I followed the following doc: https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html?RunningConfluenceOverSSLorHTTPS-Step5.AddasecurityconstrainttoredirectallURLstoHTTPS
and Executed Step 5:
I added the following to my web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted URLs</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
However, when I hit http://confluence:80, it redirects to https://confluence:8443, instead of http://confluence:443 (this is my confluence base url).
I have the following port mappings:
host:80->confluence-container:8090
host:443->confluence-container:8443
When I hit https://confluence it correctly uses the host's port 443 and maps to the containers port 8443. However, when I use http://confluence, I believe it is going to the containers port 8090 and then redirecting to port 8443 in the browser. This causes a confluence issue with the base path being incorrect.
I am not sure if the solution provided for forcing HTTPS in confluence will work with Docker, but I wanted to post this here in case anyone has any advise or has already done this.
Preferably, I want to continue not using a proxy.
I had the same requirements and got exactly the same issue described above. Here is what I had done to overcome this:
1. Keep all the port mapping rules (80 to 8090, 443 to 8443) using iptables
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8090
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8090
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8443
2. Update server.xml in 2 places:
- Change Connector port 8090, redirectPort from 8443 to 443
<Connector port="8090" connectionTimeout="20000" redirectPort="443"
maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol" />
- Change Connector port 8443, to add proxyPort and proxyName, (change the "<...>" to match yours)
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="<path_to_confluence.jks>" keystorePass="<certificate_password>"
proxyPort="443" proxyName="<confluence.yourdomain.com>"
/>
3. Restart Confluence.
We should see all the URLs would not have any port specified, regardless whether we navigated from http or https.
Hope this helps
Hi Colin,
Indeed, the security constraint in web.xml will redirect to the port defined in the secure connector directive in server.xml.
The Confluence Base URL should not include a port number if it is on a default https or http port like 443 or 80.
To avoid issues with the base URL, please try redirecting port 80 to port 443 using the same mechanism you are using to map port 80 to port 8090 now.
Despite not using a proxy per se, if Tomcat is set up on a different port (8443) than the requests that are sent to it (port 443), we need to make sure and include the proxyPort, proxyName and scheme to the connector in server.xml, so it is something like:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" proxyPort="443" proxyName="domain.com" scheme="https"/>
This Tomcat doc explains the proxy support: Proxy Support
Thanks,
Ann
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for the response Ann.
My Confluence Base URL does not include a port number. It is just https://<confluence_domain>.com
I tried mapping port 80 straight to 8443 but confluence didn't like that. It made the browser attempt to download a stream file. When I mapped 80 to 443, confluence errors out.
I added the proxyPort and the proxyName but I'm still not 100% sure what it is doing. I'll read up on that, but I don't believe I need them since confluence is still running on 8443.
I thought confluence needed http:// (e.g. 8090) to run the synchrony application?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Colin,
Confluence doesn't need the http connector to run Synchrony. Please see Administering Collaborative Editing:
Synchrony runs on port 8091 by default, and an internal Synchrony proxy means that you shouldn't need to open this additional port.
The port for Tomcat proxy support is the one you use to access Confluence from the browser, so in your case, 443.
When you map port 80 to port 443, what is the error you see? You may need to enable the synchrony proxy for your setup. Please see the diagrams and instructions under Proxies for more details.
To tell Confluence that you want to use the internal proxy, set the synchrony.proxy.enabled system property to true. (This is optional, but will prevent Confluence from trying to reach Synchrony via /synchrony first, before retrying via the internal proxy).
Thanks,
Ann
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.