I still want the Apache web server - running on that web server - to be able to redirect to port 8090).

Using the Windows Firewall to block access to port 8090 seems an obvious choice. Any other recommendations?

2 answers

1 accepted

1 vote
Answer accepted
Radu Dumitriu
May 17, 2012

Make Confluence listen only on the local interface (127.0.0.1). That's the safest way, if httpd runs on the same machine.

Graham Hannington April 24, 2018

I'm embarrassed to admit I don't even remember asking this question. That example makes sense to me, though. Thank you!
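
A check for the setting suggested in the accepted answer, as an added example that is not part of the original thread: it parses a Tomcat `server.xml` and lists every `Connector` whose `address` attribute does not restrict it to loopback. The two `server.xml` fragments are constructed samples and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a Connector with no address attribute, which Tomcat
# binds to every IP address on the server by default.
EXPOSED = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
  </Service>
</Server>"""

# Constructed sample: the same Connector restricted to loopback, so only
# processes on the same machine (the Apache HTTP server) can connect.
LOOPBACK_ONLY = EXPOSED.replace('port="8090"', 'port="8090" address="127.0.0.1"')


def is_loopback(address):
    """True if a Connector address value is a loopback address."""
    if address is None or address.strip() == "":
        return False  # no address attribute: listens on all interfaces
    value = address.strip()
    if value.lower() == "localhost":
        return True  # assumption: localhost maps to loopback on this host
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # any other hostname or invalid value: treat as exposed


def exposed_connectors(server_xml):
    """Return (port, address) for every Connector not bound to loopback."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if not is_loopback(addr):
            findings.append((conn.get("port"), addr or "all interfaces"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", EXPOSED), ("after", LOOPBACK_ONLY)):
        print(label, exposed_connectors(xml_text) or "loopback only")
```

After changing `server.xml` and restarting Confluence, `netstat -an` on the server should show port 8090 listening on 127.0.0.1 rather than 0.0.0.0.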

0 votes
parthiban subramaniam
May 17, 2012

In your connector settings, add the following attributes:

proxyName

proxyPort

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

I think that should do, but I'm not sure, so check. It's something I did long back.
