jwilder NGINX proxy issue with Confluence

Installed Confluence in a Dockerised environment.

  • Using jwilder nginx proxy

  • Let's Encrypt
  • Postgres 6.9 Docker
  • Confluence in Docker






HTTPS redirection is working fine with a secure connection when the base URL is http://confluence.domain.com


The problem is that when I set the base URL to https://confluence.domain.com, Confluence displays the following message to administrators:

Can't check your base URL
There may be a problem with your proxy configuration.

If set to http://confluence.domain.com there is no warning message and it works fine.
Everything is working fine, excepting some things which I have found till now:

  • Plugins are not able to install
  • Not able to set the base URL to https; it only works fine when set to http



Warning logs
WARN [http-nio-8090-exec-58] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: http://confluence.domain.com/rest/analytics/1.0/publish/bulk , origin: https://confluence.domain.com , referrer: https://confluence.domain.com/ , credentials in request: true , allowed via CORS: false

Proxy Setting in Confluence

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
    maxThreads="48" minSpareThreads="10"
    enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    proxyName="confluence.domain.com" proxyPort="443" scheme="https"/>

jwilder-nginx proxy setting

# confluence.domain.com
upstream confluence.domain.com {
    ## Can be connect with "docker_intranet" network
    # confluence
    server 172.19.0.6:8090;
}
server {
    server_name confluence.domain.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name confluence.domain.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-R$
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/confluence.domain.com.crt;
    ssl_certificate_key /etc/nginx/certs/confluence.domain.com.key;
    ssl_dhparam /etc/nginx/certs/confluence.domain.com.dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000";
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://confluence.domain.com;
    }
}

 

1 answer

0 vote
Ann Worley Atlassian Team Sep 11, 2017

Hi Gaurav,

I understand you are getting XSRF errors when you access Confluence over https through your NGINX proxy. Please see this article for conditions that cause XSRF errors: Cross Site Request Forgery (CSRF) protection changes in Atlassian REST

For an example of how to set up the NGINX proxy to work with Confluence, please refer to Running Confluence behind NGINX with SSL.

I look forward to hearing how it goes.

Thanks,

Ann

PS - I think there is a typo on your PostgreSQL version, as 9.6 is commonly used and 6.9 is quite old.

Thanks, @[deleted]
I did a fresh install with all recommendations.

Installed Confluence in production with Docker; everything was working fine.

First thing I did was change the proxy in server.xml.
Updated the base URL in Confluence to https://confluence.domain.com/
The problem which I troubleshoot is from the NGINX configuration.


Postgres 9.6 is on different docker.
Confluence is on different docker.

But both are on the same server, so I used a network so that they can talk. But the problem is that when updating Nginx with the suggested configuration it is not working. The problem is:
nginx: [emerg] upstream "confluence.domain.com" may not have port 8091 in /etc/nginx/conf.d/default.conf:123

Updated Nginx configuration

# confluence.domain.com 8091
upstream confluence.domain.com {
    ## Can be connect with "docker_intranet" network
    # confluence
    server 172.19.0.8:8090;
}
server {
    server_name confluence.domain.com;
    listen confluence.domain.com:80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name confluence.domain.com;
    listen 443 default ssl;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/confluence.domain.com.crt;
    ssl_certificate_key /etc/nginx/certs/confluence.domain.com.key;
    ssl_dhparam /etc/nginx/certs/confluence.domain.com.dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://confluence.domain.com;
    }
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://confluence.domain.com:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
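An added example, not part of the thread: a pre-deployment lint for two things visible in the configuration above, a `proxy_pass` that appends a port to a name already declared as an `upstream` (the source of the `[emerg]` message quoted in the post) and an `ssl_protocols` line that enables protocol versions deprecated by RFC 6176, RFC 7568 and RFC 8996. The function name `lint` and the trimmed sample are constructed for this sketch.

```python
import re

# Constructed sample: only the directives from the configuration above that matter here.
SAMPLE = """
upstream confluence.domain.com {
    server 172.19.0.8:8090;
}
server {
    listen 443 default ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    location / {
        proxy_pass http://confluence.domain.com;
    }
    location /synchrony {
        proxy_pass http://confluence.domain.com:8091/synchrony;
    }
}
"""

# SSL 2.0 (RFC 6176), SSL 3.0 (RFC 7568), TLS 1.0 and 1.1 (RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def lint(conf):
    """Return (line_number, message) findings for a block of nginx configuration."""
    upstreams = set(re.findall(r"^\s*upstream\s+(\S+)\s*\{", conf, re.M))
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"proxy_pass\s+https?://([^/:;\s]+):(\d+)", line)
        if m and m.group(1) in upstreams:
            findings.append((no, f"proxy_pass names upstream {m.group(1)} with port "
                                 f"{m.group(2)}; nginx rejects this at load time"))
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if m:
            weak = sorted(DEPRECATED & set(m.group(1).split()))
            if weak:
                findings.append((no, "deprecated ssl_protocols: " + " ".join(weak)))
    return findings


if __name__ == "__main__":
    for no, message in lint(SAMPLE):
        print(f"line {no}: {message}")
```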
