Change Confluence to port 443

René D. March 20, 2019

Hello, everyone,

I just can't get Confluence switched to port 443. Every other port works without problems. Confluence is installed on Debian 9 Stretch.

I edited the server.xml as follows:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">

    <Connector port="8090" connectionTimeout="20000" redirectPort="443"
               maxThreads="48" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="******"
               keystoreFile="******"/>

    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname=""/>
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
        </Context>

        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                 reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>

Then I restart the Confluence service.

The browser now displays the error message "ERR_CONNECTION_REFUSED".

When I enter netstat -ntpl on the server, the following ports are displayed:

root@Server:~# netstat -ntpl
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 614/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 486/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 462/cupsd
tcp 1 0 0.0.0.0:8090 0.0.0.0:* LISTEN 1327/java
tcp 0 0 0.0.0.0:8091 0.0.0.0:* LISTEN 1566/java
tcp6 0 0 :::22 :::* LISTEN 486/sshd

Port 443 is not visible. If I change the config back to 8443, netstat also displays port 8443:

root@vmConfluence19:~# netstat -ntpl
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 614/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 486/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 462/cupsd
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 666/java
tcp 0 0 0.0.0.0:8091 0.0.0.0:* LISTEN 929/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 666/java
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 666/java
tcp6 0 0 :::22 :::* LISTEN 486/sshd

Does anyone have any idea what else I can do here? 

Answer accepted
René D. March 20, 2019

I found out that I can't use any port below 1024. I can use all ports above it without any problems. Very strange....

Nic Brough -Adaptavist-
March 20, 2019

Most Unix-like systems consider ports below 1024 to be "privileged" and also known attack vectors - most cracks will attack 1-1024 because most people stick standard services on the recommended addresses (so if I have a good SSH crack, I'll try it on port 22, Whois on 43, LDAP 389, and so-on).

Three options:

  • Run Jira as root.  (Actually, don't, it's a horrid security risk and dangerous attack vector.  I mention it for completion - it'll work, but it could allow attackers complete system access, especially on older Jira systems)
  • Run the Tomcat behind Jira with a setuid (this is how web servers like Apache run on privileged ports without exposing the risk of running anything else as root)
  • Run behind a proxy (most web-servers can do proxying and it's not hard to set up, and has other useful functions)

René D. March 21, 2019

Hey Nic,

thank you for your answer. Because of the security risk I have now found another solution.

With iptables I entered the following commands:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8090
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8090

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443

After that I changed the redirect port in the server.xml:

<Connector port="8090" connectionTimeout="20000" redirectPort="443"
           maxThreads="48" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11NioProtocol"/>

Finally, the Confluence service is restarted and everything works as desired.

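A small helper script, added here as an example and not code from the thread or from Atlassian, that wraps the iptables approach above: it validates the port pair first (a check that would have flagged a mistyped application port such as 84430 before it became a rule that never matches), prints the two REDIRECT rules, and applies them only when they are not already present. It assumes Debian with the iptables and ss commands available and uses the port numbers from this thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: validate the port pair and build the two
# nat REDIRECT rules before anything is applied. Assumes Linux with the
# iptables CLI; apply_redirects must run as root.

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# privileged_port PORT -> 0 if PORT is below 1024, i.e. only root (or a
# process holding CAP_NET_BIND_SERVICE) may bind it
privileged_port() {
    valid_port "$1" && [ "$1" -lt 1024 ]
}

# redirect_rules PUBLIC_PORT APP_PORT -> prints the PREROUTING rule (remote
# clients) and the OUTPUT rule (connections from the host itself), one per line
redirect_rules() {
    pub=$1
    app=$2
    valid_port "$pub" || { echo "invalid public port: $pub" >&2; return 1; }
    valid_port "$app" || { echo "invalid application port: $app" >&2; return 1; }
    if privileged_port "$app"; then
        echo "application port $app is privileged; Confluence cannot bind it as an unprivileged user" >&2
        return 1
    fi
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $app" \
        "iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport $pub -j REDIRECT --to-ports $app"
}

# apply_redirects PUBLIC_PORT APP_PORT -> adds each rule unless `iptables -C`
# reports it is already present, so the function is safe to re-run at boot
apply_redirects() {
    redirect_rules "$1" "$2" | while IFS= read -r rule; do
        # same rule with the add/insert verb swapped for the check verb
        check=$(printf '%s' "$rule" | sed 's/ -A PREROUTING / -C PREROUTING /; s/ -I OUTPUT / -C OUTPUT /')
        # unquoted on purpose: the rule strings contain no spaces inside arguments
        if $check 2>/dev/null; then
            echo "already present: $rule"
        else
            $rule || echo "failed: $rule" >&2
        fi
    done
}

# listening_on PORT -> 0 if some process has a TCP listener on PORT
# (the same check as netstat -ntpl in the question, via ss)
listening_on() {
    ss -ltn "sport = :$1" 2>/dev/null | grep -q LISTEN
}

# Usage (as root): ./redirect.sh apply
# Applies both mappings from the thread, then confirms the application ports
# are bound. Ports 80 and 443 never show up in ss: the kernel rewrites the
# destination before any socket is involved, which is why they were missing
# from the question's netstat output as well.
if [ "${1:-}" = "apply" ]; then
    apply_redirects 80 8090
    apply_redirects 443 8443
    listening_on 8090 && echo "8090 listening"
    listening_on 8443 && echo "8443 listening"
fi
```

Two things worth knowing when using this on Debian: nat rules added this way are gone after a reboot unless they are saved with netfilter-persistent (or the script is run from a systemd unit), and REDIRECT only rewrites the destination port, so the client address Confluence sees and logs is still the real one.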
Nic Brough -Adaptavist-
March 21, 2019

I've always struggled with doing it with firewall routing, mostly because it's inside a complex network - chucking up a proxy and telling the network team to deal with routing is a default for me!

Nicely fixed, I've added this to my bookmarks!

