Hi Marcel,
best practice is to install an Apache HTTPD server as a proxy for Confluence. This gives you several advantages:
* Easy SSL termination (even with wildcard certificates). We're using them, too & it works.
* Provide a single URL for all your (Atlassian-) web tools (Confluence, Jira, Bitbucket,...)
* Failover page, if Confluence is in maintenance or down
* Set up a second fail-over Confluence server for switch-over
* Possible caching modules on the Apache side for faster performance
* Use http/2 for faster connections
You can setup the Apache on the same server with packages from:
https://www.apachelounge.com/download/
or
https://www.apachehaus.com/cgi-bin/download.plx
Alexis already posted the documentation for the setup.
I post a configuration we use for ssl connections:
<VirtualHost YOUR-IP:443>
Protocols h2 http/1.1
DocumentRoot "C:/Apache/htdocs"
ServerName your.confluenceserver.url
ServerAdmin admin@yourdomain.com
ErrorLog C:/Apache/Apache24/logs/ssl_error.log
TransferLog C:/Apache/Apache24/logs/ssl_access.log
LogLevel warn
SSLEngine On
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLCertificateFile C:/Apache/Apache24/conf/ssl/wildcard.yourpubliccert.crt
SSLCertificateKeyFile C:/Apache/Apache24/conf/ssl/wildcard.yourprivatecert.key
SSLCACertificateFile C:/Apache/Apache24/conf/ssl/wildcard.intermediate.crt
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
RewriteEngine On
#LogLevel notice rewrite:trace8
RewriteCond %{REQUEST_URI} !^/confluence [NC]
RewriteCond %{REQUEST_URI} !^/confluence/.* [NC]
RewriteCond %{REQUEST_URI} !^/synchrony [NC]
RewriteCond %{REQUEST_URI} !^/synchrony/.* [NC]
RewriteCond %{REQUEST_URI} !^/jira [NC]
RewriteCond %{REQUEST_URI} !^/jira/.* [NC]
RewriteCond %{REQUEST_URI} !^/bitbucket [NC]
RewriteCond %{REQUEST_URI} !^/bitbucket/.* [NC]
RewriteRule ^(.*)$ https://your.server.url/confluence [R=301,L]
# Atlassian Proxy Configuration:
ProxyRequests Off
ProxyPreserveHost On
#SSLProxyEngine Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass /synchrony http://your.confluenceserver.url:8091/synchrony
<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://your.confluenceserver.url:8091%{REQUEST_URI} [P]
</Location>
RemoteIPHeader X-Forwarded-For
# Jira over http
ProxyPass "/jira" "http://your.jiraserver.url:8090/jira"
ProxyPassReverse "/jira" "http://your.jiraserver.url:8090/jira"
# Confluence over http
ProxyPass "/confluence" "http://your.confluenceserver.url:8080/confluence"
ProxyPassReverse "/confluence" "http://your.confluenceserver.url:8080/confluence"
# Bitbucket over http
ProxyPass "/bitbucket" "http://your.bitbucketserver.url:7990/bitbucket"
ProxyPassReverse "/bitbucket" "http://your.bitbucketserver.url:7990/bitbucket"
</VirtualHost>
This gives you an idea, how to configure a wildcard intermediate certificate with Apache. We actually prefer running Jira & Conflunce with an AJP Tomcat connector, but this is another subject.
Best
JP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.