Configure Apache SSL for Confluence

I need some help on configuring my Confluence with Apache HTTPs. I use mod_proxy to redirect from http://mypage/wiki to http://localhost:8090/ (while blocking direct access from the outside to :8090) and so far it works like a charm.

Now I want to use https (and eventually shut down http for authenticated users). I did see the following Atlassian URLs, but they don't cover Confluence:

https://answers.atlassian.com/questions/19716/apache-ssl-terminiation-with-mod_proxy-after-update-jira-4-4-0-to-4-4-3

https://answers.atlassian.com/questions/19361/apache-ssl-for-jira

https://confluence.atlassian.com/display/JIRA044/Integrating+JIRA+with+Apache#IntegratingJIRAwithApache-TerminatinganSSLconnectionathttpd

and this doesn't cover SSL:

https://confluence.atlassian.com/display/DOC/Running+Confluence+behind+Apache

I want to use SSL on the Apache server (since there are some more components) rather than on the Confluence instance. How do I do that? (I can configure https with Apache as of such).

3 answers

1 accepted

2 votes
Accepted answer

The document here (https://confluence.atlassian.com/display/DOC/Using+Apache+with+mod_proxy) has a 1000-foot view of doing everything under the heading of "adding SSL". We did this on our install but used mod_jk instead of mod_proxy. The basic idea is to set up SSL for Apache (http://httpd.apache.org/docs/2.2/ssl/) and then add your proxy settings to the SSL-enabled vhost in Apache. The encryption is terminated at the Apache web server and then Apache sends unencrypted traffic to the jira server.

We run Windows 2K8, so for us this meant enabling the mod_ssl module in the main httpd.conf file, then editing extra/httpd-ssl.conf for the SSL setup and adding the mod_jk (or mod_proxy) to the vhost at the bottom of the config file.

For the jira side of the equation we ran the apache and jira server on the same machine, so I added "address=127.0.0.1" to the connector string in my server.xml to force tomcat to listen only on connections from the localhost to tomcat:8009. If you are running apache and jira on separate machines you may want to encrypt traffic between the two machines, depending on whether you can trust your network to be secure or not. For example, if they are two different machines that were colocated (or rented) in a datacenter I would encrypt the traffic between them.

That document describes how to configure Confluence for SSL, but not Apache to Confluence. My question is: do I need to SSL enable both 8090 and 443 or only 443 and leave Confluence as it is? (We can block 8090 on the firewall if needed).

I'm sure it is a small step I'm missing...

You can just configure SSL for Confluence and then redirect from http://mypage/wiki to http://localhost:8443 or http://localhost:443 using apache, depending on the port.

Bumping an old question; sorry.. but I thought a 2016 era answer here may help..

I've just set up both JIRA and Confluence to talk through the same apache proxy server (different vhosts) and I wanted to enforce ssl on both. My apache server has a catchall vhost for any port 80 traffic which rewrites to ssl, as described in the doc linked below.

For JIRA there is this handy document: https://confluence.atlassian.com/adminjiraserver071/integrating-jira-with-apache-using-ssl-802593043.html, which is what I used to set up our JIRA instance.

For Confluence I copied everything from the JIRA vhost to the Confluence one, but set the port# to 8090

I decided to rewrite the tomcat config/server.xml as follows:

        <!-- Provide a new connector that forces proxy/https mode to all traffic;
             see https://confluence.atlassian.com/adminjiraserver071/integrating-jira-with-apache-using-ssl-802593043.html -->

        <!-- Apache Proxy Connector with values for scheme, proxyName and proxyPort -->
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="96" minSpareThreads="20"
                enableLookups="false" acceptCount="20" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                scheme="https" proxyName="confluence.ourfinecompany.com" proxyPort="443"/>

        <!-- Standard HTTP Connector on port 8091 -->
        <Connector port="8091" connectionTimeout="20000" redirectPort="8443"
                maxThreads="96" minSpareThreads="20"
                enableLookups="false" acceptCount="20" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

        <!-- ORIGINAL:
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />
        -->

This makes an 8090 connector with the same additional parameter as the JIRA one in the JIRA doc. It also makes a non-ssl connector on port 8091 (though I think it is superfluous I left it there just in case, the JIRA guide does this too.)

I set the Base URL in confluence itself to begin with https:// of course.

This seems to work well for us: Both JIRA and Confluence deliver fully secured content and seamlessly redirect any http requests to https.

Final note: if the proxy is on Linux, SELinux will by default (in most distros) prevent Apache from opening any outbound connections, and the proxying can fail if this stops Apache passing on the requests; it was pretty obvious what was happening in the Apache error logs. The solution is to enable Apache outbound connections (`sudo /usr/sbin/setsebool -P httpd_can_network_connect 1` will set this permanently), rather than taking the lazy pill and disabling SELinux.
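
A check for the two points the answers above rely on (Tomcat bound to localhost so it cannot be reached around Apache, and the proxied connector carrying `scheme`, `proxyName` and `proxyPort`), as an added example that is not part of any post in this thread. The sample server.xml, the host name `confluence.example.com` and the function names are constructed for illustration, and the `secure` check is an extra that the thread does not mention.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connectors quoted in the thread above.
SAMPLE_SERVER_XML = """
<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" scheme="https" proxyName="confluence.example.com"
             proxyPort="443" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8091" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"/>
</Service></Server>
"""

def is_loopback(address):
    """True only when the connector is explicitly bound to a loopback address."""
    if not address:
        return False  # no address attribute: treated as listening on every interface
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address == "localhost"

def audit_connectors(server_xml):
    """Return (port, finding) tuples for connectors that weaken TLS termination."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if not is_loopback(conn.get("address")):
            findings.append((port, "not bound to loopback: reachable without the proxy"))
        if conn.get("scheme") == "https":
            # A connector that reports https on behalf of a proxy needs the public
            # host name and port so that generated URLs point at Apache.
            for attr in ("proxyName", "proxyPort"):
                if not conn.get(attr):
                    findings.append((port, "scheme=https but %s is missing" % attr))
            if conn.get("secure") != "true":
                findings.append((port, "secure is not true: request.isSecure() returns false"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("connector %s: %s" % (port, finding))
```

A connector flagged as not bound to loopback is only acceptable when a host firewall blocks that port from other machines, as the question describes for 8090.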
