Confluence in Docker Container behind Apache reverse proxy

Hello,

While looking for another problem's solution I came up with a new problem I'm unable to solve.

I had problems accessing templates, deleting or moving pages inside Confluence even when working as Confluence admin:

https://community.atlassian.com/t5/Confluence-questions/Problems-accessing-templates-and-moving-deleting-pages-after/qaq-p/678648?utm_campaign=&utm_content=post&utm_medium=email&utm_source=atlcomm#U679366

 

As a solution I came up with reversing everything to a state before reverse proxying.

But I really need to run Confluence behind that reverse proxy. And that's the problem:

 

Our Confluence instance is running inside a Docker container. Both port 8090 and 8091 are accessible from the host (e.g. http://localhost:8090).

In front of this docker container the reverse proxy is running, configured as described here. Apache version is 2.4.25

This is the actual server.xml file (removed some domain info for security reasons):

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <Connector port="8090" secure="true" scheme="https" proxyName="wiki.xxxxx.tld" proxyPort="443" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

        <Engine name="Standalone" defaultHost="localhost" debug="0">

            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname="" />
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
                </Context>
            </Host>

        </Engine>

        <!--
            To run Confluence via HTTPS:
             * Uncomment the Connector below
             * Execute:
                 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
                 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
               with a password value of "changeit" for both the certificate and the keystore itself.
             * Restart and visit https://localhost:8443/

             For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
        -->
<!--
        <Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->
    </Service>
</Server>

I think the best option is running Confluence behind the reverse proxy without SSL, so the connection between reverse proxy and Docker container is not encrypted. That is why the last part in server.xml is commented out (beginning from "To run Confluence via HTTPS:").

I believe the magic is happening in line 3 "<Connector ...". But how about the redirectPort? It is set by default to port 8443, but I do not use it because of no HTTPS. Can I change it to 8090 to make it work? And is proxyPort="443" necessary when setting scheme="https"?

((Confluence) Docker) --- http:// --- (Apache reverse proxy) --- https:// --- (I-NET)

Any ideas?

 

Regards

Olaf

1 answer

1 accepted

The most common configuration is to terminate SSL at the proxy and use the http connector in Confluence's server.xml. The connector directive should keep all the defaults, including the redirect port, but add proxyName, proxyPort and scheme. 

This article explains the function of the connector support for the proxy: Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.

In this example, the proxy is not serving SSL so the scheme and proxyPort are http and 80. If you do use https to access Confluence then you would use https and port 443.

3. Configure the Connector directive

Hello Ann,

 

I followed your post above and changed the connector settings for proxyName and proxyPort:

proxyName="<external site name>"

proxyPort="443"

Generally, just changing these two directives did not work...

But there still was this redirectPort="8443" coming from default settings. Since I wanted to connect to a non-SSL port behind the reverse proxy I set redirectPort="" (empty) to suppress redirecting. I believe redirectPort="8090" should also work here.

I found that some URLs seen in Apache log files show up with "http://wiki.xxxx.tld:443" instead of "https://...". So I also changed scheme="http" to scheme="https" and secure="false" to secure="true".

So the absolute URLs created by the Tomcat server seem to be correct now.

Finally my connector settings in server.xml look like this:

<Connector port="8090" secure="true" scheme="https" proxyName="wiki.xxxx.tld" proxyPort="443" connectionTimeout="20000" redirectPort=""
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

I've checked everything we discussed before (access to templates and also moving/copying pages) and all seems to work now.

 

And just to say that again:

Make sure to modify the baseline URL inside Confluence and change http:// to https://

If you don't do so this could lead to partially insecure data transfers, as using http in the baseline URL will send some pieces of content via unencrypted connections.

 

Regards,

Olaf

Ann Worley Atlassian Team Nov 30, 2017

Thanks for the detailed follow-up post!
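The connector behaviour discussed in this thread, as an added example that is not part of the original posts and is not Atlassian or Tomcat code: it parses a server.xml, derives the base URL a web application would build from `scheme`, `proxyName` and `proxyPort`, and reports attributes that do not match a proxy terminating TLS. The function names, the hostname `wiki.example.tld` and both sample documents are constructed for illustration, and the URL construction is a simplified model of the behaviour quoted from the Tomcat documentation above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: proxyName/proxyPort added, scheme/secure still at HTTP values.
BEFORE = '''<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" proxyName="wiki.example.tld" proxyPort="443"
             scheme="http" secure="false" redirectPort="8443"/>
</Service></Server>'''
# Constructed sample: the same connector with scheme and secure switched.
AFTER = BEFORE.replace('scheme="http"', 'scheme="https"').replace(
    'secure="false"', 'secure="true"')

DEFAULT_PORT = {"http": "80", "https": "443"}

def external_base(conn):
    """Base URL a webapp would build from scheme, server name and server port."""
    scheme = conn.get("scheme", "http")  # Tomcat's default scheme is http
    # Simplification: without proxyName/proxyPort the real values come from
    # the request that arrived on the hop between proxy and Tomcat.
    name = conn.get("proxyName", "<name from request>")
    port = conn.get("proxyPort", conn.get("port", ""))
    suffix = "" if port == DEFAULT_PORT.get(scheme) else ":" + port
    return f"{scheme}://{name}{suffix}"

def check_connector(conn, public_scheme="https"):
    """Return findings for a connector behind a proxy that terminates TLS."""
    findings = []
    scheme = conn.get("scheme", "http")
    if not conn.get("proxyName") or not conn.get("proxyPort"):
        findings.append("proxyName/proxyPort missing: URLs reflect the internal hop")
    if scheme != public_scheme:
        findings.append(f"scheme={scheme} but clients use {public_scheme}")
    if public_scheme == "https" and conn.get("secure", "false") != "true":
        findings.append("secure is not true: request.isSecure() reports false")
    return findings

def audit(server_xml):
    """Map each connector's port to (generated base URL, findings)."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): (external_base(c), check_connector(c))
            for c in root.iter("Connector")}

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        for port, (url, findings) in audit(doc).items():
            print(label, port, url, findings or "ok")
```

The "before" sample reproduces the mixed `http://...:443` form mentioned in the follow-up post; the "after" sample yields a plain `https://` base URL with no findings.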
