Confluence Apache HTTPS reverse Proxy "Too many redirects"

System: Ubuntu 16.04

Apache: 2.4.33 MPM-Worker PHP-FPM

 

I've been grinding my teeth for days on my Apache HTTPS proxy to Confluence. I wish to have my scheme like this:

Request -> Apache HTTP redirect to HTTPS -> Apache HTTPS reverse proxy to port 8090 -> Confluence HTTP 8090

 

I want to run Confluence on a Subdomain https://sub.domain.com on Linux/Ubuntu.


Sadly, I always get the error "Too many redirects". I already checked the ports and they are all open. I checked the configs and guides multiple times, but everything looks alright. The site is accessible over port 8090. I think that Tomcat causes the redirect loop.

Nothing gets written in the Apache Logs, so Apache is alright.

 

I tried my custom configs and also the Atlassian-suggested ones; none worked.

 

Apache SSL Conf:

<IfModule mod_ssl.c>

<VirtualHost *:443>

ServerName sub.domain.com
ServerAlias www.sub.domain.com
ServerAdmin webmaster@localhost
Protocols h2 http/1.1

ProxyRequests Off
ProxyPreserveHost On

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem


RewriteEngine On
RewriteCond %{REQUEST_URI} !^/synchrony
RewriteRule ^/(.*) http://domain.com:8090/$1 [P]

<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://domain.com:8091/synchrony

<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://domain.com:8091%{REQUEST_URI} [P]
</Location>

ProxyPass / http://domain.com:8090/
ProxyPassReverse / http://domain.com:8090/

<Location />
Require all granted
</Location>
</VirtualHost>

</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

server.xml in /opt/atlassian/confluence/conf (using the fourth connector at the bottom)

<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.

If using a http/https proxy, comment out this connector.
==============================================================================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->
<!--
==============================================================================================================
HTTP - Proxying Confluence via Apache or Nginx over HTTP

If you're proxying traffic to Confluence over HTTP, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/TgSvEg

==============================================================================================================
-->

<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="http" proxyName="<subdomain>.<domain>.com" proxyPort="80"/>
-->

<!--
==============================================================================================================
HTTPS - Direct connector with no proxy, for unproxied HTTPS access to Confluence.

For more info see https://confluence.atlassian.com/x/s3UC
==============================================================================================================
-->

<!--
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->

<!--
==============================================================================================================
HTTPS - Proxying Confluence via Apache or Nginx over HTTPS

If you're proxying traffic to Confluence over HTTPS, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/cNIvMw
==============================================================================================================
-->

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" proxyName="sub.domain.com" proxyPort="443"/>

<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="false">
<!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
<Manager pathname=""/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>

<Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
reloadable="false" useHttpOnly="false">
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>
</Host>
</Engine>
</Service>
</Server>

  

Can anybody tell me what I'm doing wrong? I've been sitting on this for a week like a madman, checking over troubleshooting guides...

3 answers

1 accepted

1 vote
Accepted answer

Guys, found the problem. Was a problem with Certbot. Generated an SSL config in Apache besides the Confluence one.

 

Deleted the wrong vhost and Confluence started to work.

Thanks guys for your support!
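A check for the condition described in the accepted answer, as an added example that is not part of the original thread: it scans enabled site files for two vhosts claiming the same name on the same address and reports which file Apache would use (the first one loaded). The file names, file contents and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of two enabled site files (names and contents are
# hypothetical): a hand-written proxy vhost plus a second SSL vhost for the
# same name that redirects to itself.
SAMPLE_SITES = {
    "confluence-ssl.conf": """
<VirtualHost *:443>
    ServerName sub.domain.com
    ServerAlias www.sub.domain.com
    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>
""",
    "000-default-le-ssl.conf": """
<VirtualHost *:443>
    ServerName sub.domain.com
    # leftover redirect copied from the port-80 vhost
    Redirect permanent / https://sub.domain.com/
</VirtualHost>
""",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", re.M | re.I)

def vhost_claims(sites):
    """Map (listen address, hostname) -> files claiming it, in load order."""
    claims = defaultdict(list)
    for fname in sorted(sites):  # wildcard Include loads files alphabetically
        text = re.sub(r"^[ \t]*#.*$", "", sites[fname], flags=re.M)
        for addrs, body in VHOST_RE.findall(text):
            hosts = [h.split("://")[-1].split(":")[0].lower()
                     for line in NAME_RE.findall(body) for h in line.split()]
            for addr in addrs.split():
                for host in hosts:
                    claims[(addr, host)].append(fname)
    return claims

def shadowed_vhosts(sites):
    """Return {(addr, host): (winning file, [shadowed files])} for duplicates."""
    return {key: (files[0], files[1:])
            for key, files in vhost_claims(sites).items() if len(files) > 1}
```

On a live server, `apachectl -S` prints the vhost-to-file mapping Apache actually resolved.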

That looks like what I tried too and had similar issues. I ended up doing this:

https://lastcallmedia.com/blog/how-use-cloudflares-free-flexible-ssl-jira-and-confluence-server-apache-and-proxypass

While troubleshooting, I also removed all of those synchrony lines for Confluence 6.9, which seemed to help.

@Erkan Isik, do you have any other vhosts enabled?

Also, is there a reason your ProxyPass directives act on domain.com and not sub.domain.com?

@Kelly Albrecht That's a good question. I set up Confluence on a root server with one IP only. The DNS for domain.com and sub.domain.com point to the same host, so I also could just write localhost, that would also work.

Yes, I have other vhosts enabled, but they are all configured in separate files and the main file (vhost port 80) only has a redirect to https.

Can you share the error line you noticed? I guess it is because of the maxThread value defined in the server.xml file. Can you increase it to 150 and see whether the error still exists? As I mentioned earlier, please share the whole log line(s).

I tried it with maxThread 150, but that didn't work. I don't know how that would help; can you explain that one?

 

Also, the Apache redirect is working fine, so there is also nothing written in the Apache log. The redirect is clearly caused by Tomcat.

 

Here is the catalina.out log:

https://pastebin.com/EvwGKggj

 

I also generated a full Apache debug log for my Confluence domain "wiki.domain.com":

https://pastebin.com/pYUdGbUj

For me the log looks alright and the redirection gets passed.

I just want to try the MaxThread parameter since your question relates to redirects & lack of information to troubleshoot this.

Unfortunately, I cannot access the two URLs provided above.

Anyway, it seems like both Apache and Tomcat redirect. Can you apply the following configurations and see what is going on? I saw that there are some configs in the Apache config file which I do not use.

 

1. Modify httpd.conf to redirect HTTP to HTTPS:

# Add the following lines to the end of httpd.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

2. Your ssl.conf file should look like this.

Please note that sometimes you don't want to load the proxy modules added below. It depends on the OS you are using. I'm using SUSE and it requires loading these modules. The path to the proxy modules may change based on your OS.

# LoadModule is only valid in the server config context, so it sits outside <VirtualHost>
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib64/apache2/mod_proxy_wstunnel.so
LoadModule rewrite_module /usr/lib64/apache2/mod_rewrite.so
LoadModule proxy_connect_module /usr/lib64/apache2/mod_proxy_connect.so

Listen 443
<VirtualHost *:443>

# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName confluence.example.com:443
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
ProxyRequests Off
ProxyPreserveHost On

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite !RC4-SHA:HIGH:MEDIUM:!SSLv2:!ADH:!NULL:!EDH:!RC4-MD5
SSLHonorCipherOrder on
# You can use per vhost certificates if SNI is supported.
SSLCertificateFile /etc/apache2/ssl.crt/your_certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/your_certificate.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/Chain.crt

# Reverse Proxy config
<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://confluence.example.com:8091/synchrony
<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://confluence.example.com:8091%{REQUEST_URI} [P]
</Location>

# Backend port must match the Connector port in server.xml (8090 in step 3)
ProxyPass / http://confluence.example.com:8090/
ProxyPassReverse / http://confluence.example.com:8090/



<Location />
Require all granted
</Location>

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

 

3. Add the following line to the server.xml file:

useBodyEncodingForURI="true"

So your connector in the server.xml file should look like this:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
useBodyEncodingForURI="true"
scheme="https" secure="true" proxyName="confluence.example.com" proxyPort="443"/>

 

See how it goes.
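A consistency check for the pairing this answer configures, as an added example that is not part of the original post: Tomcat builds its redirect URLs from the connector's scheme, proxyName and proxyPort, so they have to describe the Apache vhost the browser actually reaches. The inputs are constructed with deliberate mismatches, and `check_proxy_pair` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs with deliberate mismatches (not the poster's files).
SERVER_XML = """
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="http" proxyName="sub.domain.com" proxyPort="80"/>
  </Service>
</Server>
"""
VHOST = """
<VirtualHost *:443>
    ServerName sub.domain.com
    SSLEngine on
    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>
"""

def check_proxy_pair(server_xml, vhost):
    """List mismatches between a proxying vhost and the Tomcat connector behind it."""
    front_port = re.search(r"<VirtualHost\s+\S*:(\d+)>", vhost).group(1)
    name = re.search(r"^\s*ServerName\s+([^\s:]+)", vhost, re.M).group(1)
    tls = re.search(r"^\s*SSLEngine\s+on\b", vhost, re.M | re.I) is not None
    backend = re.search(r"^\s*ProxyPass\s+/\s+https?://[^:/\s]+:(\d+)",
                        vhost, re.M).group(1)

    # Find the connector that the root ProxyPass actually talks to.
    connectors = ET.fromstring(server_xml.strip()).iter("Connector")
    conn = next((c for c in connectors if c.get("port") == backend), None)
    if conn is None:
        return [f"no Connector listens on backend port {backend}"]

    # What the connector must claim so generated URLs match the public side.
    want = {"scheme": "https" if tls else "http",
            "proxyName": name, "proxyPort": front_port}
    if tls:
        want["secure"] = "true"
    return [f"{k}: connector has {conn.get(k)!r}, proxy implies {v!r}"
            for k, v in want.items() if conn.get(k) != v]
```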
