Switching Confluence to HTTPS is possible by configuring the underlying Tomcat to use HTTPS, but …

  • you cannot use the standard port 443
  • the changes to the Tomcat configuration aren’t simple
  • you have to redo all of these changes after every update

So it is best to put a “reverse proxy” such as Nginx or Apache in front of the Confluence server. This document describes how to configure Nginx for that task.

Overview

Overview of how Nginx, Confluence and the Synology server interact

Nginx as reverse proxy

Requirements / Assumptions

Nginx virtual host configurations

  • HTTP to HTTPS redirect configured in /etc/nginx/sites-available/myconfluence.mydomain.tld_http:
    server {
        # Make site accessible from http://myconfluence.mydomain.tld
        server_name myconfluence.mydomain.tld;
    
        listen   80; ## listen for ipv4; this line is default and implied
        #listen   [::]:80 default_server ipv6only=on; ## listen for ipv6
    
        root /usr/share/nginx/www;
        index index.html index.htm;
    
        access_log /var/log/nginx/access_myconfluence.mydomain.tld_http.log;
        error_log /var/log/nginx/error_myconfluence.mydomain.tld_http.log;
    
        # Status monitoring for check_mk; only reachable from localhost and private networks
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 172.16.0.0/12;
            allow 192.168.0.0/16;
            deny all;
        }
    
        # Everything else is redirected to HTTPS, keeping the requested path
        location / {
            return 301 https://myconfluence.mydomain.tld$request_uri;
        }
    }
    
  • HTTPS reverse proxy to Tomcat configured in /etc/nginx/sites-available/myconfluence.mydomain.tld_https:
    server {
        # Make site accessible from https://myconfluence.mydomain.tld
        server_name myconfluence.mydomain.tld;
    
        listen   443 ssl;
    
        # Nginx allows only 1M per request body by default.
        # Raise this to at least Confluence's / JIRA's maximum attachment size
        # (10M by default; 250M here).
        client_max_body_size 250M;
    
        root /usr/share/nginx/www;
        index index.html index.htm;
    
        access_log /var/log/nginx/access_myconfluence.mydomain.tld_https.log;
        error_log /var/log/nginx/error_myconfluence.mydomain.tld_https.log;
    
        # Redundant with "listen 443 ssl"; the ssl directive is deprecated since
        # nginx 1.15 and was removed in 1.25, so drop this line on current versions.
        ssl on;
        ssl_certificate     myconfluence.mydomain.tld-chain.crt;
        ssl_certificate_key myconfluence.mydomain.tld.key.pem;
    
        ssl_session_timeout 5m;
    
        # TLSv1.1 is deprecated (RFC 8996); on a current nginx/OpenSSL use
        # "TLSv1.2 TLSv1.3" instead.
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
        ssl_prefer_server_ciphers on;
    
        # Status monitoring for check_mk; only reachable from localhost and private networks
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 172.16.0.0/12;
            allow 192.168.0.0/16;
            deny all;
        }
    
        location / {
            proxy_pass            http://127.0.0.1:8090/;
            proxy_set_header      Host $host;
            proxy_set_header      X-Forwarded-Host $host;
            proxy_set_header      X-Forwarded-Server $host;
            # Tell Tomcat (RemoteIpValve in server.xml below) who the real client is
            # and that the original request came in over HTTPS
            proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header      X-Forwarded-Ssl $https;
            proxy_set_header      X-Forwarded-Proto $scheme;
            proxy_set_header      X-Forwarded-Port $server_port;
            proxy_set_header      X-Real-IP $remote_addr;
            proxy_redirect        off;
            # the default timeout of 60s is often too low
            proxy_connect_timeout 120;
            proxy_send_timeout    120;
            proxy_read_timeout    120;
            send_timeout          120;
            # Confluence 6's collaborative editing (Synchrony) additionally needs the
            # WebSocket upgrade headers passed through; see Atlassian's nginx guide.
        }
    }
    

Changes to Confluence’s Tomcat configuration

Assuming Confluence is installed in the default location /opt/atlassian/confluence (so its Tomcat configuration is /opt/atlassian/confluence/conf/server.xml), follow these instructions. Otherwise adjust the path accordingly.

  1. Change the configuration in /opt/atlassian/confluence/conf/server.xml so that it looks like:
    <Server port="8000" shutdown="SHUTDOWN" debug="0">
        <Service name="Tomcat-Standalone">
            <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                       maxThreads="48" minSpareThreads="10"
                       enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                       protocol="org.apache.coyote.http11.Http11NioProtocol"
                       />
            <Engine name="Standalone" defaultHost="localhost" debug="0">
                <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                    <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                        <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                        <Manager pathname=""/>
                        <!-- Trust X-Forwarded-For / X-Forwarded-Proto from the nginx proxy; by default only loopback,
                             RFC 1918 and link-local peers count as internal proxies (see internalProxies) -->
                        <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />
                        <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                    </Context>
                    <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                             reloadable="false" useHttpOnly="true">
                        <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />
                        <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                    </Context>
                </Host>
            </Engine>
        </Service>
    </Server>
    
  2. Restart Confluence (i.e. its embedded Tomcat server).
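The two halves above only work together because of a trust chain: nginx sets X-Forwarded-For and X-Forwarded-Proto, and the RemoteIpValve in server.xml rewrites the request's client address and scheme from them. The following script is an added illustration (not code from the page, Confluence or Tomcat) that models what nginx's $proxy_add_x_forwarded_for produces and how the valve consumes it, following Tomcat's documented algorithm and default internalProxies regex; the simulation is simplified (one header value, "https" as the only secure protocol value) and the client addresses are constructed documentation addresses.

```python
"""Simulate the nginx -> Tomcat RemoteIpValve trust chain for X-Forwarded-* headers.

Added illustration, not Confluence's or Tomcat's own code.  The valve algorithm
and the default internalProxies pattern follow the Tomcat documentation; the
simulation is simplified (single header value, "https" = secure).
"""
import re
from dataclasses import dataclass

# Tomcat's documented default for RemoteIpValve's internalProxies attribute:
# loopback, RFC 1918 and link-local addresses all count as internal proxies.
TOMCAT_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)


def nginx_proxy_headers(client_addr, client_headers, https=True):
    """Headers Tomcat receives from the `proxy_set_header` lines in `location /`.

    $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever X-Forwarded-For
    the client already sent; it never discards the client-supplied value.
    """
    incoming = client_headers.get("X-Forwarded-For")
    xff = f"{incoming}, {client_addr}" if incoming else client_addr
    return {"X-Forwarded-For": xff,
            "X-Forwarded-Proto": "https" if https else "http"}


@dataclass
class Request:
    remote_addr: str      # TCP peer as Tomcat sees it (nginx, when proxied)
    headers: dict
    secure: bool = False
    scheme: str = "http"
    server_port: int = 80


def remote_ip_valve(req, internal_proxies=TOMCAT_DEFAULT_INTERNAL_PROXIES,
                    remote_ip_header="X-Forwarded-For",
                    protocol_header="X-Forwarded-Proto"):
    """Apply RemoteIpValve semantics to `req` in place and return it."""
    internal = re.compile(internal_proxies)
    # The valve only rewrites requests whose direct peer is an internal proxy;
    # a request that reaches Tomcat directly keeps its real peer address.
    if not internal.fullmatch(req.remote_addr):
        return req
    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",")
            if h.strip()]
    remote_ip = None
    idx = len(hops) - 1
    # Walk the chain from the right (nearest proxy) to the left: internal
    # proxies are dropped, the first other address becomes the client address.
    while idx >= 0:
        remote_ip = hops[idx]
        idx -= 1
        if not internal.fullmatch(remote_ip):
            break
    if remote_ip is not None:
        req.remote_addr = remote_ip
        remaining = hops[:idx + 1]        # anything further left is kept as-is
        if remaining:
            req.headers[remote_ip_header] = ", ".join(remaining)
        else:
            req.headers.pop(remote_ip_header, None)
    proto = req.headers.get(protocol_header)
    if proto is not None:
        req.secure = proto.lower() == "https"
        req.scheme = "https" if req.secure else "http"
        req.server_port = 443 if req.secure else 80
    return req


def effective_client(client_addr, client_headers=None, https=True,
                     proxy_addr="127.0.0.1",
                     internal_proxies=TOMCAT_DEFAULT_INTERNAL_PROXIES):
    """Whole chain: (client address, secure?, port) as Confluence will see them."""
    headers = nginx_proxy_headers(client_addr, client_headers or {}, https)
    req = remote_ip_valve(Request(proxy_addr, headers), internal_proxies)
    return req.remote_addr, req.secure, req.server_port


if __name__ == "__main__":
    # Constructed sample clients (RFC 5737 documentation addresses).
    print(effective_client("203.0.113.10"))
    # A client-supplied X-Forwarded-For is not believed for an external client ...
    print(effective_client("203.0.113.10", {"X-Forwarded-For": "198.51.100.1"}))
    # ... but a LAN client matches the default internalProxies and is skipped
    # too, so the supplied value ends up in Confluence's logs.  Setting
    # internalProxies to the proxy's own address closes that gap.
    print(effective_client("192.168.1.20", {"X-Forwarded-For": "198.51.100.1"}))
    print(effective_client("192.168.1.20", {"X-Forwarded-For": "198.51.100.1"},
                           internal_proxies=r"127\.0\.0\.1"))
```

The last two calls show the caveat worth checking in your own setup: with the default internalProxies, a client on a private network is itself treated as an internal proxy, so the address Confluence logs (and uses for any IP-based restrictions) comes from whatever X-Forwarded-For the client sent. Since the only proxy in the setup above is nginx on 127.0.0.1, adding internalProxies="127\.0\.0\.1" to both RemoteIpValve elements in server.xml makes the valve trust that hop only.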