Configuration with SSL reverse proxy

Is there any documentation to configure Confluence behind SSL reverse proxy server? Currently I use the following scheme:

user<-(https)->nginx<-(http)->conluence

All work fine but whet 'Server Base Url' is set to https:// prefix then UPM warns me with 'The base URL configuration of your instance is inconsistent with the URL in your browser'. How can I get rid of this warning?

Best regards,

Alexander Afonyashin

5 answers

This widget could not be displayed.

The solution is as follows. Edit server.xml file and find Connector port= element. At the end of it, before /> symbols add: proxyName="external_https_server_name" proxyPort="443" scheme="https"

This works both for JIRA and Confluence.

This does work fine... until... a user clicks on a link in Confluence with an incomplete URL like:

https://confluence.example.com/display/ABCD/

in which case Confluence issues a 302 for the correct page BUT uses http instead:

http://confluence.example.com/display/ABCD/this+is+the+intended+page

Since my server does not accept connections on 80 it times out and dies.

Wes,

Can you provide more info? How did you create such 'incomplete' links?

Alex

Hi Alexander, sure. By incomplete, I mean URLs that don't point to documents but instead point to the directory that contains the document. These URLs appear in the dashboard view and represent the 'spaces'.

This widget could not be displayed.

Change the base url in Confluence to be consistent with the one Apache is presenting to the outside world.

Really??

This could make the links presented to users not functioning, right?

We use https://docs.netic.dk through a Traffic Manager - and this is base URL in confluence, so I also have the warning. Confluence actually runs on port http://host:8080

Changing the base Url to http://docs.netic.dk/ could make links end up being http://docs.netic.dk/display/spacename, which is not accessible

Absolutely, otherwise your urls in the emails and links are broken, not to mention reporting and other stuff.

Our system:

Confluence runs on a host called server011, presenting SSL connections on port 8999. The url https://server011:8999 is the base address, but is actually only accessible on that one server, the port is blocked to remote interfaces.

Apache proxies that to https://confluence.somewhere.co.uk and a user lands on the dashboard if they use that url, so we set the base url to https://confluence.somewhere.co.uk hso that emails, gadgets, reports and so-on all refer to the correct, externally accessible url. We don't use server011:8999 for anything other than the Apache connection.

If you've got a different base url, I actually suspect it's wrong, and your http://docs.netic.dk/display/spacename is right - that's where your users should be landing, and it is accessible if your proxies are set up correctly and permissions right.

This widget could not be displayed.

Hi Alexander, sure. By incomplete, I mean URLs that don't point to documents but instead point to the directory that contains the document. These URLs appear in the dashboard view and represent the 'spaces'.

This widget could not be displayed.

Hi Wes,

(second try - the previos post failed) I wonder if got this problem. I would like you to check your proxy settings (or even better) check if it rewrites answers from upstreams in Headers section.

Alex

I've turned on mod_log_forensics on the proxy server, and I see a log entry similar to this:

GET /display/SRUD HTTP/1.1|User-Agent:...

I can't see the response headers with mod_log_forensics but I'm sure that it is Confluence that is responding to this request with a 302. Here are my full request and response headers with a few things obfuscated to protect the innocent:

Request URL:https://help.example.com/display/SRUD
Request Method:GET
Status Code:302 Found
---Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:PHPSESSID=xxxxxxxxxxxxxx; JSESSIONID=xxxxxxxxxxxxxx
Host:help.example.com
Referer:https://help.example.com/
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.107 Chrome/32.0.1700.107 Safari/537.36
---Response Headersview source
Cache-Control:no-cache, must-revalidate
Connection:close
Content-Length:0
Content-Type:text/html;charset=UTF-8
Date:Mon, 10 Mar 2014 19:29:38 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:http://help.example.com/display/SRUD/Stocks+Registration
Pragma:no-cache
Server:Apache/2.2.15 (CentOS)
X-Ausername:supplier_read
X-Confluence-Request-Time:1394479778339
X-Content-Type-Options:nosniff
X-Powered-By:PHP/5.5.7 ZendServer/6.3.0
X-Seraph-Loginreason:OK
X-Xss-Protection:1; mode=block

I'm sorry. We figured out that it was our reverse proxy that was rewriting the urls.

This widget could not be displayed.

Hi Wes,

Good news, since I was unable to catch such redirect at our servers.

Regards,

Alex

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 17, 2018 in Confluence

Why start from scratch? Introducing four new templates for Confluence Cloud

Hi my Community friends!  For those who don't know me, I'm a product marketer on the Confluence Cloud team - nice to meet you! For those of you who do, you know that I've been all up in your Co...

571 views 7 6
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you