Confluence Behind IIS Reverse Proxy

Michael Cote Apr 17, 2018

Hello all,

Recently the company I work for finished evaluating Confluence for several months and decided that we wanted to purchase. Unfortunately, during this time I was unable to test setting up the server to run behind IIS, which is a requirement now. I've spent hours mulling over my setup, and after following all the guides I'm conceding defeat. The Apache application server was working fine on HTTP hitting confluence.domain.com:8090. The Server Base URL is still set to that. Originally I was just getting the IIS splash page, and never got to the point of seeing the actual Confluence page via IIS. At this point I'm getting error 502

Web server received an invalid response while acting as a gateway or proxy server. 

when navigating to confluence.domain.com. I'm running Confluence 6.8 on Windows Server 2012 R2 with IIS 8.5. Below is what I have in my C:\ajp_iis\

isapi_redirect.properties

# Configuration file for the Jakarta ISAPI Redirector

# The path to the ISAPI Redirector Extension, relative to the website
# This must be in a virtual directory with execute privileges
extension_uri=/jakarta/isapi_redirect.dll

# Full path to the log file for the ISAPI Redirector
log_file=C:\ajp_iis\isapi_redirect.log

# Log level (debug, info, warn, error or trace)
log_level=debug

# Full path to the workers.properties file
worker_file=C:\ajp_iis\workers.properties

# Full path to the uriworkermap.properties file
worker_mount_file=C:\ajp_iis\uriworkermap.properties

rewrite_rule_file=C:\ajp_iis\rewrites.properties

rewrites.properties

EMPTY

uriworkermap.properties

# uriworkermap.properties - IIS

/*=ajp13w

workers.properties

# workers.properties
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
# The workers that jk should create and work with
#

worker.list=ajp13w,jkstatus

#
# Defining a worker named ajp13w and of type ajp13
# Note that the name and the type do not have to match.
#
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8090

#
# Define status worker
#

worker.jkstatus.type=status

web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <rule name="Synchrony HTTP" stopProcessing="true">
          <match url="synchrony/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" />
        </rule>
        <rule name="Synchrony Web Sockets Reverse Proxy" stopProcessing="true">
          <match url="ws://(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="ws://localhost:8091/{R:1}" />
        </rule>
        <rule name="Confluence Reverse Proxy" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://localhost:8090/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
  <system.web>
    <!-- This keeps IIS from complaining about special characters in the url. Also has some controls for max upload size. Set to the equivalent of the above, but in kilobytes instead of bytes. (ex. 61440 = 60MB) -->
    <httpRuntime executionTimeout="20" maxRequestLength="xxxxx" requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>

 

This is my server.xml file:

server.xml

<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" URIEncoding="UTF-8" proxyName="confluence.domain.com" proxyPort="80" scheme="http" />

    <Engine name="Standalone" defaultHost="localhost" debug="0">

      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false">
          <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname="" />
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>

        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
      </Host>

    </Engine>

  </Service>
</Server>

 

IIS Setup

 

Microsoft Application Request Routing 3.0

IIS URL Rewrite Module 2

Web Socket Support

Have the isapi_redirect.dll added under ISAPI and CGI Restrictions.

Default Web Site with isapi_redirect.dll added under ISAPI Filters.

Default Web Site has confluence virtual directory (which I don't think I need because I don't have a context path defined), and jakarta virtual directory that points to C:\ajp_iis\.

I have URL Rewrite configured as described in the last article below, but I'm thinking I might not need this because I'm not accessing the server on a context path? If I disable the URL Rewrite rule I just get an IIS splash page again...

Started this process with:

https://confluence.atlassian.com/conf210/configuration-guide/setting-up-confluence-with-iis

Then moved to:

https://confluence.atlassian.com/conf210/configuration-guide/setting-up-confluence-with-iis/connecting-confluence-with-iis-7

Followed up and got confused by the differences in:

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html

 

I have logs, but I'm not sure which ones you'd want.  Please let me know if there is something else I can provide.
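The files posted above combine two forwarding mechanisms aimed at port 8090: the isapi_redirect worker speaks AJP, the "Confluence Reverse Proxy" rewrite rule speaks HTTP, and server.xml has a single AJP/1.3 connector on that port. The following Python check is an added example (not part of the original post or of Atlassian's documentation) that cross-references the three files and reports any forwarder whose protocol differs from the connector it targets. The function names are hypothetical, the inputs are trimmed, constructed copies of the posted files, and every Rewrite action is assumed to be forwarded as HTTP.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input: trimmed copies of the files posted in the question.
SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN"><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="AJP/1.3" proxyName="confluence.domain.com" proxyPort="80" scheme="http" />
</Service></Server>"""
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="Synchrony HTTP"><match url="synchrony/(.*)" />
    <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" /></rule>
  <rule name="Confluence Reverse Proxy"><match url="(.*)" />
    <action type="Rewrite" url="http://localhost:8090/{R:1}" /></rule>
</rules></rewrite></system.webServer></configuration>"""
WORKERS = "worker.list=ajp13w,jkstatus\nworker.ajp13w.type=ajp13\nworker.ajp13w.host=localhost\nworker.ajp13w.port=8090\nworker.jkstatus.type=status"


def connector_protocols(server_xml):
    """Map each Tomcat <Connector> port to the protocol it listens for."""
    protocols = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when unset
        protocols[int(conn.get("port"))] = "AJP" if "ajp" in proto.lower() else "HTTP"
    return protocols


def proxy_targets(web_config, workers):
    """Yield (source, protocol spoken, backend port) for each IIS-side forwarder."""
    for rule in ET.fromstring(web_config).iter("rule"):
        action = rule.find("action")
        if action is not None and action.get("type") == "Rewrite":
            # Assumption: URL Rewrite/ARR forwards http:// and ws:// targets as HTTP.
            yield f"rewrite rule '{rule.get('name')}'", "HTTP", urlsplit(action.get("url")).port
    props = dict(l.split("=", 1) for l in workers.splitlines() if "=" in l and not l.startswith("#"))
    for key, value in props.items():
        m = re.fullmatch(r"worker\.(\w+)\.type", key)
        if m and value.startswith("ajp"):  # status workers have no backend port
            yield f"jk worker '{m.group(1)}'", "AJP", int(props[f"worker.{m.group(1)}.port"])


def find_mismatches(server_xml, web_config, workers):
    """Report forwarders whose protocol differs from the connector on their target port."""
    connectors = connector_protocols(server_xml)
    return [f"{src} sends {spoken} to port {port}, but that connector listens for {connectors[port]}"
            for src, spoken, port in proxy_targets(web_config, workers)
            if port in connectors and connectors[port] != spoken]  # ports absent from server.xml are skipped


if __name__ == "__main__":
    print("\n".join(find_mismatches(SERVER_XML, WEB_CONFIG, WORKERS)))
```

Port 8091 is skipped because server.xml defines no connector for it; Synchrony listens there as a separate process.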

1 answer

0 votes
Ann Worley Atlassian Team Apr 17, 2018

Hi Michael,

We use this doc for IIS now: Proxying Atlassian server applications with Microsoft Internet Information Services (IIS). I saw how Google finds those other articles you posted if you search for Confluence and IIS, but those docs are for Confluence 2.1.

Please start over just working off that one doc, I am sure you will have a better experience.

Thanks,

Ann

Michael Cote Apr 17, 2018

Thank you for the reply Ann!  I am up and running in terms of IIS and Confluence now.  The next issue is Synchrony.  I have websocket support installed and enabled in IIS, and I've edited my web.config to contain the rules explained at the end of that document you sent.  I've also added the line: 

CATALINA_OPTS=-Dorg.apache.tomcat.websocket.DISABLE_BUILTIN_EXTENSIONS=true %CATALINA_OPTS%

to my Java Options for the Confluence install. I added "-D" to the front of that line; from what I've read that is required for it to be recognized as a system property, and if I open up my System Info on the Confluence server I can see the line there. If I open a page and wait it says the editor didn't start and gives me the link to this page: https://confluence.atlassian.com/confkb/confluence-throws-the-editor-didn-t-load-this-time-error-when-trying-to-edit-a-page-840796639.html. I've tried websockets.org's tool and it appears that websockets are being processed. My next move is to go to HTTPS, but I want to get Synchrony situated first.

Michael Cote Apr 17, 2018

I was able to get this working. I BELIEVE what finally made it work was deleting the synchrony.pid in the C:/Program Files/Atlassian/Confluence/temp/ directory, which I read about in a very hard to find post that I've linked below. The only other change that I made before it started working was adding a line to the system properties:

-Dsynchrony.proxy.enabled=false  which from what I understood should tell Tomcat not to use the internal proxy for Synchrony.  I deleted the line and restarted again and it still works which tells me the below fix was what I needed.  I don't know if this is intentional or not, but this issue cost me hours and hours of circling around and quintuple checking everything. 
