Confluence in Docker Container behind Apache reverse proxy


While looking for another problem's solution I came up with a new problem I'm unable to solve.

I had problems accessing templates, deleting or moving pages inside Confluence even when working as Confluence admin:


As a solution I came up with reversing everything to a state before reverse proxying.

But I really need to run Confluence behind that reverse proxy. And that's the problem:


Our Confluence instance is running inside a docker container. Both port 8090 and 8091 are accessible from the host (e.g. http://localhost:8090)

In front of this docker container the reverse proxy is running, configured as described here. Apache version is 2.4.25

This is the actual server.xml file (removed some domain info for security reasons):

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <Connector port="8090" secure="true" scheme="https" proxyName="wiki.xxxxx.tld" proxyPort="443" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

        <Engine name="Standalone" defaultHost="localhost" debug="0">

            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/ -->
                    <Manager pathname="" />
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
                </Context>
            </Host>
        </Engine>

        <!--
            To run Confluence via HTTPS:
             * Uncomment the Connector below
             * Execute:
                 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
                 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
               with a password value of "changeit" for both the certificate and the keystore itself.
             * Restart and visit https://localhost:8443/

             For more info, see
        <Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
        -->
    </Service>
</Server>

I think the best option is running confluence behind the reverse proxy without SSL, so the connection between reverse proxy and docker container is not encrypted. That is why the last part in server.xml is commented out (beginning from "To run confluence via HTTPS:").

I believe the magic is happening in line 3 "<Connector ...". But how about the redirectPort? It is set by default to port 8443, but I do not use it because of no HTTPS. Can I change it to 8090 to make it work? And is proxyPort="443" necessary when setting scheme="https"?

((Confluence) Docker) --- http:// --- (Apache reverse proxy) --- https:// --- (I-NET)

Any ideas?




Answer accepted

The most common configuration is to terminate SSL at the proxy and use the http connector in Confluence's server.xml. The connector directive should keep all the defaults, including the redirect port, but add proxyName, proxyPort and scheme. 

This article explains the function of the connector support for the proxy: Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.

In this example, the proxy is not serving SSL so the scheme and proxyPort are http and 80. If you do use https to access Confluence then you would use https and port 443.

3. Configure the Connector directive

Hello Ann,


I followed your post above and changed the connector settings for proxyName and ProxyPort:

proxyName="<external site name>"


Generally, just changing these two directives did not work...

But there still was this redirectPort="8443" coming from default settings. Since I wanted to connect to a non-SSL port behind the reverse proxy I set redirectPort="" (empty) to suppress redirecting. I believe redirectPort="8090" should also work here.

I found that some URLs seen in apache log files show up with "http://wiki.xxxx.tld:443" instead of "https://...". So I also changed scheme="http" to scheme="https" and secure="false" to secure="true".

So the absolute URLs created by tomcat server seem to be correct now.

Finally my connector settings in server.xml look like this:

<Connector port="8090" secure="true" scheme="https" proxyName="wiki.xxxx.tld" proxyPort="443" connectionTimeout="20000" redirectPort=""
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

I've checked everything we discussed before (access to templates and also moving/copying pages) and all seem to work now.


And just to say that again:

Make sure to modify the baseline URL inside Confluence and change http:// to https://

If you don't do so this could lead to partially insecure data transfers as using http in baseline URL will send some pieces of content via unencrypted connections.




Ann Worley Atlassian Team Nov 30, 2017

Thanks for the detailed follow-up post!
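
An added example, not part of the original thread and not Atlassian's code: a Python check that parses server.xml, derives the base URL an application builds from the connector's scheme, proxyName and proxyPort, and flags connectors that disagree with a TLS-terminating proxy. The two sample connectors are constructed from the settings described in the thread; the function names and the `backend-host` stand-in are assumptions.

```python
import xml.etree.ElementTree as ET

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed samples based on the thread: the connector with proxyName/proxyPort
# set but scheme/secure untouched, and the connector the poster settled on.
BEFORE = """<Service><Connector port="8090" secure="false" scheme="http"
    proxyName="wiki.xxxx.tld" proxyPort="443" redirectPort="8443" /></Service>"""
AFTER = """<Service><Connector port="8090" secure="true" scheme="https"
    proxyName="wiki.xxxx.tld" proxyPort="443" redirectPort="" /></Service>"""


def external_base_url(conn):
    """Base URL an application derives from getScheme/getServerName/getServerPort."""
    scheme = conn.get("scheme", "http")
    # "backend-host" is a stand-in (assumption) for the name the proxy connected to.
    name = conn.get("proxyName") or "backend-host"
    port = int(conn.get("proxyPort") or conn.get("port"))
    # The port is left out of the URL only when it is the default for the scheme.
    suffix = "" if DEFAULT_PORTS.get(scheme) == port else f":{port}"
    return f"{scheme}://{name}{suffix}"


def lint_connector(conn, public_scheme="https"):
    """Return findings for a connector that sits behind a TLS-terminating proxy."""
    findings = []
    for attr in ("proxyName", "proxyPort"):
        if not conn.get(attr):
            findings.append(f"{attr} not set: URLs will point at the backend")
    if conn.get("scheme", "http") != public_scheme:
        findings.append(
            f"scheme is not {public_scheme}: URLs start with {external_base_url(conn)}")
    want_secure = "true" if public_scheme == "https" else "false"
    if conn.get("secure", "false") != want_secure:
        findings.append(f"secure should be {want_secure} to match what clients use")
    return findings


def audit(server_xml, public_scheme="https"):
    """Map each connector port to (derived base URL, findings)."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): (external_base_url(c), lint_connector(c, public_scheme))
            for c in root.iter("Connector")}


if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(xml))
```

The "before" connector reproduces the `http://wiki.xxxx.tld:443` URLs seen in the Apache logs, and the "after" connector yields `https://wiki.xxxx.tld` with no findings.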
