Confluence redirectPort Change Not Redirecting

Hi Stephen,

Happy New Year!

I followed the instructions to a T and have everything running, the only error I have now is the below:

Tomcat config is incorrect

The Tomcat server.xml has an incorrect configuration:

scheme should be 'https'
proxyName should be 'confluence.example.com'
proxyPort should be '443'

I read the help guide and the link from the troubleshoot item in the dialog box, I seem to have everything properly inserted.

Everything else is working great. I have the exact server.xml for confluence as posted here, I've looked over it multiple times but cannot seem to find any errors:

 <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
 maxThreads="48" minSpareThreads="10"
 enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 proxyName="confluence.example.com" proxyPort="443" scheme="https" />
 <Engine name="Standalone" defaultHost="localhost" debug="0">

Spot anything out of place with the above item?

Thanks,

Bill

Bill,

What version of Confluence are you running and can I get a look at your full Confluence server.xml?

Version - 6.6.0

<Server port="8000" shutdown="SHUTDOWN" debug="0">
 <Service name="Tomcat-Standalone">
 <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
 maxThreads="48" minSpareThreads="10"
 enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 proxyName="confluence.example.com" proxyPort="443" scheme="https" />
 <Engine name="Standalone" defaultHost="localhost" debug="0">

<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
 <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
 <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
 <Manager pathname="" />
 <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
 </Context>

<Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
 <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
 </Context>
 </Host>

</Engine>

<!--
 To run Confluence via HTTPS:
 * Uncomment the Connector below
 * Execute:
 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
 with a password value of "changeit" for both the certificate and the keystore itself.
 * Restart and visit https://localhost:8443/

For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
 -->
<!--
 <Connector port="8443" maxHttpHeaderSize="8192"
 maxThreads="150" minSpareThreads="25"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
 URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->
 </Service>
</Server> 

Bill,

I believe the message you're seeing is from a health check in Confluence. Specifically, the one described in Can't check base URL warning in Confluence 6.6 or later.

This indicates that Confluence doesn't believe Tomcat is configured correctly, but I can confirm your server.xml looks like it should work.

The only way this makes any sense is if Confluence hasn't loaded the current configuration.

Please try stopping and starting Confluence.

From an external source it seems to be fine without the error, intranet is experiencing the error.

I'm pretty sure that it's all setup properly now, wish I could disable that prompt, it's annoying to close it every time.

Bill,

Are you using a different fully qualified domain name (something other than confluence.example.com) to access Confluence internally?

It's also worth checking the base URL to make sure it's HTTPS (didn't see any mention of this elsewhere in the thread yet). Because of the 301 redirect in nginx your requests are still getting served if it's just http, but Confluence isn't getting the address it's expecting during a healthcheck. We've seen that warning in the past when tweaking settings, always good to take a peek and rule that out!

Thanks Guys,

So it was late when I posted about external not receiving the error, I tested externally today from my laptop with fresh browser cache and received the misconfigured proxy error.

Is it possible to do a screen share with someone to see the behavior I'm experiencing?

I double checked the base url and it was set to https. I altered the domain to mask it here, but it is correct.

I restarted the server and let everything come up fresh, the confluence error is now gone.

This solves the problem I had and I am very thankful for the assistance.

I'll open a new ticket for the application links issues I'm experiencing now. I added the certificate to the trust but that only fixed bitbucket. 

Fun stuff here :)

Hi Ann,

The NGINX with SSL link you provided was the original link I used to configure the proxy, again this is already working fine with JIRA and bitbucket. I added a stanza for Confluence listening on the custom 'redirectPort' assigned in the server.xml file.

The remaining links you sent me do not go into any specific detail with the 'redirectPort' except for a one liner explanation. It's not giving me any direction to find out why it's not redirecting appropriately.

Since NGINX is handling the SSL portion, there is no need to configure confluence for Step 5. Add a Security... [The redirect works fine as well from the proxy side.]

So, I'm still landing at the original question. Why does the redirectPort not trigger appropriately?

From your description it sounds like the desired behavior is:

• NGINX to terminate SSL and listen to the connector on port 8090. 
• The proxy then directs requests for https://guide.example.com or http://guide.example.com to http://server:8090, while showing https://guide.example.com in the browser.

The redirect port in server.xml is only useful if you are using a security constraint in the web.xml file. This is only configured when the redirect is happening at the Tomcat level. It is my understanding that you are redirecting requests via NGINX and not Tomcat.

Some tips on redirecting http to https in NGINX are on this page: I want to rewrite all http requests on my web server to be https requests

Please let me know if I am missing anything about your case.

Hi Ann,

Thank you so much for your patience. I took some time to go over each link you've sent my way. All the information is correct, and I've went over the configuration line by line.

I'm currently running JIRA and Bitbucket behind the NGINX Proxy without any issues, they both use the redirectPort of 8445 and 9443 respectively.

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
 worker_connections 768;
 # multi_accept on;
}

http {
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';

 access_log /var/log/nginx/access.log main;

 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
 keepalive_timeout 65;
 types_hash_max_size 2048;
 client_max_body_size 100m;

 include /etc/nginx/mime.types;
 default_type application/octet-stream;

 # Load modular configuration files from the /etc/nginx/conf.d directory.
 # See http://nginx.org/en/docs/ngx_core_module.html#include
 # for more information.
 include /etc/nginx/conf.d/*.conf;

server {
 listen 80 default_server;
 listen [::]:80 default_server ipv6only=on;

 # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
 return 301 https://$host$request_uri;
}

server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;

 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 ssl_certificate /var/www/ssl-cert/example.com_ssl_certificate.cer;
 ssl_certificate_key /var/www/ssl-cert/example.com_private_key.key;
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;

 # modern configuration. tweak to your needs.
 ssl_protocols TLSv1.2 SSLv2 SSLv3;
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA$
 ssl_prefer_server_ciphers on;

 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;

 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;

 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /var/www/ssl-cert/example.com.chained.pem;

 resolver 10.10.1.3;
}

server {
 listen 10.10.1.5:8445 ssl;
 server_name jira.example.com;

 ssl_certificate /var/www/ssl-cert/example.com_ssl_certificate.cer;
 ssl_certificate_key /var/www/ssl-cert/example.com_private_key.key;

 location / {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:8080/;
 client_max_body_size 10M;
 }
}

server {
 listen 10.10.1.5:9443 ssl;
 server_name git.example.com;

 ssl_certificate /var/www/ssl-cert/example.com_ssl_certificate.cer;
 ssl_certificate_key /var/www/ssl-cert/example.com_private_key.key;

 location / {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:7990/;
 client_max_body_size 10M;
 }
}

server {
 listen 10.10.1.5:8443 ssl;
 server_name confluence.example.com;

 ssl_certificate /var/www/ssl-cert/example.com_ssl_certificate.cer;
 ssl_certificate_key /var/www/ssl-cert/example.com_private_key.key;

 location / {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:8090/;
 client_max_body_size 100M;
 }
 location /synchrony {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:8091/synchrony;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 }
}

 So, just like JIRA and BitBucket, I'd like Confluence to operate in the same manner.

Currently when I attempt to visit https://confluence.example.com I am re-directed to https://confluence.example.com:8443/login.action?os_destination=%2Findex.action&permissionViolation=true

Confluence server.xml

<Server port="8000" shutdown="SHUTDOWN" debug="0">
 <Service name="Tomcat-Standalone"> 
<Connector port="8090"

 maxThreads="48"
 minSpareThreads="10"
 connectionTimeout="20000"
 debug="0"
 enableLookups="false"
 maxHttpHeaderSize="8192"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 URIEncoding="UTF-8"
 useBodyEncodingForURI="true"
 redirectPort="8443"
 acceptCount="10"
 disableUploadTimeout="true"
 bindOnInit="false"
 proxyName="confluence.example.com"
 scheme="https"
 proxyPort="443"/>

 <Engine name="Standalone" defaultHost="localhost" debug="0">

 <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
 <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
 <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
 <Manager pathname="" />
 <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
 </Context>

 <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
 <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
 </Context>
 </Host>

 </Engine>

 <!--
 To run Confluence via HTTPS:
 * Uncomment the Connector below
 * Execute:
 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
 with a password value of "changeit" for both the certificate and the keystore itself.
 * Restart and visit https://localhost:8443/

 For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
 -->
<!--
 <Connector port="8443" maxHttpHeaderSize="8192"
 maxThreads="150" minSpareThreads="25"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
 URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->
 </Service>
</Server>

So, this is why I'm asking about the redirectPort, it's how JIRA and BitBucket operate and I didn't have to do anything extra with them for them to startup and function properly.

Please advise on what I may be missing?

Based on our docs the following:

server {
 listen 10.10.1.5:8443 ssl;
 server_name confluence.example.com;

should be:

server {
listen confluence.example.com:80;
server_name confluence.example.com

listen 443 default ssl;

I am curious how the connectors are set up in the server.xml file for Jira. If you have time to redact and post it, it may help me understand why it works when the Confluence setup does not.

Thanks Ann,

Default bind on port 80 redirects all requests to https.

 # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
 return 301 https://$host$request_uri;

So I can't bind port 80 as in your example, it would prevent nginx from starting.

JIRA Connector

<?xml version="1.0" encoding="utf-8"?>

<Server port="8005" shutdown="SHUTDOWN">
 <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
 <!-- Security listener. Documentation at /docs/config/listeners.html
 <Listener className="org.apache.catalina.security.SecurityListener" />
 -->
 <!--APR library loader. Documentation at /docs/apr.html -->
 <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
 <!-- Prevent memory leaks due to use of particular java/javax APIs-->
 <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
 <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
 <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
 
<Service name="Catalina">

 <Connector port="8080"

 maxThreads="150"
 minSpareThreads="25"
 connectionTimeout="20000"

 enableLookups="false"
 maxHttpHeaderSize="8192"
 protocol="HTTP/1.1"
 useBodyEncodingForURI="true"
 redirectPort="8445"
 acceptCount="100"
 disableUploadTimeout="true"
 bindOnInit="false"
 proxyName="jira.example.com"
 scheme="https"
 secure="true"
 proxyPort="443"/>

 <Engine name="Catalina" defaultHost="localhost">
 <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

 <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">


 <!--
 ====================================================================================

 Note, you no longer configure your database driver or connection parameters here.
 These are configured through the UI during application setup.

 ====================================================================================
 -->

 <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
 factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
 <Manager pathname=""/>
 <JarScanner scanManifest="false"/>
 </Context>

 </Host>
 <Valve className="org.apache.catalina.valves.AccessLogValve"
 pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.ass$

 </Engine>
 </Service>
</Server>

I've removed much of the commentary from the file to cut down on how much space it would take up here.