
Configure Apache SSL for Confluence

St__Wissel October 7, 2012

I need some help on configuring my Confluence with Apache HTTPS. I use mod_proxy to redirect from http://mypage/wiki to http://localhost:8090/ (while blocking direct access from the outside to :8090) and so far it works like a charm.

Now I want to use https (and eventually shut down http for authenticated users). I did see the following Atlassian URLs, but they don't cover Confluence:

https://answers.atlassian.com/questions/19716/apache-ssl-terminiation-with-mod_proxy-after-update-jira-4-4-0-to-4-4-3

https://answers.atlassian.com/questions/19361/apache-ssl-for-jira

https://confluence.atlassian.com/display/JIRA044/Integrating+JIRA+with+Apache#IntegratingJIRAwithApache-TerminatinganSSLconnectionathttpd

and this doesn't cover SSL:

https://confluence.atlassian.com/display/DOC/Running+Confluence+behind+Apache

I want to use SSL on the Apache server (since there are some more components) rather than on the Confluence instance. How do I do that? (I can configure https with Apache as such).

3 answers

1 accepted

2 votes
Answer accepted
Jason Hensler
Rising Star
October 7, 2012

The document here (https://confluence.atlassian.com/display/DOC/Using+Apache+with+mod_proxy) has a 1000-foot view of doing everything under the heading of "adding SSL". We did this on our install, but used mod_jk instead of mod_proxy. The basic idea is to set up SSL for Apache (http://httpd.apache.org/docs/2.2/ssl/) and then add your proxy settings to the SSL-enabled vhost in Apache. The encryption is terminated at the Apache web server, and then Apache sends unencrypted traffic to the JIRA server.

We run Windows 2K8, so for us this meant enabling the mod_ssl module in the main httpd.conf file and then editing extra/httpd-ssl.conf for the SSL setup and adding the mod_jk (or mod_proxy) to the vhost at the bottom of the config file.

For the JIRA side of the equation, we ran the Apache and JIRA server on the same machine, so I added `address="127.0.0.1"` to the connector string in my server.xml to force Tomcat to listen only on connections from the localhost to tomcat:8009. If you are running Apache and JIRA on separate machines, you may want to encrypt traffic between the two machines, depending on whether you can trust your network to be secure or not. For example, if they are two different machines that were colocated (or rented) in a datacenter, I would encrypt the traffic between them.

2 votes
Jobin Kuruvilla [Adaptavist]
Rising Star
October 7, 2012
St__Wissel October 7, 2012

That document describes how to configure Confluence for SSL, but not Apache to Confluence. My question is: do I need to SSL-enable both 8090 and 443, or only 443 and leave Confluence as it is? (We can block 8090 on the firewall if needed).

I'm sure it is a small step I'm missing...

Jobin Kuruvilla [Adaptavist]
Rising Star
October 7, 2012

You can just configure SSL for Confluence and then redirect from http://mypage/wiki to http://localhost:8443 or http://localhost:443 using Apache, depending on the port.

1 vote
Owen Carter January 19, 2017

Bumping an old question; sorry.. but I thought a 2016 era answer here may help..

I've just set up both JIRA and Confluence to talk through the same apache proxy server (different vhosts) and I wanted to enforce ssl on both. My apache server has a catchall vhost for any port 80 traffic which rewrites to ssl, as described in the doc linked below.

For JIRA there is this handy document: https://confluence.atlassian.com/adminjiraserver071/integrating-jira-with-apache-using-ssl-802593043.html, which is what I used to set up our JIRA instance.

For Confluence I copied everything from the JIRA vhost to the Confluence one, but set the port# to 8090.

I decided to rewrite the tomcat config/server.xml as follows:

        <!-- Provide a new connector that forces proxy/https mode to all traffic;
             see https://confluence.atlassian.com/adminjiraserver071/integrating-jira-with-apache-using-ssl-802593043.html -->

        <!-- Apache Proxy Connector with values for scheme, proxyName and proxyPort -->
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="96" minSpareThreads="20"
                enableLookups="false" acceptCount="20" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                scheme="https" proxyName="confluence.ourfinecompany.com" proxyPort="443"/>

        <!-- Standard HTTP Connector on port 8091 -->
        <Connector port="8091" connectionTimeout="20000" redirectPort="8443"
                maxThreads="96" minSpareThreads="20"
                enableLookups="false" acceptCount="20" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />

        <!-- ORIGINAL:
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />
        -->

This makes an 8090 connector with the same additional parameters as the JIRA one in the JIRA doc. It also makes a non-SSL connector on port 8091 (though I think it is superfluous, I left it there just in case; the JIRA guide does this too).

I set the Base URL in confluence itself to begin with https:// of course.

This seems to work well for us: Both JIRA and Confluence deliver fully secured content and seamlessly redirect any http requests to https.

Final note: if the proxy is on Linux, SELinux will by default (in most distros) prevent Apache from opening any outbound connections, and the proxying can fail if this stops Apache passing on the requests; it was pretty obvious what was happening in the Apache error logs. The solution is to enable Apache outbound connections (`sudo /usr/sbin/setsebool -P httpd_can_network_connect 1` will set this permanently), rather than taking the lazy pill and disabling SELinux.
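
The Apache side that pairs with the port 8090 connector above, as an added example that is not part of the original thread or of Atlassian's documentation: a port 80 vhost that rewrites to HTTPS and a 443 vhost that terminates TLS and proxies to Confluence. The certificate paths are placeholders, and the loopback backend address assumes Apache and Confluence run on the same host.

```apache
# Added example (not from the thread). Needs mod_ssl, mod_proxy,
# mod_proxy_http and mod_rewrite loaded.

# Plain HTTP: no content is served here, every request is sent to HTTPS.
<VirtualHost *:80>
    ServerName confluence.ourfinecompany.com
    RewriteEngine On
    RewriteRule ^/?(.*)$ https://confluence.ourfinecompany.com/$1 [R=301,L]
</VirtualHost>

# HTTPS: TLS ends at Apache; the hop to Tomcat is plain HTTP on loopback.
<VirtualHost *:443>
    # Must equal proxyName on the Tomcat connector; 443 must equal proxyPort.
    # If they differ, Confluence builds links and redirects for the wrong origin.
    ServerName confluence.ourfinecompany.com

    SSLEngine On
    # Placeholder paths: point these at your own certificate and key.
    SSLCertificateFile    /path/to/confluence.crt
    SSLCertificateKeyFile /path/to/confluence.key

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off
    # Pass the client's Host header through to Confluence.
    ProxyPreserveHost On

    # 127.0.0.1 rather than "localhost" so the target still matches if the
    # connector is bound with address="127.0.0.1" as in the first answer
    # ("localhost" can resolve to ::1).
    ProxyPass        / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>
```

Because the backend hop is unencrypted, ports 8090 and 8091 should not be reachable from other hosts, whether by binding the connectors to loopback or by firewalling them as the question describes.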
