Hi!
We have recently upgraded our Confluence to run encrypted by means of a Let's Encrypt certificate, however there is a small issue that I would like to see resolved.
We have a few old links going to pages like confluence.ourwebsite.com:8090/specific_page, however the browser will then give me the following error: SSL_ERROR_RX_RECORD_TOO_LONG. The page can be manually accessed by changing 8090 to 8443, but I would like it to reroute to 8443 automatically.
According to step 5 of this guide, I need to add some constraints to my web.xml file, which I have done, but it does not seem to work.
According to other sources on the web, I should add SSLEnabled="true" to the 8090 port, however this is counterintuitive in my opinion because the guide states that it will route all non-SSL links to 8443. If I enable SSL for the 8090, it wouldn't route to 8443, right?
Any suggestions?
My server.xml file is as follows:
<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname="" />
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
      </Host>
    </Engine>
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
               URIEncoding="UTF-8" keystoreFile="..."
               keystorePass="..."/>
  </Service>
</Server>
You can handle all the old ports too.
In apache, you'd listen and set up virtualhosts and redirects for each of your old ports. Confluence would need to listen on an off port, let's say 8092 for Confluence and leave Synchrony on 8091.
Apache httpd.conf:
# Listen 80, Listen 8090 and Listen 8443 directives must also be present for these VirtualHosts to receive traffic.
<VirtualHost *:80>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://confluence.yourcompany.com%{REQUEST_URI} [NE]
</VirtualHost>
<VirtualHost *:8443>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://confluence.yourcompany.com%{REQUEST_URI} [NE]
</VirtualHost>
<VirtualHost *:8090>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://confluence.yourcompany.com%{REQUEST_URI} [NE]
</VirtualHost>
SSL.conf:
<VirtualHost *:443>
  ServerName confluence.yourcompany.com
  ProxyRequests Off
  <Proxy *>
    Require all granted
  </Proxy>
  ProxyPass / http://localhost:8092/
  ProxyPassReverse / http://localhost:8092/
  SSLEngine On
  SSLCertificateFile /path/to/your/cert.pem
  SSLCertificateKeyFile /path/to/your/privkey.pem
  SSLCertificateChainFile /path/to/your/chain.pem
  <Location />
    Require all granted
  </Location>
  ProxyPass /synchrony http://localhost:8091/synchrony
  <Location /synchrony>
    Require all granted
    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://localhost:8091%{REQUEST_URI} [P]
  </Location>
</VirtualHost>
Server.xml (connector only):
<Connector port="8092" connectionTimeout="20000" redirectPort="8443"
           maxThreads="48" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           proxyName="confluence.yourcompany.com" proxyPort="443" scheme="https" />
Thank you for your detailed reply! We do not use Apache right now and it looks fairly complicated for what I want to solve right now. However, I did find UrlRewriteFilter for Tomcat, Apache's mod_rewrite. Looks like it could work, what do you think?
You could rewrite and redirect using Tomcat. Those changes would have to be re-applied every time you upgrade, so consider using nginx instead.
My recommendation is to use apache or nginx for the purpose, but why expose port numbers to your users at all?!
You should configure a simple URL like https://confluence.yourcompany.com or https://wiki.yourcompany.com
-Lars
We redirect https://confluence.yourcompany.com to https://confluence.yourcompany.com:8443 right now with nginx and that works fine. However like I said, we have old links running directly to https://confluence.yourcompany.com:8090/specific_page and I do not quite get how to redirect those to 8443. Are you suggesting nginx for this purpose as well?
Make nginx listen on 8090 (and remove 8090 from Tomcat), then redirect users to where you want them with nginx.
Why redirect users to https://confluence.yourcompany.com:8443? A "clean" URL without port numbers is much better in my mind.
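A concrete nginx configuration for what Lars describes, added here as an example and not taken from anyone in the thread; the hostname, certificate paths and the internal Tomcat ports 8092/8091 (reused from Josh's answer) are placeholders to adapt. The point worth making explicit: the stale links are https://confluence.yourcompany.com:8090/..., so the browser opens a TLS handshake to port 8090. Tomcat's plaintext connector answers that handshake with an HTTP response, which is exactly what Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG, and no web.xml security constraint can fire because the request never parses. Whatever listens on 8090 therefore has to terminate TLS itself before it can redirect. With the 8090 connector removed from server.xml, nginx can own the port:

```nginx
# Added example (not from the thread): nginx takes over port 8090 from Tomcat
# and sends every stale https://...:8090/<path> link to the clean HTTPS URL.
# Hostname, certificate paths and backend ports are placeholders.

# Plain HTTP on 80: permanent redirect, nothing is ever served in clear.
server {
    listen 80;
    server_name confluence.yourcompany.com;
    return 301 https://confluence.yourcompany.com$request_uri;
}

# Old HTTPS-on-8090 links: the browser starts a TLS handshake here, so this
# listener must terminate TLS with the same certificate; a plain listener
# would reproduce the record-too-long error the Tomcat connector caused.
server {
    listen 8090 ssl;
    server_name confluence.yourcompany.com;
    ssl_certificate     /etc/letsencrypt/live/confluence.yourcompany.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/confluence.yourcompany.com/privkey.pem;
    # $request_uri keeps path and query string, so one rule covers every old link.
    return 301 https://confluence.yourcompany.com$request_uri;
}

# Clean URL on 443, proxied to Tomcat on an internal-only port.
server {
    listen 443 ssl;
    server_name confluence.yourcompany.com;
    ssl_certificate     /etc/letsencrypt/live/confluence.yourcompany.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/confluence.yourcompany.com/privkey.pem;

    location / {
        proxy_pass         http://127.0.0.1:8092;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    # Synchrony (collaborative editing) needs the WebSocket upgrade forwarded.
    location /synchrony {
        proxy_pass         http://127.0.0.1:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "Upgrade";
    }
}
```

Because $request_uri carries the original path and query, the same 301 rule handles 50 old links or 5000 without listing any of them. The Tomcat connector behind 127.0.0.1:8092 should carry proxyName="confluence.yourcompany.com" proxyPort="443" scheme="https" as in Josh's connector, so the links Confluence generates (and Confluence's own base URL setting) point at the clean name rather than the internal port. To confirm the cut-over, a request such as curl -I https://confluence.yourcompany.com:8090/specific_page should now return 301 with a Location header on the clean host, and the 8443 connector can be removed from server.xml once nothing references it.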
Thanks for your help Lars, however it's a little more complicated than I may have described. The problem is that there is more than one link with this problem, let's say 50. That's not possible with nginx as far as I know?
As for the link, I agree with you. Is there a guide that you can recommend? I don't want to use port 80 for this, but it's probably possible to hide the port number, right?
Look at Josh's answer. :)