Good Day Atlassian Community,
We have a Wildcard SSL Cert that Certifies all of our sub-domains.
We have Confluence running on a Windows Server 2016 Instance using the supplied .exe to install Confluence.
I would like to use SSL on said Instance since we will be using Confluence in Production and therefore need to secure the site.
I have seen various guides, but none that apply to my instance (Windows OS, wildcard cert, Confluence).
I need advice on how to properly implement this.
I have:
private.key
private_key.pfx
certificate.cer
Please advise.
Kind Regards,
Hi Marcel,
Best practice is to install an Apache HTTPD server as a proxy for Confluence. This gives you several advantages:
* Easy SSL termination (even with wildcard certificates). We're using them too, and it works.
* Provide a single URL for all your (Atlassian-) web tools (Confluence, Jira, Bitbucket,...)
* Failover page, if Confluence is in maintenance or down
* Set up a second fail-over Confluence server for switch-over
* Possible caching modules on the Apache side for faster performance
* Use http/2 for faster connections
You can set up Apache on the same server with packages from:
https://www.apachelounge.com/download/
or
https://www.apachehaus.com/cgi-bin/download.plx
Alexis already posted the documentation for the setup.
Here is a configuration we use for SSL connections:
# Modules this vhost relies on (LoadModule lines in httpd.conf): ssl, headers,
# rewrite, proxy, proxy_http, proxy_wstunnel (for the Synchrony WebSocket),
# http2 and remoteip.
<VirtualHost YOUR-IP:443>
    Protocols h2 http/1.1
    DocumentRoot "C:/Apache/htdocs"
    ServerName your.confluenceserver.url
    ServerAdmin admin@yourdomain.com
    ErrorLog C:/Apache/Apache24/logs/ssl_error.log
    TransferLog C:/Apache/Apache24/logs/ssl_access.log
    LogLevel warn

    # TLS settings: SSLv2/SSLv3 are disabled and the server picks the cipher.
    # Consider adding "-TLSv1 -TLSv1.1" once all your clients speak TLS 1.2.
    SSLEngine On
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

    # Wildcard certificate and key in PEM format. The key file must be
    # unencrypted: the Apache service on Windows cannot prompt for a passphrase
    # at start-up, so protect the file with NTFS ACLs instead.
    SSLCertificateFile C:/Apache/Apache24/conf/ssl/wildcard.yourpubliccert.crt
    SSLCertificateKeyFile C:/Apache/Apache24/conf/ssl/wildcard.yourprivatecert.key
    # Note: mod_ssl documents SSLCACertificateFile as the CA list for client
    # certificate verification. The documented place for the server's own
    # intermediate is SSLCertificateChainFile (deprecated since 2.4.8) or
    # appended to the SSLCertificateFile. Verify what the server really sends
    # with: openssl s_client -connect your.confluenceserver.url:443 -showcerts
    SSLCACertificateFile C:/Apache/Apache24/conf/ssl/wildcard.intermediate.crt

    # HSTS for 186 days, covering all sub-domains (the wildcard covers them too)
    Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

    # Anything outside the application contexts is redirected to Confluence.
    RewriteEngine On
    #LogLevel notice rewrite:trace8
    RewriteCond %{REQUEST_URI} !^/confluence [NC]
    RewriteCond %{REQUEST_URI} !^/confluence/.* [NC]
    RewriteCond %{REQUEST_URI} !^/synchrony [NC]
    RewriteCond %{REQUEST_URI} !^/synchrony/.* [NC]
    RewriteCond %{REQUEST_URI} !^/jira [NC]
    RewriteCond %{REQUEST_URI} !^/jira/.* [NC]
    RewriteCond %{REQUEST_URI} !^/bitbucket [NC]
    RewriteCond %{REQUEST_URI} !^/bitbucket/.* [NC]
    RewriteRule ^(.*)$ https://your.server.url/confluence [R=301,L]

    # Atlassian Proxy Configuration:
    # ProxyRequests Off keeps this a reverse proxy only (never an open forward
    # proxy). The backends are reached over plain HTTP, so each Tomcat
    # connector needs scheme="https", proxyName and proxyPort="443" set so the
    # applications build https links.
    ProxyRequests Off
    ProxyPreserveHost On
    #SSLProxyEngine Off
    <Proxy *>
        Require all granted
    </Proxy>

    # Synchrony (collaborative editing): plain HTTP plus the WebSocket upgrade,
    # which needs mod_proxy_wstunnel.
    ProxyPass /synchrony http://your.confluenceserver.url:8091/synchrony
    <Location /synchrony>
        Require all granted
        RewriteEngine on
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
        RewriteRule .* ws://your.confluenceserver.url:8091%{REQUEST_URI} [P]
    </Location>
    RemoteIPHeader X-Forwarded-For

    # Jira over http
    ProxyPass "/jira" "http://your.jiraserver.url:8090/jira"
    ProxyPassReverse "/jira" "http://your.jiraserver.url:8090/jira"
    # Confluence over http
    ProxyPass "/confluence" "http://your.confluenceserver.url:8080/confluence"
    ProxyPassReverse "/confluence" "http://your.confluenceserver.url:8080/confluence"
    # Bitbucket over http
    ProxyPass "/bitbucket" "http://your.bitbucketserver.url:7990/bitbucket"
    ProxyPassReverse "/bitbucket" "http://your.bitbucketserver.url:7990/bitbucket"
</VirtualHost>
This gives you an idea of how to configure a wildcard certificate with its intermediate certificate in Apache. We actually prefer running Jira & Confluence with an AJP Tomcat connector, but that is another subject.
Best
JP
Hi @Marcel Heelein,
This documentation explains how to install certificates on Confluence on Windows; it should have all the information you need to use keytool.exe to import the cert into Tomcat.
The fact that you have a wildcard cert doesn't change anything in the procedure as far as I know.
Depending on the format of your key and crt, you might need to perform some kind of export/import step in addition to what's described in the documentation.
On a side note, I usually recommend delegating SSL/HTTPS handling to the proxy instead of Tomcat, as this is much easier to configure (see this documentation for example).
Let me know if you have any questions,
--Alexis
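Both answers assume the certificate material is already in the form the chosen front end wants: JP's Apache config needs the wildcard certificate, its intermediate and an unencrypted key as separate PEM files, and Alexis mentions an export/import step that depends on the format you start from. The script below is an added example (not code from either answer or from Atlassian) that turns the private_key.pfx named in the question into those PEM files with OpenSSL and then checks that the extracted key really belongs to the certificate, which is the mismatch that otherwise only shows up as a failed Apache start. It assumes openssl is on PATH (it ships with Git for Windows and with the Apache Lounge builds); the file names, the passphrase argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prepare PEM files for Apache from a PKCS#12 (.pfx) bundle and
# verify that certificate and key match. File names are placeholders.
set -eu

# Leaf certificate from the bundle, written as PEM.
# $1 = pfx path, $2 = pfx password, $3 = output .crt path
pfx_extract_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        | openssl x509 -out "$3"
}

# Private key, written unencrypted (-nodes): the Apache service on Windows
# cannot prompt for a passphrase at start-up. Restrict access to the file
# (chmod here; on Windows use NTFS ACLs, where chmod is a no-op).
pfx_extract_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        | openssl pkey -out "$3"
    chmod 600 "$3" 2>/dev/null || true
}

# Intermediate/CA certificates carried in the bundle (may be empty if the
# .pfx was exported without the chain; then fetch the intermediate from the CA).
pfx_extract_chain() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# Succeeds (exit 0) only if the certificate's public key equals the public
# key derived from the private key, i.e. the two files belong together.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Show the subject and the SAN list so you can confirm the wildcard name
# actually covers the Confluence host (falls back to subject only on
# OpenSSL builds without the -ext option).
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
        || openssl x509 -in "$1" -noout -subject
}

# Usage: sh prepare_pem.sh private_key.pfx 'pfx-password' out-dir
if [ "$#" -eq 3 ]; then
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    pfx_extract_cert  "$pfx" "$pass" "$out/wildcard.crt"
    pfx_extract_key   "$pfx" "$pass" "$out/wildcard.key"
    pfx_extract_chain "$pfx" "$pass" "$out/wildcard.intermediate.crt"
    if cert_key_match "$out/wildcard.crt" "$out/wildcard.key"; then
        echo "OK: certificate and key match"
    else
        echo "ERROR: key does not belong to this certificate" >&2
        exit 1
    fi
    cert_names "$out/wildcard.crt"
fi
```

The three output files map onto SSLCertificateFile, SSLCertificateKeyFile and the intermediate file in the Apache config above; if the chain file comes out empty, the .pfx was exported without the intermediate and you need to obtain it from your CA separately. Tomcat 8.5 and later can also read the .pfx directly as a keystore with keystoreType="PKCS12", so the keytool import Alexis mentions is only needed if you convert to a JKS keystore.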