Route website through 80/443

Hello,

I need my confluence website to go through ports 80 and 443. I am using Ubuntu 12.04 as the server and read that only privileged users are able to use ports below 1024. I am not going to give the confluence user root privileges and I found several people saying that you can use an apache mod_proxy to accomplish this. None of the instructions I found are very descriptive and I could use some assistance.

5 answers

Hi Daryl,

In this case you will need a webserver as a proxy.

To use this with apache for example, you just need to set a virtual host with mod_proxy enabled like this:

<VirtualHost *:443>
    #Creating virtual host
    ServerAdmin admin@domain.com
    ServerName confluence.example.com
    ServerAlias confluence.example.com

    #enabling SSL (If you have a certificate)
    SSLEngine On
    SSLCertificateFile /path/to/file.crt
    SSLCertificateKeyFile /path/to/file.key

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://your_confluence_original_url:8085/
    ProxyPassReverse / http://your_confluence_original_url:8085/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog /path/to/example.com-error.log
    LogLevel debug
    CustomLog /path/to/example.com-access.log combined
</VirtualHost>

Regards.

I think I set this up correctly, but the URL displayed ends up showing http:\\website:8080, which will not work due to our restrictive firewall settings. Is there a way to have all external traffic go through 80?

hi daryl.

did you add a vhost like the example Celso posted?

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass / http://your_confluence_original_url:8085/
ProxyPassReverse / http://your_confluence_original_url:8085/

this is the important part that will make it happen.

if you've configured it correctly your confluence will not respond if you enter "http://Your_website:8080" in your browser. if it still does, something in your setup must be incorrect.

this is how it could look (this works 100%)

please note i used ajp connector to separate things here better

<VirtualHost YOUR_URL_HERE:443>

    ErrorLog /var/log/httpd/YOU_NAME_IT/error_log
    TransferLog /var/log/httpd/YOU_NAME_IT/access_log

    #SSL Section
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /path/to/some/CRT
    SSLCertificateKeyFile /path/to/some/KEY
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/YOU_NAME_IT/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # /SSL Section

    ServerAdmin admin@somewhere
    ServerName YOUR_SERVER
    ServerAlias YOUR_SERVER

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLProxyEngine On
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass           /       ajp://localhost:${confluence_PORT}/
    ProxyPassReverse    /       ajp://localhost:${confluence_PORT}/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

</VirtualHost>

When I try this, apache doesn't even start. The error logs don't log anything either.

The original answer is working, just not the way I'd like. Using port 80, it redirects to 8080, which then redirects to 8443, but the URL changes to https://website:8443, which I can't use externally.

what does apache log show?

there must be a reason it is not starting...

ErrorLog /var/log/httpd/YOU_NAME_IT/error_log
TransferLog /var/log/httpd/YOU_NAME_IT/access_log
it could be that the path does not exist...
try commenting out all log locations:
#ErrorLog /var/log/httpd/YOU_NAME_IT/error_log
#TransferLog /var/log/httpd/YOU_NAME_IT/access_log
#CustomLog /var/log/httpd/YOU_NAME_IT/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


if you didn't set up the connector in server.xml to use ajp just replace it in this example:
ProxyPass           /       http://localhost:${confluence_PORT}/
ProxyPassReverse    /       http://localhost:${confluence_PORT}/
let me know how it goes

hmm i got no idea what's in this file...for your confluence vhost i'd suggest creating a new conf file in the same folder where your 000-default is located.

but as you say celso's posting works for you but redirects to 8443...the setting must be somewhere else...

did you change anything in

<CONFLUENCE_INSTALLATION>/confluence/WEB-INF/web.xml ?

you can see here

https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS#RunningConfluenceOverSSLorHTTPS-Step5.AddaSecurityConstrainttoCauseRedirectofAllURLstoHTTPS

that is what comes in my mind right now.

if you would like to we can go through it step by step..

I don't think I'm doing this right at all. My knowledge of linux is fairly amateur. Do I leave the 000-default virtual host file alone? Or do I add all this to that file?

This is the /etc/apache2/sites-enable/000-default

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

The only thing changed in <CONFLUENCE_INSTALLATION>/confluence/WEB-INF/web.xml is

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted URLs</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

you also may want to update your server.xml to comment out unused connectors ?

can you take a look at "YOUR_CONFLUENCE_INSTALL/confluence/conf/server.xml"

this is how mine looks:

<Server port="8088" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">

        <Engine name="Standalone" defaultHost="localhost" debug="0">

            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">

                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <Manager pathname="" />
                </Context>
            </Host>

        </Engine>

        <Connector port="8010" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8" address="localhost" />
    </Service>
</Server>

you see i only use one connector that binds confluence to "ajp://localhost:8010" (last line)

if you want to use my server.xml just change the vhost config file.

replace:

with:

ProxyPass / ajp://localhost:8010/
ProxyPassReverse / ajp://localhost:8010/

don't forget to reload apache after every change to the vhost file. also restart confluence after making any change to its configuration files.

this should be it then. let me know how it goes

that's what i've expected...

revert the changes you made in <CONFLUENCE_INSTALLATION>/confluence/WEB-INF/web.xml

this will stop redirecting to 8443.

do you only want to run confluence on that server?

then we can turn off the 000-default file (mv 000-default 000-default.OFF) after we created a new configuration for the confluence vhost that could look like the one from celso :

<VirtualHost *:80>
    #Creating virtual host
    ServerAdmin admin@domain.com

    #(put your hostname here)
    ServerName confluence.example.com
    #(put your hostname here)
    ServerAlias confluence.example.com

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

So I did that, but it is still loading the default apache website in /var/www

then /etc/apache2/sites-enable/000-default is still active.

did you rename it to /etc/apache2/sites-enable/000-default.OFF ?

use apache restart instead of reload and see if it works

Not sure what happened, but I restarted the whole server and it works now. It goes to the 8080 page without changing the URL. Now I need to have it force SSL on 443 and proxy that to 8443.

no need to proxy to 8443

just change vhost config file:

<VirtualHost *:80>

must be:

<VirtualHost *:443>

then add this...and change the path to your cert and key files.

#enabling SSL (If you have a certificate)

SSLEngine On

SSLCertificateFile /path/to/file.crt

SSLCertificateKeyFile /path/to/file.key

When I do this, apache fails to start. I've tried this with both the certificate that I have, and a self signed certificate. Each time it gives me the following error

[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

Let's continue here....too much scrolling. What's in your vhost conf now? Apache says SSLCertificateFile is none

This is a self signed cert I made using some instructions I found

<VirtualHost *:443>
    #Creating virtual host
    ServerAdmin admin@domain.com
    ServerName wiki.sylint.com
    ServerAlias wiki.sylint.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog /logs/error.log
    LogLevel debug
    CustomLog /logs/access.log combined
</VirtualHost>

Please google this error. There are several hints available on this which i really don't wanna post here to avoid blowing up this thread

It looks like I got this working. Thanks for your help.
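The pieces this thread arrives at, consolidated into one Apache 2.2 configuration with the weaker TLS settings posted above shown beside tightened ones. This is an added example, not a configuration from any poster or from Atlassian; the hostname, certificate paths, log file names and the Tomcat connector attributes in the closing comment are assumptions to adapt.

```apache
# Constructed example for Apache 2.2 (Ubuntu 12.04). Placeholders throughout.
# Needs mod_ssl, mod_proxy and mod_proxy_http enabled (a2enmod ssl proxy proxy_http).
<VirtualHost *:80>
    ServerName confluence.example.com
    # Port 80 proxies nothing; every plain-HTTP request is sent to HTTPS.
    Redirect permanent / https://confluence.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName confluence.example.com

    SSLEngine On
    SSLCertificateFile    /path/to/file.crt
    SSLCertificateKeyFile /path/to/file.key
    # Thread version: SSLProtocol all -SSLv2   (still permits SSLv3)
    SSLProtocol all -SSLv2 -SSLv3
    # Thread version: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder On

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # TLS ends at Apache. The backend hop stays on loopback over plain HTTP,
    # so there is no need to proxy to 8443.
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # debug is for troubleshooting; warn keeps routine logs readable.
    LogLevel warn
    ErrorLog  ${APACHE_LOG_DIR}/confluence-error.log
    CustomLog ${APACHE_LOG_DIR}/confluence-access.log combined
</VirtualHost>

# Matching Tomcat connector in server.xml (XML, shown here as a comment):
#   <Connector port="8080" address="localhost" protocol="HTTP/1.1"
#              proxyName="confluence.example.com" proxyPort="443"
#              scheme="https" secure="true" />
# address="localhost" keeps :8080 unreachable from the network;
# proxyName/proxyPort/scheme make generated links and redirects use
# https://confluence.example.com/ instead of exposing :8080 or :8443.
```

Run `apache2ctl configtest` before restarting so a syntax or certificate-path error is reported on the console rather than as a failed start.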
