Confluence via IIS is slow

I have set up Confluence via IIS redirection using port 80 as described in the many instructions. However, page access is about 10x slower now than if i connect directly to confluence via the 8090 port. Is there any way to make this fast again? If i deploy this, i'm sure i will catch a bunch of heck over the speed of the page loads.

System: Windows Server 2008 R2, IIS 7.5 (i think that is the right version, it's at least 7 obviously)

Confluence 4.3.2

Let me know if you have any suggestions or need more information to help. Thanks.

3 answers

1 accepted

Well, i was able to make the rewriting of the URL extremely fast, but it is completely different from the directions given by Atlassian. Anyone needing to use IIS or wanting the additional features of using IIS, should follow my directions below:

  1. Install IIS as in normal directions (https://confluence.atlassian.com/display/CONFKB/How+To+Setup+Confluence+with+IIS)
  2. Install Confluence if you haven’t already
  3. Do not change any of the config files in Confluence, it is not necessary (IIS will do the rest)
  4. Search google for “Microsoft Application Request Routing Version 2 for IIS 7”
    1. Since links change all the time, find the download link from Microsoft.
  5. Run downloaded file as Administrator by right clicking on the file.
  6. Close your IIS management window if you have it open still, then Open it again.
    1. This will ensure the new options are available from the ARR install
  7. Follow the directions on the following site: http://www.iisadmin.co.uk/?p=326&page=2
  8. Here are the directions that I followed if that site no longer works.
  9. Click the server heading in the IIS manager
  10. Double Click the Application Request Routing Cache
  11. On the right click on Server Proxy Settings
  12. Check the Enable Proxy box.
  13. If redirects are expected out of your application (Fisheye in particular) and you are sure they will redirect to the correct application URL:
    1. Uncheck “Reverse rewrite host in response headers” checkbox
  14. Click Apply
  15. Now here is where some people’s configurations may differ. I am going to use Host headers to separate my applications on the server instead of child folders
    1. E.G. http://confluence.company.com instead of http://www.company.com/confluence
    2. With some tweaks which I will point out this can be used either way.
  16. Create new blank site
    1. Give it a new home directory
    2. Type in your hostname (e.g. confluence)
    3. Click OK
  17. Add additional Bindings as necessary (e.g. confluence.vitalimages.com)
  18. Click on new site to view options
  19. Open URL Rewrite
  20. Click Add Rule(s) on right
    1. Easier Method:
      1. Select Reverse Proxy
      2. Click OK
      3. Enter your server name (e.g. srv-atlasdev1:8090)
      4. Click OK
      5. Rename Rule
    2. Manual Method:
      1. Select Blank Rule from the Inbound Rules section
      2. Click OK
      3. Name your rule (e.g. Confluence)
      4. Pattern = (.*)
      5. Under Action, in the Rewrite URL box:
        1. http://srv-atlasdev:8090/{R:1}
      6. Click Apply
  21. Click Add Rule(s) again
    1. Select Blank Rule from the Outbound Rules section
    2. Name your Rule (e.g. Handle Internal Redirects)
    3. Select <Create New Precondition…> from the drop down
    4. Name your Precondition (e.g. Redirects)
    5. Click Add
    6. Set Condition Input to {RESPONSE_STATUS}
    7. Set Pattern to 3[0-9][0-9] or 3\d\d (whatever you’re comfortable with
    8. Click OK
    9. Under the Match Section
      1. Matching scope: Server Variable
      2. Variable Name: RESPONSE_Location
      3. Pattern: use the same base URL as in your Inbound Rule (e.g. http://srv-atlasdev1:8090/(.*) )
    10. Under the Action Section
      1. Action Type: Leave as Rewrite
      2. Value: http://confluence.company.com/{R:1} or http://www.company.com/confluence/{R:1} depending on the method you configured your proxy above.
    11. Click Apply
  22. Allow double escaping:
    1. Globally: appcmd set config /section:requestfiltering /allowdoubleescaping:true
    2. Locally to your one site:
      1. Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
    3. OR Add the following to your web.config:
      1. <security>
      2. <requestFiltering allowDoubleEscaping="true" />
      3. </security>
  23. Disable Output Caching
    1. On the Site Home screen in IIS Manager double click on "Output Caching"
    2. On the right side under Actions, click on Edit Feature Settings
    3. Uncheck Enable Cache and Enable kernel cache
    4. Click OK
  24. Increase URL and Request length limits:
    1. Double click on Request Filtering per site
    2. Click "Edit Feature Settings" on right side
    3. Set Request Limits section:
      1. Max allowed: 30000000
      2. Max URL: 16394
      3. Max Query: 8192
  25. FishEye Only:
    1. Remove File Name Extension Restrictions from Request Filtering:
      1. Double click on Request Filtering
      2. Right click each file extension
      3. Click Remove
      4. Alternate way is to add the values to the web.config file in the following pattern:
        1. <configuration>
          <system.webServer>
          <security>
          <requestFiltering allowDoubleEscaping="true">
          <fileExtensions>
          <remove fileExtension=".csproj" />
          </fileExtensions>
          </requestFiltering>
          </security>
  26. iisreset
  27. access site via new name

Special Notes:

  • Substitute fisheye in place of confluence anywhere needed and the fisheye ports for this to work with fisheye.
  • This also allows you to use IIS to control SSH communication and enforce SSH
  • If you want to use URLs such as http://www.company.com/confluence simply change your Pattern in your URL Rewrite Rule to (confluence.*)

I referenced some of the directions found here: http://www.iisadmin.co.uk/?p=326&page=2

However, they are not directly related to confluence or my configuration, so i included my exact method above.

Let me know if you have any questions.

Thanks for the instructions! Everything listed worked, but I had to perform one additional step... In the conf\server.xml file, I had to add the ProxyName="your.web.address" and ProxyPort="your proxy port" to the connector element. After that, it just worked.

Quick question - did you put your URL Rewrite rules at the global or site level, and what led you to do it one way over the other?

The Rewrite rules are at the site level. The only thing at the global level is turning on the proxy and unchecking the "Reverse rewrite host in response headers" checkbox. The reason we did it at the site level is so that we already can limit the traffic going into the Rewrite rules via host headers in IIS thus making the Rewrite rules easier to configure. We did this because we are running Confluence and Fisheye on the same machine running through IIS as a proxy. Then we just use host headers to split them out as href="https://confluence.company.com%20">https://confluence.company.com and http://fisheye.company.com.

I have added 3 additional sections to my guide

  1. Disable Output Caching --> we were seeing problems where users were suddenly logged in as other users and didn't know it, it was because IIS was caching output from the atlassian product, so if 2 people would log in at nearly the same time, one would get the tolken of the other.
  2. Increase URL and Request length limits --> saw an issue where Text gadgets in JIRA were not being displayed because they had a lot of information in them. It is still not perfect, it will still prevent some Extremely long gadgets from being displayed, but if you are documenting information in JIRA gadgets, you should probably use something else like Confluence.
  3. FishEye Only: File Extension Restrictions --> since the Fisheye web server is custom, it doesn't actually run file extensions that are in the URL, it displays them in the browser, but IIS doesn't know this, so you have to remove the restrictions so that it passes through fine and isn't blocked resulting in a 404 error.

Hope that helps some others.

Hi, I performed this config and it worked well. I was wondering if you have any idea on how to get it to work using https (SSL)

@Isaac, I have it working with SSL currently. All you have to do is set up SSL as per normal on the IIS site, and IIS will take care of all the SSL stuff. If you are using Host Headers to host multiple instances of Confluence or even other web services, then you will have to create a SAN (Subject Alternate Name) Cert or Wildcard cert to use with IIS. Also, you would then have to use the command line to set the host headers for the different sites in IIS because as of IIS7 it only allows a single Cert to be used for all sites, and does not allow the use of host headers.

Here is the command to set host headers with SSL on your IIS sites:

C:\Windows\System32\inetsrv\appcmd set site /site.name:"&lt;IISSiteName&gt;" /+bindings.[protocol='https',bindingInformation='*:443:&lt;hostHeaderValue&gt;']

Thanks for the quick response, currently we only have one instace per server, so I'm guessing it should be a simple task. I'm not familiar with IIS at all thats why is taking me a bit of an effort. thanks again for the help

If you haven't done SSL in IIS before, i would start with the following guide: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis#IISManager

This only shows how to do a self-signed cert, which means that users will get a certificate error unless they install the cert into their trusted store.

If you get a CA signed cert, then you can probably start with this guide in order to get the Cert onto your server. Then it will be available in the SSL Certificate dropdown in IIS. http://technet.microsoft.com/en-us/library/cc754489.aspx

Hope that leads you in the right direction.

I followed the instructions, added the https bind. Still nothing. I'm able to access it via http but https no I get this

502 - Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

Did you do any other modification to the IIS settings or to the confluence server.xml??

You do have to tell Confluence Tomcat that you are accessing it via a proxy by adding the following lines to your Connector in your server.xml:

scheme="https"
proxyPort="443"
proxyName="confluence.company.com"

Other than that, i think i included everything in my guide above. Let me know if that helps.

Hello Adam,

Being honest with you, actually IIS is not a supported platform for Confluence so it will be a little hard to troubleshoot this. As a first approach I would suggest you to double-check the steps of this configuration based on the following article:

https://confluence.atlassian.com/display/CONFKB/How+To+Setup+Confluence+with+IIS

Maybe there's some detail in the configuration of the IIS itself that is causing this slowness, so this review would be interesting. I hope this helps.

Cheers,

LJ.

Yes, that is the documentation that i explicitely followed in order to get isapi redirection working for confluence. I have reviewed that documentation many times over to try to see if there were any differences or any reasons why the performance would be noticably different. However, i have no idea why the performance is different.

Let me know if i need to provide any more information to help diagnose this issue. Thanks.

Hey Adam,

Giving you another insight, it might be that you have already solved this, but in case you are still wondering, it could be Proxy or Firewall.

There are 2 pages where state the same behavior:

I understand that due some restrictions in your Company you might need to use IIS, but Apache could be a little faster then it. Might be worth it.

And watch about the Heck's!

Sincerely,

Guilherme Heck

p.s. Just kidding about the heck stuff :)

We explicitly turn off the windows firewall on our servers, and install a customized version of Symantec so that it does not monitor network traffic. The ISAPI redirection via IIS works, it is just extremely noticably slow. The reason we are needing to do this at all is because we have confluence and Fisheye on the same machine, and users of both systems want to access each via port 80. They also want an easily typed URL such as http://confluence or http://fisheye. Therefore, i would need to usehost headers in IIS to bind the separate sites to those names.

Even our own Engineers here don't know why this is slower, since they do the same process on our own software, and performance is as fast.

Any help would be appreciated. Thanks.

Suggest an answer

Log in or Sign up to answer
Atlassian Community Anniversary

Happy Anniversary, Atlassian Community!

This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.

Read more
Community showcase
Kesha Thillainayagam
Posted Apr 13, 2018 in Confluence

We want to hear how your non-technical teams are using Confluence!

Hi Community! Kesha (kay-sha) from the Confluence marketing team here! Can you share stories with us on how your non-technical (think Marketing, Sales, HR, legal, etc.) teams are using Confluen...

2,916 views 27 12
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you