|
This document describes how to configure Confluence to use a HTTPS encrypted secure socket layer for user logins and page data. Unencrypted confidential data within Confluence may be intercepted by an attacker. To secure user logins, you can enable access via HTTPS (HTTP over SSL), and require its use for pages where passwords are sent. In some cases where issue data is sensitive, all pages can be set to be accessed over HTTPS. Enabling SSL access is different for each application server, but specifying which pages to require protection for is generic. This document is specific to Tomcat, the default application server shipped with Confluence. Adding Secure User LoginsAdding HTTPS requires a valid SSL certificate. If you have a Certificate prepared, skip to the 'Modify the <INSTALL>/conf/server.xml File' section. Creating A New SSL CertificateOn Windows, perform the following at the command prompt: "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
Or on other platforms, perform the following at the command prompt: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA Some questions will be asked, including a password for the certificate (the default is 'changeit'). Please note down what you choose, as it will be used in the next step. Modify the <INSTALL>/conf/server.xml FileIn the confluence directory, open the conf/server.xml file and insert one of the following just after the closing </Engine> tag:
Verify Certificate in Correct LocationBy default, Tomcat will look for the certificates in the file C:\Documents and Settings\\#CURRENT_USER#\.keystore on Windows or ~/.keystore on Unix. If your Certificate is not in this location, you will need to update your <INSTALL>/conf/server.xml file as outlined below, so that Tomcat can find it. Advanced users who require an official CA-issued key pair for their Certificate can find instructions in the Tomcat documentation.
Testing SSLRestart Tomcat and access your instance on https://<MY_BASE_URL>:8443/. For more detailed information on setting up SSL with Tomcat (including additional configuration options), have a look at Tomcat 4 SSL Howto or Tomcat 5.5 SSL Howto. Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8080) are still available. In most situations one wants these URLs to continue working, but for some to redirect to their HTTPS equivalent.
If security is a concern, we recommend using SSL encryption site wide, for the reasons listed here: CONF-4116. To do this: Edit the confluence/WEB-INF/web.xml file and add the following declaration to the end, before the </web-app> tag: <security-constraint> <web-resource-collection> <web-resource-name>Restricted URLs</web-resource-name> <url-pattern>*.action</url-pattern> <url-pattern>/display/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> Once this change is made, restart Confluence and access http://localhost:8080. You should be redirected to https://localhost:8443/login.action. IE and HTTPS for the whole site with a '/' as the url-patternIf you have enabled SSL for the whole site and are accessing Confluence using Internet Explorer, you will not be able to download attachments. <url-pattern>/</url-pattern> This is because IE will not download attachments into its Temporary Internet Files folder when in SSL mode. Securing the site using the *.action url pattern like the above should be fine.
|
Comments (17)
Sep 21, 2006
Aaron Sachs says:
ust wanted to share this tip about creating SSL certificates. This issues caused...ust wanted to share this tip about creating SSL certificates.
This issues caused me hours of headache... so read and heed:
When you create your certificate with java's keytool, you are ABLE to specify one password for the "storepass" and one password for the "keypass". DO NOT, i repeat DO NOT make these different. THEY SHOULD USE THE SAME PASSWORD.
There you are, that's it... just saved you hours of headache...
You will never experience the joy of getting this error:
"LifecycleException: service.getName(): "Tomcat-Standalone"; Protocol handler start failed: java.io.IOException: Cannot recover key" REF: http://forum.java.sun.com/thread.jspa?threadID=728744
Another great resource:
http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
Sep 21, 2006
Ivan Benko says:
Thanks for that info Aaron.Thanks for that info Aaron.
Dec 30, 2006
Larry Masinter says:
Note that behavior of Internet Explorer is different for http and https because ...Note that behavior of Internet Explorer is different for http and https because the standard main.vmd sets up HTTP-EQUIV headers that (some) web servers pay attention to. See
http://support.microsoft.com/default.aspx/kb/234067
It means that you can't go 'back' to a previous page result from a POST operation (such as the administration forms) and other inconveniences.
(I think the #standardHeader use of <META HTTP-EQUIV ...> is wrong, but that's a different issue.)
Jan 24, 2007
M. Dale says:
I am accessing Tomcat via Apache using the mod_jk connector. I also set SSL up f...I am accessing Tomcat via Apache using the mod_jk connector. I also set SSL up for Apache on port 443 and created a VirtualHost with the JkMount to my confluence instance. Just changing the seraph-config.xml to point to
https://my-server.domain.com:443/login.action?os_destination=${originalurl}didn't force the https login (my confluence instance is located under webapps/ROOT so there is no contextpath - maybe that is part of the problem?) but instead went to the http login. To redirect to https, I ended up adding the following security-constraint to web.xml:
<security-constraint> <web-resource-collection> <web-resource-name>login</web-resource-name> <url-pattern>/login.action</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>This was causing the redirect to https but still didn't quite work because the AJP connector by default was pointing to 8443 (and Apache was using 443). So I had to adjust $tomcat/conf/server.xml (I have Confluence running as a webapp under my own Tomcat - not the standalone confluence container):
Jan 30, 2007
Keith Van Cleave says:
I'm using 2.3.1 and can access my localhost:8443. However, I want SSL only for l...I'm using 2.3.1 and can access my localhost:8443. However, I want SSL only for login and find that modifying the link.url parameter in the seraph_config.xml file as described in the doucmentation does nothing and seems to by default append &os_destination=%2Fdashboard.action to the end of the login url. (even if I delete the parameter).
I find that the link.login.url parameter can be modified to generate the appropriate :8443/login.action url but doing so causes the entire session to be SSL.
I've also found that I can do the following to create https for login and then http for the remainder of session:
https://host:8443/confluence/login.action?os_destination=http://host:8080/confluence/dashboard.action
I'm not sure if this is secure and can't seem to generate the url after numerous attempts at modifying the seraph_config.xml parameters as the link.url parameter always adds its own default os_destination.
Feb 06, 2007
Samuel Le Berrigaud says:
Hi Keith, you may want to open a support ticket for that. Attach the different ...Hi Keith,
you may want to open a support ticket for that. Attach the different seraph_config.xml you tried as well as a precise explanation of what you are trying to achieve. Someone will help you there.
SaM
Feb 27, 2007
Ricardo Sueiras says:
Silly question. If you front Confluence with Apache via a reverse proxy, d...Silly question. If you front Confluence with Apache via a reverse proxy, do you still need to do this? The scenario I am thinking of is that Apache manages the connection with the browser, and here, we could use mod_rewrite or the standard Redirect directive to ensure that all requests are converted (via client side redirects) to SSL. As you are hitting the proxy, you cannot bypass this (i.e. if you half way through a session, and type http instead of https, the mod_rewrite rule would just convert back to SSL).
Would this work, and would this solution require no modification to the WEB.XML?
Feb 27, 2007
Matthew Jensen says:
Ricardo, You can set up Apache to terminate the SSL connection and use the Prox...Ricardo,
You can set up Apache to terminate the SSL connection and use the ProxyPass and ProxyPassReverse directives to pass the connection through to (say) tomcat which is running confluence.
I tried it this morning and it was pretty simply to set up.
Because of how the ProxyPass and ProxyPassReverse directives work, you should not need to modify the tomcat installation at all.
Most of the relevant Apache Config:
Listen 443 NameVirtualHost *:443 <VirtualHost *:443> SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/ </VirtualHost>Feb 28, 2007
Ricardo Sueiras says:
Matt - thanks, I am familiar with this config. However, the question I was askin...Matt - thanks, I am familiar with this config. However, the question I was asking is if the requests are proxies to the application server (in our case, WebSphere) over SSL, would there be any impact on the application configuration - i.e. any need to change the WEB.XML.
What I am trying to get away from is modifying the WEB.XML if at all possible, and retaining the application configuration "as is" (with the exception of the base URL of course). If I proxy the request via the Apache server, this takes care of the control element (assuming no-one can access the app server directly, which they cannot in our case) will all subsequent SSL requests to the app work without any tweaks?
Mar 04, 2007
Matthew Jensen says:
Yes, as long as the reverse proxy server (or ssl accelerator) is configured corr...Yes, as long as the reverse proxy server (or ssl accelerator) is configured correctly, the tomcat instance behind it should not need to be changed at all.
Aug 19, 2007
infinity says:
When I use "ProxyPass /wiki http://localhost:8080/" (and reverse), I get redirec...When I use "ProxyPass /wiki http://localhost:8080/" (and reverse), I get redirectoed to: "https://secure.domain.com/wikihomepage.action"
I'm trying to have it be secure.domain.com/[app1,app2,etc]. In this case, secure.domain.com/wiki.
Apr 23
Anonymous says:
You may have to turn ProxyPreserveHost to Off to get this working.You may have to turn ProxyPreserveHost to Off to get this working.
Jul 17, 2007
Kirk Mook says:
Once this change is made, restart Confluence and access http://localhost:8080. Y...Once this change is made, restart Confluence and access http://localhost:8080. You should be redirected to https://localhost:8443/login.action.
Actually, you won't be redirected unless you change the redirect section of server.xml to reflect the 8443 or 443 port number. Banged my head for a while to resolve that issue.
Sep 28, 2007
Srinivasa says:
We are running confluence and Jira behind apache with SSL. Everything ...We are running confluence and Jira behind apache with SSL. Everything works fine as the configuration is specified in this thread. Now we need to upgrade our confluence to cluster version and use Apache as load balancer as well. is there any instructions on how to do this without impacting the other applications running behind Apache.. We have tested confluence cluster using mod_jk without SSL just by itself...But wondering how to achieve the same with SSL and other tomcat instances running behind the same Apache. Thanks.
We found an issue with this configuration... Attaching a file to a page is not working..it is going to page notfound error. Another issue is...When I edit the page content and
try to swith between richtext and wikimarkup tabs, before saving my change, the browser simply hanging up. If I save and then switch it works fine. Any suggestions would be much appreciated. Thanks
**************************
The issue ended up as Internet Explorer 6.0 and prior versions . interaction between SSL and HTTP/1.1 features are problematic in some MSIE versions. This seems to be fixed in IE-7.0 as I am not able get the issue that I am getting on IE-6.0
I have added below lines in virtualhost section and things started working
SetEnvIf User-Agent ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Feb 13, 2008
Peter R. says:
We encountered the same thing with Apache and SSL v2.0. Our web person put this ...We encountered the same thing with Apache and SSL v2.0. Our web person put this into the config:
Not sure exactly what differs from your version; yours actually looks cleaner.
Any Apache experts out there that can tell me the differences? Did my guy just make it more complicated than it needed to be? Thanks!
Peter
Feb 21, 2008
Choy Li Tham says:
Hi Peter, It would be appreciated that if you could raise a support request at ...Hi Peter,
It would be appreciated that if you could raise a support request at the following Issue Tracker so that we can further investigate the problem from there:
Meanwhile, you can also post your queries to our forum or mailing list. From there, others developer/user who have experience in similar situation could share their idea with you.
Regards,
Choy Li
May 13
Jeremy Largman says:
It appears a new parameter SSLEnabled="true" is REQUIRED for tomcat 6.016It appears a new parameter SSLEnabled="true" is REQUIRED for tomcat 6.016
Add Comment