Route website through 80/443

daryl patino May 9, 2013

Hello,

I need my confluence website to go through ports 80 and 443. I am using Ubuntu 12.04 as the server and read that only privileged users are able to use ports below 1024. I am not going to give the confluence user root privileges and I found several people saying that you can use an apache mod_proxy to accomplish this. None of the instructions I found are very descriptive and I could use some assistance.

5 answers

1 vote
CelsoA
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 9, 2013

Hi Daryl,

In this case you will need a webserver as a proxy.

To use this with apache for example, you just need to set a virtual host with mod_proxy enabled like this:

<VirtualHost *:443>
    # Creating virtual host
    ServerAdmin admin@domain.com
    ServerName confluence.example.com
    ServerAlias confluence.example.com

    # Enabling SSL (if you have a certificate)
    SSLEngine On
    SSLCertificateFile /path/to/file.crt
    SSLCertificateKeyFile /path/to/file.key

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://your_confluence_original_url:8085/
    ProxyPassReverse / http://your_confluence_original_url:8085/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog /path/to/example.com-error.log
    LogLevel debug
    CustomLog /path/to/example.com-access.log combined
</VirtualHost>

Regards.

daryl patino May 9, 2013

I think I set this up correctly, but the URL displayed ends up showing http:\\website:8080, which will not work due to our restrictive firewall settings. Is there a way to have all external traffic go through 80?

0 votes
C_ Faysal
Rising Star
May 9, 2013

Let's continue here....too much scrolling. What's in your vhost conf now? Apache says SSLCertificateFile is none

daryl patino May 9, 2013

This is a self signed cert I made using some instructions I found

<VirtualHost *:443>
    # Creating virtual host
    ServerAdmin admin@domain.com
    ServerName wiki.sylint.com
    ServerAlias wiki.sylint.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog /logs/error.log
    LogLevel debug
    CustomLog /logs/access.log combined
</VirtualHost>

C_ Faysal
May 9, 2013

Please google this error. There are several hints available on this which i really don't wanna post here to avoid blowing up this thread

daryl patino May 14, 2013

It looks like I got this working. Thanks for your help.

0 votes
daryl patino May 9, 2013

I don't think I'm doing this right at all. My knowledge of linux is fairly amateur. Do I leave the 000-default virtual host file alone? Or do I add all this to that file?

0 votes
C_ Faysal
May 9, 2013

hi daryl.

did you add a vhost like the example Celso posted?

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPass / http://your_confluence_original_url:8085/
ProxyPassReverse / http://your_confluence_original_url:8085/

this is the important part that will make it happen.

if you've configured it correctly your confluence will not respond if you enter "http://Your_website:8080" in your browser..if it still does something in your set up must be incorrect.

this is how it could look like (this works 100%)

please note i used ajp connector to separate things here better

<VirtualHost YOUR_URL_HERE:443>

    ErrorLog /var/log/httpd/YOU_NAME_IT/error_log
    TransferLog /var/log/httpd/YOU_NAME_IT/access_log

    # SSL Section
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /path/to/some/CRT
    SSLCertificateKeyFile /path/to/some/KEY
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/YOU_NAME_IT/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # /SSL Section

    ServerAdmin admin@somewhere
    ServerName YOUR_SERVER
    ServerAlias YOUR_SERVER

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLProxyEngine On
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass           /       ajp://localhost:${confluence_PORT}/
    ProxyPassReverse    /       ajp://localhost:${confluence_PORT}/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

</VirtualHost>

daryl patino May 9, 2013

When I try this, apache doesn't even start. The error logs don't log anything either.

The original answer is working, just not the way I'd like. Using port 80, it redirects to 8080, which then redirects to 8443, but the URL changes to https://website:8443, which I can't use externally.

C_ Faysal
May 9, 2013

what does apache log show?

there must be a reason it is not starting...

ErrorLog /var/log/httpd/YOU_NAME_IT/error_log
TransferLog /var/log/httpd/YOU_NAME_IT/access_log

it could be that the path does not exist...

try commenting out all log locations:

#ErrorLog /var/log/httpd/YOU_NAME_IT/error_log
#TransferLog /var/log/httpd/YOU_NAME_IT/access_log
#CustomLog /var/log/httpd/YOU_NAME_IT/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

if you didn't set up the connector in server.xml to use ajp just replace it in this example:

ProxyPass           /       http://localhost:${confluence_PORT}/
ProxyPassReverse    /       http://localhost:${confluence_PORT}/

let me know how it goes

C_ Faysal
May 9, 2013

hmm i got no idea what's in this file...for your confluence vhost i'd suggest creating a new conf file in the same folder where your 000-default is located.

but as you say celso's posting works for you but redirects to 8443...the setting must be somewhere else...

did you change anything in

<CONFLUENCE_INSTALLATION>/confluence/WEB-INF/web.xml ?

you can see here

https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS#RunningConfluenceOverSSLorHTTPS-Step5.AddaSecurityConstrainttoCauseRedirectofAllURLstoHTTPS

that is what comes in my mind right now.

if you would like to we can go through it step by step..

daryl patino May 9, 2013

This is the /etc/apache2/sites-enable/000-default

<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Alias /doc/ "/usr/share/doc/"
	<Directory "/usr/share/doc/">
		Options Indexes MultiViews FollowSymLinks
		AllowOverride None
		Order deny,allow
		Deny from all
		Allow from 127.0.0.0/255.0.0.0 ::1/128
	</Directory>
</VirtualHost>

The only thing changed in <CONFLUENCE_INSTALLATION>/confluence/WEB-INF/web.xml is

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted URLs</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

C_ Faysal
May 9, 2013

you also may want to update your server.xml to comment out unused connectors ?

can you take a look at "YOUR_CONFLUENCE_INSTALL/confluence/conf/server.xml"

this is how mine looks like:

<Server port="8088" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">

        <Engine name="Standalone" defaultHost="localhost" debug="0">

            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">

                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <Manager pathname="" />
                </Context>
            </Host>

        </Engine>

        <Connector port="8010" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8" address="localhost" />
    </Service>
</Server>

you see i only use one connector that binds confluence to "ajp://localhost:8010" (last line)

if you want to use my server.xml just change the vhost config file.

replace:

with:

ProxyPass / ajp://localhost:8010/
ProxyPassReverse / ajp://localhost:8010/

don't forget to reload apache after every change to the vhost file. also restart confluence after making any change to its configuration files.

this should be it then. let me know how it goes
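
Added example, not part of the thread and not the posters' or Atlassian's code: a Python check over a Tomcat server.xml like the one quoted above. It flags connectors that are not bound to loopback (so the backend port can be reached without going through Apache) and HTTP connectors that lack the proxyName, proxyPort and scheme attributes describing the public endpoint. The sample XML, the function name audit_connectors and the public endpoint https/443 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: a plain HTTP connector with no proxy attributes,
# plus the AJP connector quoted in the thread.
SAMPLE_SERVER_XML = """
<Server port="8088" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8010" redirectPort="8443" enableLookups="false"
               protocol="AJP/1.3" URIEncoding="UTF-8" address="localhost" />
  </Service>
</Server>
"""


def audit_connectors(server_xml, public_scheme="https", public_port="443"):
    """Return (port, finding) pairs for connectors that undermine the proxy."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        is_ajp = conn.get("protocol", "HTTP/1.1").upper().startswith("AJP")
        # Without a loopback bind address the backend port can be reached
        # directly, bypassing Apache and its TLS, unless a firewall blocks it.
        if conn.get("address") not in LOOPBACK:
            findings.append((port, "not bound to loopback"))
        if is_ajp:
            continue  # AJP forwards the original host, port and scheme itself
        # An HTTP connector has to be told the public endpoint, otherwise
        # redirects and generated links can carry the backend port.
        if conn.get("proxyPort") != public_port:
            findings.append((port, "proxyPort is not " + public_port))
        if not conn.get("proxyName"):
            findings.append((port, "proxyName missing"))
        if conn.get("scheme", "http") != public_scheme:
            findings.append((port, "scheme is not " + public_scheme))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("connector %s: %s" % (port, finding))
```
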

C_ Faysal
May 9, 2013

that's what i've expected...

revert the changes you made in <CONFLUENCE_INSTALLATION>/confluence/WEB-INF/web.xml

this will stop redirecting to 8443.

do you only want to run confluence on that server?

then we can turn off the 000-default file (mv 000-default 000-default.OFF) after we created a new configuration for the confluence vhost that could look like the one from celso :

<VirtualHost *:80>
    # Creating virtual host
    ServerAdmin admin@domain.com

    # (put your hostname here)
    ServerName confluence.example.com
    # (put your hostname here)
    ServerAlias confluence.example.com

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

daryl patino May 9, 2013

So I did that, but it is still loading the default apache website in /var/www

C_ Faysal
May 9, 2013

then /etc/apache2/sites-enable/000-default is still active.

did you rename it to /etc/apache2/sites-enable/000-default.OFF ?

use apache restart instead of reload and see if it works

daryl patino May 9, 2013

Not sure what happened, but I restarted the whole server and it works now. It goes to the 8080 page without changing the URL. Now I need to have it force SSL on 443 and proxy that to 8443.

C_ Faysal
May 9, 2013

no need to proxy to 8443

just change vhost config file:

<VirtualHost *:80>

must be:

<VirtualHost *:443>

then add this...and change the path to your cert and key files.

# Enabling SSL (if you have a certificate)
SSLEngine On
SSLCertificateFile /path/to/file.crt
SSLCertificateKeyFile /path/to/file.key

daryl patino May 9, 2013

When I do this, apache fails to start. I've tried this with both the certificate that I have, and a self signed certificate. Each time it gives me the following error

[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
