
Confluence Apache HTTPS reverse Proxy "Too many redirects"

Erkan Isik June 29, 2018

System: Ubuntu 16.04

Apache: 2.4.33 MPM-Worker PHP-FPM

 

I've been grinding my teeth for days on my Apache HTTPS proxy to Confluence. I wish to have my scheme like this:

Request -> Apache HTTP redirect to HTTPS -> Apache HTTPS reverse proxy to port 8090 -> Confluence HTTP 8090

 

I want to run Confluence on a Subdomain https://sub.domain.com on Linux/Ubuntu.


Sadly I always get the error "Too many redirects". I already checked the ports and they are all open. Checked multiple times over the configs and guides, but everything looks alright. The site is accessible over port 8090. I think that Tomcat causes the redirect loop.

Nothing gets written in the Apache Logs, so Apache is alright.

 

I tried my custom configs and also the Atlassian suggested ones, none worked.

 

Apache SSL Conf:

<IfModule mod_ssl.c>

<VirtualHost *:443>

ServerName sub.domain.com
ServerAlias www.sub.domain.com
ServerAdmin webmaster@localhost
Protocols h2 http/1.1

ProxyRequests Off
ProxyPreserveHost On

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem


RewriteEngine On
RewriteCond %{REQUEST_URI} !^/synchrony
RewriteRule ^/(.*) http://domain.com:8090/$1 [P]

<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://domain.com:8091/synchrony

<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://domain.com:8091%{REQUEST_URI} [P]
</Location>

ProxyPass / http://domain.com:8090/
ProxyPassReverse / http://domain.com:8090/

<Location />
Require all granted
</Location>
</VirtualHost>

</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

server.xml in /opt/atlassian/confluence/conf (using the fourth connector at the bottom)

<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.

If using a http/https proxy, comment out this connector.
==============================================================================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->
<!--
==============================================================================================================
HTTP - Proxying Confluence via Apache or Nginx over HTTP

If you're proxying traffic to Confluence over HTTP, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/TgSvEg

==============================================================================================================
-->

<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="http" proxyName="<subdomain>.<domain>.com" proxyPort="80"/>
-->

<!--
==============================================================================================================
HTTPS - Direct connector with no proxy, for unproxied HTTPS access to Confluence.

For more info see https://confluence.atlassian.com/x/s3UC
==============================================================================================================
-->

<!--
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->

<!--
==============================================================================================================
HTTPS - Proxying Confluence via Apache or Nginx over HTTPS

If you're proxying traffic to Confluence over HTTPS, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/cNIvMw
==============================================================================================================
-->

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" proxyName="sub.domain.com" proxyPort="443"/>

<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="false">
<!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
<Manager pathname=""/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>

<Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
reloadable="false" useHttpOnly="false">
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>
</Host>
</Engine>
</Service>
</Server>

  

Can anybody tell me what I'm doing wrong? I've been sitting on this for a week like a madman, checking over troubleshooting guides...

3 answers

1 accepted

1 vote
Answer accepted
Erkan Isik July 12, 2018

Guys, found the problem. It was a problem with Certbot. It generated an SSL config in Apache besides the Confluence one.

 

Deleted the wrong vhost and Confluence started to work.

Thanks guys for your support!
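
The cause named in the accepted answer, a second vhost claiming the same name and port, can be checked for mechanically. The following is an added example, not part of the original thread; the file names and vhost contents in SAMPLE_SITES are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of three enabled site files (names and contents are
# assumptions): a hand-written proxy vhost plus a second :443 vhost of the
# kind the accepted answer says Certbot generated.
SAMPLE_SITES = {
    "confluence-ssl.conf": """
<VirtualHost *:443>
    ServerName sub.domain.com
    ServerAlias www.sub.domain.com
    ProxyPass / http://domain.com:8090/
</VirtualHost>""",
    "000-default-le-ssl.conf": """
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName sub.domain.com
    DocumentRoot /var/www/html
</VirtualHost>
</IfModule>""",
    "000-default.conf": """
<VirtualHost *:80>
    ServerName sub.domain.com
    Redirect permanent / https://sub.domain.com/
</VirtualHost>""",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", re.M | re.I)

def parse_vhosts(sites):
    """Yield (file, port, hostnames) for every <VirtualHost> block."""
    for fname, text in sites.items():
        text = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)  # drop comment lines
        for addr, body in VHOST_RE.findall(text):
            port = addr.split()[0].rsplit(":", 1)[-1]
            # ServerName may carry a scheme or port ("host:443"); keep the host only
            names = {n.lower().split("://")[-1].split(":")[0]
                     for line in NAME_RE.findall(body) for n in line.split()}
            yield fname, port, names

def find_overlaps(sites):
    """Return {(hostname, port): [files]} for names claimed by more than one vhost."""
    seen = defaultdict(list)
    for fname, port, names in parse_vhosts(sites):
        for name in names:
            seen[(name, port)].append(fname)
    return {key: sorted(files) for key, files in seen.items() if len(files) > 1}

if __name__ == "__main__":
    for (host, port), files in find_overlaps(SAMPLE_SITES).items():
        print(f"{host}:{port} is defined in {files}")
```

On a live server, `apache2ctl -S` prints the vhost map Apache actually parsed; when two vhosts claim the same name and port, the first one loaded handles the request.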

phaniraju October 25, 2019

Could you please help me to integrate Bitbucket 5.16 with Apache 2.4 over SSL?

1 vote
Heshan Manamperi
June 30, 2018

Can you share the error line you noticed? I guess it is because of the maxThread value defined in the server.xml file. Can you increase it to 150 and see whether the error still exists? As I mentioned earlier, please share the whole log line(s).

Erkan Isik June 30, 2018

I tried it with maxThread 150, but that didn't work. I don't know how that would help, can you explain that one?

 

Also, the Apache redirect is working fine, so there is also nothing written in the Apache log. The redirect is clearly caused by Tomcat.

 

Here is the catalina.out log:

https://pastebin.com/EvwGKggj

 

I also generated a full Apache debug log for my Confluence domain "wiki.domain.com":

https://pastebin.com/pYUdGbUj

For me the log looks alright and the redirection gets passed.

Heshan Manamperi
July 1, 2018

I just wanted to try the MaxThread parameter since your question relates to redirects and there is a lack of information to troubleshoot this.

Unfortunately I cannot access above provided two URLs.

Anyway, it seems like both Apache and Tomcat redirect. Can you apply the following configurations and see what is going on? I saw that there are some configs in the Apache config file which I do not use.

 

1. Modify httpd.conf to redirect HTTP to HTTPS:

# Add the following lines to the end of httpd.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

2. Your ssl.conf file should look like this.

Please note that sometimes you don't need to load the proxy modules added below. It depends on the OS you are using. I'm using SUSE and it requires loading these modules. The path to the proxy modules may change based on your OS.

# LoadModule is only valid in the main server config, so it goes before <VirtualHost>
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib64/apache2/mod_proxy_wstunnel.so
LoadModule rewrite_module /usr/lib64/apache2/mod_rewrite.so
LoadModule proxy_connect_module /usr/lib64/apache2/mod_proxy_connect.so

Listen 443
<VirtualHost *:443>

# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName confluence.example.com:443
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
ProxyRequests Off
ProxyPreserveHost On

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite !RC4-SHA:HIGH:MEDIUM:!SSLv2:!ADH:!NULL:!EDH:!RC4-MD5
SSLHonorCipherOrder on
# You can use per vhost certificates if SNI is supported.
SSLCertificateFile /etc/apache2/ssl.crt/your_certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/your_certificate.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/Chain.crt

# Reverse Proxy config
<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://confluence.example.com:8091/synchrony
<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://confluence.example.com:8091%{REQUEST_URI} [P]
</Location>

# Backend port must match the Connector port in server.xml (8090 in step 3)
ProxyPass / http://confluence.example.com:8090/
ProxyPassReverse / http://confluence.example.com:8090/



<Location />
Require all granted
</Location>

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

 

3. Add the following line to the server.xml file:

useBodyEncodingForURI="true"

So your connector in the server.xml file should look like this:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
useBodyEncodingForURI="true"
scheme="https" secure="true" proxyName="confluence.example.com" proxyPort="443"/>

 

See how it goes.

1 vote
Kelly Albrecht June 29, 2018

That looks like what I tried too and had similar issues. I ended up doing this:

https://lastcallmedia.com/blog/how-use-cloudflares-free-flexible-ssl-jira-and-confluence-server-apache-and-proxypass

While troubleshooting, I also removed all of those synchrony lines for Confluence 6.9, which seemed to help.

Kelly Albrecht July 1, 2018

@Erkan Isik, do you have any other vhosts enabled?

Also, is there a reason your ProxyPass directives act on domain.com and not sub.domain.com?

Erkan Isik July 3, 2018

@Kelly Albrecht That's a good question. I set up Confluence on a root server with one IP only. The DNS for domain.com and sub.domain.com point to the same host, so I also could just write localhost, that would also work.

Yes, I have other vhosts enabled, but they are all configured in separate files and the main file (vhost port 80) only has a redirect to HTTPS.
