Confluence in Docker Container behind Apache reverse proxy

Olaf Koester November 27, 2017

Hello,

While looking for another problem's solution I came up with a new problem I'm unable to solve.

I had problems accessing templates, deleting or moving pages inside Confluence even when working as Confluence admin:

https://community.atlassian.com/t5/Confluence-questions/Problems-accessing-templates-and-moving-deleting-pages-after/qaq-p/678648?utm_campaign=&utm_content=post&utm_medium=email&utm_source=atlcomm#U679366


As a solution I came up with reversing everything to a state before reverse proxying.

But I really need to run Confluence behind that reverse proxy. And that's the problem:


Our Confluence instance is running inside a Docker container. Both ports 8090 and 8091 are accessible from the host (e.g. http://localhost:8090).

In front of this Docker container the reverse proxy is running, configured as described here. Apache version is 2.4.25.

This is the actual server.xml file (removed some domain info for security reasons):

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <Connector port="8090" secure="true" scheme="https" proxyName="wiki.xxxxx.tld" proxyPort="443" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

        <Engine name="Standalone" defaultHost="localhost" debug="0">

            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname="" />
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
                </Context>
            </Host>

        </Engine>

        <!--
            To run Confluence via HTTPS:
             * Uncomment the Connector below
             * Execute:
                 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
                 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
               with a password value of "changeit" for both the certificate and the keystore itself.
             * Restart and visit https://localhost:8443/

             For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
        -->
<!--
        <Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->
    </Service>
</Server>

I think the best option is running Confluence behind the reverse proxy without SSL, so the connection between reverse proxy and Docker container is not encrypted. That is why the last part in server.xml is commented out (beginning from "To run Confluence via HTTPS:").

I believe the magic is happening in line 3, "<Connector ...". But how about the redirectPort? It is set by default to port 8443, but I do not use it because there is no HTTPS. Can I change it to 8090 to make it work? And is proxyPort="443" necessary when setting scheme="https"?

((Confluence) Docker) --- http:// --- (Apache reverse proxy) --- https:// --- (I-NET)

Any ideas?


Regards

Olaf

1 answer

1 accepted

2 votes
Answer accepted
AnnWorley
Atlassian Team
November 28, 2017

The most common configuration is to terminate SSL at the proxy and use the http connector in Confluence's server.xml. The connector directive should keep all the defaults, including the redirect port, but add proxyName, proxyPort and scheme. 

This article explains the function of the connector support for the proxy: Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.

In this example, the proxy is not serving SSL so the scheme and proxyPort are http and 80. If you do use https to access Confluence then you would use https and port 443.

3. Configure the Connector directive

Olaf Koester November 29, 2017

Hello Ann,


I followed your post above and changed the connector settings for proxyName and proxyPort:

proxyName="<external site name>"

proxyPort="443"

Generally, just changing these two directives did not work...

But there still was this redirectPort="8443" coming from the default settings. Since I wanted to connect to a non-SSL port behind the reverse proxy I set redirectPort="" (empty) to suppress redirecting. I believe redirectPort="8090" should also work here.

I found that some URLs seen in the Apache log files show up with "http://wiki.xxxx.tld:443" instead of "https://...". So I also changed scheme="http" to scheme="https" and secure="false" to secure="true".

So the absolute URLs created by the Tomcat server seem to be correct now.

Finally my connector settings in server.xml look like this:

<Connector port="8090" secure="true" scheme="https" proxyName="wiki.xxxx.tld" proxyPort="443" connectionTimeout="20000" redirectPort=""
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

I've checked everything we discussed before (access to templates and also moving/copying pages) and all of it seems to work now.


And just to say that again:

Make sure to modify the baseline URL inside Confluence and change http:// to https://

If you don't do so, this could lead to partially insecure data transfers, as using http in the baseline URL will send some pieces of content via unencrypted connections.


Regards,

Olaf

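Added worked example (not code from this thread, from Atlassian or from Tomcat): a small Python model of the rule Ann quotes from the Tomcat docs, namely that proxyName and proxyPort replace what request.getServerName() and request.getServerPort() return, while scheme and secure feed request.getScheme() and request.isSecure(). It composes the absolute URL a redirect would carry for three connector shapes and lints a connector for a proxy that terminates TLS on 443, including the base-URL point from Olaf's follow-up. The host name wiki.example.tld, the three sample connectors and all function names are constructed for the example; Tomcat itself is not involved.

```python
# Added example: a model of how Tomcat derives absolute URLs from <Connector>
# attributes. Not Tomcat code; the three sample connectors, the host name
# wiki.example.tld and the function names are constructed for illustration.
import xml.etree.ElementTree as ET

# Ports a URL composer leaves out because they are the scheme's default.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample connectors, trimmed to the attributes that matter here.
DEFAULT_CONNECTOR = '<Connector port="8090" redirectPort="8443"/>'
# proxyName/proxyPort set, but scheme/secure still at their defaults
PARTIAL_CONNECTOR = ('<Connector port="8090" proxyName="wiki.example.tld" '
                     'proxyPort="443" redirectPort="8443"/>')
# the shape the thread ends up with
FINAL_CONNECTOR = ('<Connector port="8090" secure="true" scheme="https" '
                   'proxyName="wiki.example.tld" proxyPort="443" redirectPort=""/>')


def connector_attrs(xml_text):
    """Parse one <Connector .../> element into a dict of its attributes."""
    return dict(ET.fromstring(xml_text).attrib)


def server_name(attrs, host_header):
    """Model of request.getServerName(): proxyName wins over the Host header."""
    return attrs.get("proxyName") or host_header


def server_port(attrs):
    """Model of request.getServerPort(): proxyPort wins over the connector port."""
    return int(attrs.get("proxyPort") or attrs["port"])


def absolute_url(attrs, path, host_header="localhost"):
    """Absolute URL for a redirect: scheme://name[:port]path, with the port
    omitted when it is the default for the scheme. A connector with
    proxyPort="443" but scheme="http" therefore yields http://host:443/...,
    which is the pattern Olaf saw in the Apache logs."""
    scheme = attrs.get("scheme", "http")
    name = server_name(attrs, host_header)
    port = server_port(attrs)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{name}{path}"
    return f"{scheme}://{name}:{port}{path}"


def redirect_port_matters(attrs):
    """redirectPort is consulted only when a request on a non-secure connector
    must be upgraded to a secure one; with secure="true" it is never used."""
    return attrs.get("secure", "false").lower() != "true"


def lint_tls_terminating_proxy(attrs, base_url):
    """Findings for a connector behind a proxy that terminates TLS on port 443."""
    findings = []
    if not attrs.get("proxyName"):
        findings.append("proxyName missing: redirects carry the internal host name")
    if attrs.get("proxyPort") != "443":
        findings.append("proxyPort is not 443: redirects carry the wrong port")
    if attrs.get("scheme") != "https":
        findings.append("scheme is not https: absolute URLs come out as http://host:443")
    if attrs.get("secure", "false").lower() != "true":
        findings.append("secure is not true: request.isSecure() reports plaintext")
    if not base_url.lower().startswith("https://"):
        findings.append("base URL is not https://: some content is linked over plaintext")
    return findings


if __name__ == "__main__":
    samples = [("default", DEFAULT_CONNECTOR),
               ("partial", PARTIAL_CONNECTOR),
               ("final", FINAL_CONNECTOR)]
    for label, xml in samples:
        a = connector_attrs(xml)
        print(label, "->", absolute_url(a, "/login.action"),
              "(redirectPort in play:", redirect_port_matters(a), ")")
        for finding in lint_tls_terminating_proxy(a, "https://wiki.example.tld"):
            print("   -", finding)
```

Running it prints the three redirect forms side by side: the default connector redirects to http://localhost:8090/..., the partial one to http://wiki.example.tld:443/..., and the final one to https://wiki.example.tld/..., and the lint is empty only for the final shape paired with an https:// base URL.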
AnnWorley
Atlassian Team
November 30, 2017

Thanks for the detailed follow-up post!
