
SSL Confluence & letsencrypt

Kevin Decker February 2, 2018

Having some difficulties with getting SSL set up on our Windows instance of Confluence using Let's Encrypt. Has anyone run through this before using Let's Encrypt? Would appreciate any help or guidance!

1 answer

1 accepted

2 votes
Answer accepted
Davin Studer
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
February 2, 2018

Are you using IIS as a reverse proxy and doing the SSL termination at IIS or are you doing the SSL termination with Tomcat?

Kevin Decker February 2, 2018

We’re utilizing Tomcat, Davin.

Davin Studer
Rising Star
February 2, 2018

I think you are going to have the best success if you set it up to reverse proxy through IIS. We are on Windows in our organization as well and we saw about a 15%-20% performance boost when we switched where we terminate the SSL connection. I think IIS is just better about handling SSL than Tomcat is. Plus there is lots of information on how to set up Let's Encrypt with IIS. I don't really have any gems for you with regards to Tomcat, but maybe consider using IIS for that. It's actually pretty easy to set up and it took me less than an hour to do.

Kevin Decker February 2, 2018

That’s interesting, I think I’m going to look at going that route, didn’t even think about doing it that way. You didn’t happen to follow https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html did you? 

Davin Studer
Rising Star
February 2, 2018

Sure did. Honestly, I think it makes doing SSL with Confluence a bit easier anyway. I'm not fond of having to go to the command line to create Java keystores and generate CSRs. If you are on Confluence 6.5 or above this web.config works. If you are below 6.5 there are some changes that need to be made due to a bug that causes Synchrony to stop working when large amounts of text are pasted into the editor window.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
  <rewrite>
   <rules>
    <clear />
    <rule name="Force HTTPS" enabled="true" stopProcessing="true">
     <match url="(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
      <add input="{HTTPS}" pattern="off" />
     </conditions>
     <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
    </rule>
    <rule name="Synchrony HTTP" stopProcessing="true">
     <match url="synchrony/(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
     <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" />
    </rule>
    <rule name="Synchrony Web Sockets Reverse Proxy" stopProcessing="true">
     <match url="ws://(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
     <action type="Rewrite" url="ws://localhost:8091/{R:1}" />
    </rule>
    <rule name="Confluence Reverse Proxy" stopProcessing="true">
     <match url="(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
     <action type="Rewrite" url="http://localhost:8090/{R:1}" />
    </rule>
   </rules>
  </rewrite>
  <security>
   <requestFiltering allowDoubleEscaping="true">
    <!-- This value must be in bytes. Set it a little higher than what Confluence's max upload size is. -->
    <requestLimits maxAllowedContentLength="62914560" />
   </requestFiltering>
  </security>
 </system.webServer>
 <system.web>
  <!-- The attribute "requestPathInvalidCharacters" keeps IIS from complaining about special characters in the url. The attribute "maxRequestLength" controls the max upload size. Set to the equivalent of the above, but in kilobytes instead of bytes. -->
  <httpRuntime executionTimeout="20" maxRequestLength="61440" requestPathInvalidCharacters="" requestValidationMode="2.0" />
  <pages validateRequest="false" />
 </system.web>
</configuration>
Like patrickcage likes this
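
An added example, not part of Davin's post or of Atlassian's documentation: a Python check of the properties this web.config relies on (HTTP redirected first, no catch-all rule hiding the Synchrony rule, backends on loopback only, both upload limits equal). `SAMPLE` is a constructed, trimmed copy of the config above; `audit` and `LOOPBACK` are names assumed for this sketch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the thread's web.config cut down to what the checks read.
SAMPLE = """<configuration><system.webServer><rewrite><rules>
 <rule name="Force HTTPS" stopProcessing="true"><match url="(.*)" />
  <conditions><add input="{HTTPS}" pattern="off" /></conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" /></rule>
 <rule name="Synchrony HTTP" stopProcessing="true"><match url="synchrony/(.*)" />
  <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" /></rule>
 <rule name="Confluence Reverse Proxy" stopProcessing="true"><match url="(.*)" />
  <action type="Rewrite" url="http://localhost:8090/{R:1}" /></rule>
</rules></rewrite>
<security><requestFiltering><requestLimits maxAllowedContentLength="62914560" />
</requestFiltering></security></system.webServer>
<system.web><httpRuntime maxRequestLength="61440" /></system.web></configuration>"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumed set of acceptable backends

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root, findings, shadow = ET.fromstring(xml_text), [], None
    rules = list(root.iter("rule"))  # document order is evaluation order
    first = rules[0] if rules else None
    # 1. Plain HTTP must be redirected before any rule can proxy it to Tomcat.
    if first is None or first.find("action").get("type") != "Redirect" or not any(
            c.get("input") == "{HTTPS}" and c.get("pattern") == "off"
            for c in first.iter("add")):
        findings.append("first rule does not redirect plain HTTP to HTTPS")
    for rule in rules:
        name, action = rule.get("name"), rule.find("action")
        if action.get("type") != "Rewrite":
            continue
        # 2. An unconditional (.*) rule with stopProcessing hides every later rule.
        if shadow:
            findings.append(f"'{name}' is unreachable behind catch-all '{shadow}'")
        # 3. The proxy should only forward to the local Tomcat/Synchrony ports.
        if urlsplit(action.get("url", "")).hostname not in LOOPBACK:
            findings.append(f"'{name}' forwards to a non-loopback host")
        if (rule.find("match").get("url") == "(.*)" and rule.find(".//add") is None
                and rule.get("stopProcessing") == "true"):
            shadow = shadow or name
    # 4. The IIS limit is in bytes, the ASP.NET limit in kilobytes; they should agree.
    iis, net = root.find(".//requestLimits"), root.find(".//httpRuntime")
    if iis is None or net is None:
        findings.append("an upload limit is missing")
    elif int(iis.get("maxAllowedContentLength", 0)) != int(net.get("maxRequestLength", 0)) * 1024:
        findings.append("upload limits differ between IIS and ASP.NET")
    return findings
```

Calling `audit(SAMPLE)` returns an empty list; passing the text of a real web.config from the site root runs the same four checks against it.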
Kevin Decker February 2, 2018

Thanks Davin, I'm going through that process now with adding the site into IIS. What would you enter into the Physical Path area? And I'm assuming with the SSL Certificate portion you would have to add the certificate in somewhere in order for it to show up. Also, I've been looking for the web.config but can't seem to locate it, unless you have to create it? Thanks for the help & guidance, I really appreciate it! [Screenshots: iis2.PNG, iis1.PNG]

Davin Studer
Rising Star
February 2, 2018

You will need to set up the Let's Encrypt stuff first to get the cert on your server and then you will be able to select it in the first screenshot. As for the second, that is the physical path of the website on the server that will respond to port 80 and 443 requests. By default there is already a site in IIS that is bound to 80 and 443 and its default directory is C:\inetpub\wwwroot. As for the web.config file, you will need to create it in the root of your IIS website.

Kevin Decker February 2, 2018

Just hung up here on the physical path portion - I'd have to create a folder/directory for the path? 

Davin Studer
Rising Star
February 2, 2018

If you have IIS on the system you should already have a default site set up in IIS and the path for that default site is C:\inetpub\wwwroot. That's the default. If that default site was removed, then you will need to create a new site and point it to a physical path that will be the site's root folder. That can be wherever you want it to be, but IIS will need the appropriate NTFS permissions to read the files in the folder and execute server-side code.

Is Confluence the only application running on this server?

Kevin Decker February 5, 2018

Hi Davin - yes this is the only application that would be running on the server, in looking at the documentation Atlassian is going through creating a new site instead of using the default. 

Davin Studer
Rising Star
February 5, 2018

Yeah, I think they are just covering the bases in case you are already running a site on the default site or you deleted the default site. If you have the default site and you are not using it there is no reason you can't use that site.

patrickcage February 22, 2020

Gents,

I have just managed to set up my Jira & Confluence instances with HTTPS using the details discussed here.

Many, many thanks to @Davin Studer for the invaluable help and to @Kevin Decker for treading the path before me and of course the link to the page on Proxying with IIS.

Couldn't have done it without you both, much appreciated.
