Confluence Apache HTTPS reverse Proxy "Too many redirects"

System: Ubuntu 16.04

Apache: 2.4.33 MPM-Worker PHP-FPM

 

I've been grinding my teeth for days on my Apache HTTPS proxy to Confluence. I wish to have my scheme like this:

Request -> Apache HTTP redirect to HTTPS -> Apache HTTPS reverse proxy to port 8090 -> Confluence HTTP 8090

 

I want to run Confluence on a Subdomain https://sub.domain.com on Linux/Ubuntu.


Sadly I always get the error "Too many redirects". I already checked the ports and they are all open. I checked the configs and guides multiple times, but everything looks alright. The site is accessible over port 8090. I think that Tomcat causes the redirect loop.

Nothing gets written in the Apache Logs, so Apache is alright.

 

I tried my custom configs and also the Atlassian-suggested ones; none worked.

 

Apache SSL Conf:

<IfModule mod_ssl.c>

<VirtualHost *:443>

ServerName sub.domain.com
ServerAlias www.sub.domain.com
ServerAdmin webmaster@localhost
Protocols h2 http/1.1

ProxyRequests Off
ProxyPreserveHost On

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem


RewriteEngine On
RewriteCond %{REQUEST_URI} !^/synchrony
RewriteRule ^/(.*) http://domain.com:8090/$1 [P]

<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://domain.com:8091/synchrony

<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://domain.com:8091%{REQUEST_URI} [P]
</Location>

ProxyPass / http://domain.com:8090/
ProxyPassReverse / http://domain.com:8090/

<Location />
Require all granted
</Location>
</VirtualHost>

</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

server.xml in /opt/atlassian/confluence/conf (using the fourth connector at the bottom)

<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.

If using a http/https proxy, comment out this connector.
==============================================================================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->
<!--
==============================================================================================================
HTTP - Proxying Confluence via Apache or Nginx over HTTP

If you're proxying traffic to Confluence over HTTP, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/TgSvEg

==============================================================================================================
-->

<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="http" proxyName="<subdomain>.<domain>.com" proxyPort="80"/>
-->

<!--
==============================================================================================================
HTTPS - Direct connector with no proxy, for unproxied HTTPS access to Confluence.

For more info see https://confluence.atlassian.com/x/s3UC
==============================================================================================================
-->

<!--
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->

<!--
==============================================================================================================
HTTPS - Proxying Confluence via Apache or Nginx over HTTPS

If you're proxying traffic to Confluence over HTTPS, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/cNIvMw
==============================================================================================================
-->

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" proxyName="sub.domain.com" proxyPort="443"/>

<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="false">
<!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
<Manager pathname=""/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>

<Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
reloadable="false" useHttpOnly="false">
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>
</Host>
</Engine>
</Service>
</Server>

  

Can anybody tell me what I'm doing wrong? I've been sitting on this for a week like a madman, checking over troubleshooting guides...

3 answers

1 accepted

1 vote
Answer accepted

Guys, I found the problem. It was a problem with Certbot. It generated an SSL config in Apache besides the Confluence one.

 

Deleted the wrong vhost and Confluence started to work.

Thanks guys for your support!
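
The failure mode in the accepted answer, a second SSL vhost claiming the same host name, can be checked for mechanically. This is an added example, not part of the original thread: the file names and the contents of the second vhost are constructed, and parse_vhosts / find_conflicts are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample input: file names and the second SSL vhost are hypothetical.
SAMPLE_CONFIGS = {
    "confluence-ssl.conf": """
<VirtualHost *:443>
ServerName sub.domain.com
ServerAlias www.sub.domain.com
</VirtualHost>""",
    "generated-ssl.conf": """
<VirtualHost *:443>
ServerName sub.domain.com:443
DocumentRoot /var/www/html
</VirtualHost>""",
    "000-default.conf": """
<VirtualHost *:80>
ServerName sub.domain.com
</VirtualHost>""",
}

# Anchored patterns, so commented-out directives ("# ServerName ...") never match.
OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.I)

def parse_vhosts(configs):
    """Yield (file, line, [addresses], {names}) for every <VirtualHost> block."""
    for fname, text in configs.items():
        block = None
        for lineno, line in enumerate(text.splitlines(), 1):
            if (m := OPEN.match(line)):
                block = (fname, lineno, m.group(1).split(), set())
            elif CLOSE.match(line) and block:
                yield block
                block = None
            elif block and (m := NAME.match(line)):
                # ServerName may carry a scheme or port; compare host names only.
                for n in m.group(1).split():
                    block[3].add(re.sub(r"^\w+://|:\d+$", "", n).lower())

def find_conflicts(configs):
    """Map (address, host name) to locations, for pairs claimed by more than one vhost."""
    seen = defaultdict(list)
    for fname, lineno, addrs, names in parse_vhosts(configs):
        for addr in addrs:
            for name in sorted(names):
                seen[(addr, name)].append(f"{fname}:{lineno}")
    return {key: locs for key, locs in seen.items() if len(locs) > 1}

print(find_conflicts(SAMPLE_CONFIGS))
```

On a live host, `apachectl -S` prints the vhosts Apache actually loaded; when two name-based vhosts share an address and ServerName, the first one loaded answers the request.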

That looks like what I tried too and had similar issues. I ended up doing this:

https://lastcallmedia.com/blog/how-use-cloudflares-free-flexible-ssl-jira-and-confluence-server-apache-and-proxypass

While troubleshooting, I also removed all of those synchrony lines for Confluence 6.9, which seemed to help.

@Erkan Isik, do you have any other vhosts enabled?

Also, is there a reason your ProxyPass directives act on domain.com and not sub.domain.com?

@Kelly Albrecht That's a good question. I set up Confluence on a root server with one ip only. The DNS for domain.com and sub.domain.com point to the same host, so I also could just write localhost, that would also work.

Yes, I have other vhosts enabled, but they are all configured in separate files and the main file (vhost port 80) only has a redirect to https.

Can you share the error line you noticed? I guess it is because of the maxThread value defined in the server.xml file. Can you increase it to 150 and see if the error still exists? As I mentioned earlier, please share the whole log line/s.

I tried it with maxThread 150, but that didn't work. I don't know how that would help, can you explain that one?

 

Also, the Apache redirect is working fine, so there is also nothing written in the Apache log. The redirect is clearly caused by Tomcat.

 

Here is the catalina.out log:

https://pastebin.com/EvwGKggj

 

I also generated a full Apache debug log for my Confluence domain "wiki.domain.com":

https://pastebin.com/pYUdGbUj

For me the log looks alright and the redirection gets passed.

I just wanted to try the MaxThread parameter since your question relates to redirects and there was a lack of information to troubleshoot this.

Unfortunately I cannot access above provided two URLs.

Anyway, it seems like both Apache and Tomcat redirect. Can you apply the following configurations and see what is going on? I saw that there are some configs in your Apache config file which I do not use.

 

1. Modify httpd.conf Redirect http to https - 

#add following lines to httpd.conf end of the file
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

2. Your ssl.conf file should look like this.

Please note that sometimes you don't want to load the proxy modules added below. It depends on the OS you are using. I'm using SUSE and it requires loading these modules. The path to the proxy modules may change based on your OS.

# LoadModule is only valid in the main server config, so it sits outside <VirtualHost>
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib64/apache2/mod_proxy_wstunnel.so
LoadModule rewrite_module /usr/lib64/apache2/mod_rewrite.so
LoadModule proxy_connect_module /usr/lib64/apache2/mod_proxy_connect.so

Listen 443
<VirtualHost *:443>

# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName confluence.example.com:443
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
ProxyRequests Off
ProxyPreserveHost On

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite !RC4-SHA:HIGH:MEDIUM:!SSLv2:!ADH:!NULL:!EDH:!RC4-MD5
SSLHonorCipherOrder on
# You can use per vhost certificates if SNI is supported.
SSLCertificateFile /etc/apache2/ssl.crt/your_certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/your_certificate.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/Chain.crt

# Reverse Proxy config
<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://confluence.example.com:8091/synchrony
<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://confluence.example.com:8091%{REQUEST_URI} [P]
</Location>

ProxyPass / http://confluence.example.com:8080/
ProxyPassReverse / http://confluence.example.com:8080/



<Location />
Require all granted
</Location>

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

 

3. Add the following attribute to the connector in the server.xml file

useBodyEncodingForURI="true"

So your connector in the server.xml file should look like this

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
useBodyEncodingForURI="true"
scheme="https" secure="true" proxyName="confluence.example.com" proxyPort="443"/>

 

See how it goes.
