This documentation relates to Confluence 3.1.x
If you are using an earlier version, please view the previous versions of the Confluence documentation and select the relevant version.

Configure Web Proxy Support for Confluence

Some of Confluence's macros, such as {rss} and {jiraissues} need to make web requests to remote servers in order to retrieve data. If Confluence is deployed within a data-centre or DMZ, it may not be able to access the Internet directly to make these requests. If you find that the {rss} macro does not work, ask your network administrator if Confluence needs to access the Internet through a web proxy.

Configuring an outbound HTTP proxy in Confluence

Proxy support is configured by passing certain system properties to the Java Virtual Machine on startup. These properties follow the conventions defined by Sun:

  • http.proxyHost
  • http.proxyPort (default: 80)
  • http.nonProxyHosts (default: <none>)

At a minimum, you need to define http.proxyHost to configure an HTTP proxy. System property configuration is described on the Configuring System Properties page.

Properties http.proxyHost and http.proxyPort indicate the proxy server and port that the http protocol handler will use. 

-Dhttp.proxyHost=proxy.example.org -Dhttp.proxyPort=8080

Property http.nonProxyHosts indicates the hosts which should be connected to directly and not through the proxy server. The value can be a list of hosts, each separated by a |, and in addition a wildcard character (*) can be used for matching. For example:

-Dhttp.nonProxyHosts=*.foo.com|localhost

Note: You may need to escape the pipe character (|) in some command-line environments.

If the http.nonProxyHosts property is not configured, all web requests will be sent to the proxy.

Configuring HTTP proxy authentication

Proxy authentication is also configured by providing system properties to Java in your application server's configuration file. Specifically, the following two properties:

  • http.proxyUser – username
  • http.proxyPassword – secret

Authentication has a few more options in Confluence 2.10 and later, as documented below.

HTTP proxy (Microsoft ISA) NTLM authentication (2.10 and later)

Confluence 2.10 and later supports NTLM authentication for outbound HTTP proxies when Confluence is running on a Windows server.

To clarify, this means the {rss} and {jiraissues} macro will be able to contact external websites if requests have to go through a proxy that requires Windows authentication. This support is not related to logging in Confluence users automatically with NTLM, for which there is a user-contributed authenticator available.

To configure NTLM authentication for your HTTP proxy, you need to define a domain system property, http.auth.ntlm.domain, in addition to the properties for host, port and username mentioned above:

-Dhttp.auth.ntlm.domain=MYDOMAIN

Configuring authentication order (2.10 and later)

Sometimes multiple authentication mechanisms are provided by an HTTP proxy. If you have proxy authentication failure messages, you should first check your username and password, then you can check for this problem by examining the HTTP headers in the proxy failure with a packet sniffer on the Confluence server. (Describing this is outside the scope of this document.)

To set the order for multiple authentication methods, you can set the system property http.proxyAuth to a comma-separated list of authentication methods. The available methods are: ntlm, digest and basic; this is also the default order for these methods.

For example, to attempt Basic authentication before NTLM authentication, and avoid Digest authentication entirely, you can set the http.proxyAuth property to this value:

-Dhttp.proxyAuth=basic,ntlm

Troubleshooting

  1. There's a diagnostic jsp file in CONF-9719 for assessing the connection parameters.
  2. 'Status Code [407]' errors are described in APR-160.
  3. Autoproxies are not supported yet. See CONF-16941.

Labels

appserver appserver Delete
configuring configuring Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Comments (8)

 

  1. Jan 22, 2009

    Anonymous says:

    The patch for system info doesn't work in 2.10.  It would be much better if...

    The patch for system info doesn't work in 2.10.  It would be much better if system info printed all the system info by default.

    1. Jan 26, 2009

      Matt Ryall (Atlassian) says:

      Thanks for pointing that out. There's an existing issue you can vote for to see ...

      Thanks for pointing that out. There's an existing issue you can vote for to see this in Confluence properly: CONF-9719.

  2. Feb 02, 2009

    Anonymous says:

    The patch for system info doesn't work in 2.8.2.

    The patch for system info doesn't work in 2.8.2.

  3. Sep 24

    Anonymous says:

    Confluence 3.0.1 Hello. I hope you can help me. Our proxy server has two ports ...

    Confluence 3.0.1

    Hello. I hope you can help me. Our proxy server has two ports 80 for HTTP and 3128 for HTTPS.

    This is quite normal and if you open, say, the advanced proxy preferences of Firefox you'll see it's quite straight forward.

    I click on You can find and install more plugins from the plugin repository. and it fails to find:

    http://confluence.atlassian.com/plugin-repository/proxy.action?profile=confluence&decorator=none&buildNumber=1634&repoClientVer=2.1.4&os=i386&javaVer=1.6.0_15&javaVendor=Sun+Microsystems+Inc.
    confluence.atlassian.com

    So, I edit setenv.sh and add my proxy server and port:

    JAVA_OPTS="-Xms256m -Xmx512m -XX:MaxPermSize=256m $JAVA_OPTS -Djava.awt.headless=true -Dhttp.proxyHost=<IP address> -Dhttp.proxyPort=80"
    However, the above link does a redirect to the following HTTPS site (xml stuff): https://plugins.atlassian.com/server/legacy/confluence/xml/1634?&profile=confluence&decorator=none&buildNumber=1634&repoClientVer=2.1.4&os=i386&javaVer=1.6.0_15&javaVendor=Sun+Microsystems+Inc.
    And so the screen doesn't work because our proxy allows HTTPS traffic only on port 3128, not 80.
    Q1. Are there options for the use of two different ports ? One for HTTP and one for HTTPS ?
    Q2. If not, is there a config file I can edit and, perhaps, change the HTTP link to the HTTPS link ?
    Any help would be greatly appreciated, Dave

  4. Sep 24

    Anonymous says:

    Solution - go to the section '2.2) HTTPS', here: http://java.sun.com/javase/6/...

    Solution - go to the section '2.2) HTTPS', here:

    http://java.sun.com/javase/6/docs/technotes/guides/net/proxies.html

    Careful if you cut and paste the examples -- there's one 't' too many in the word: 'htttps.proxyHost'  

    Thanks, Dave

  5. Dec 18

    Stacy Shenker says:

    I am getting this error: Error downloading: [http://confluence.atlassian.com/p...

    I am getting this error: 

    Error downloading: [http://confluence.atlassian.com/plugin-repository/proxy.action?profile=confluence&decorator=none&decorator=none&buildNumber=1636&repoClientVer=2.1.4&os=x86&javaVer=1.6.0_07&javaVendor=Sun+Microsystems+Inc].
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    It is not an ssl issue with our system because we use ldap ssl for authentication and have no issue with that.

    1. Jan 26

      Sashidaran Jayaraman [Atlassian] says:

      Hi Stacy, I believe the issue you are encountering is related to this KB. Pleas...

      Hi Stacy,

      I believe the issue you are encountering is related to this KB. Please try the resolution suggested in the KB. If the problem persists, I would recommend you to raise a support ticket to https://support.atlassian.com, so that your issue can be further investigated

      Cheers
      JSashi

  6. Jan 09

    Anonymous says:

    Thanks for this coverage. To easily switch the proxy in the browsers I'm using ...

    Thanks for this coverage.

    To easily switch the proxy in the browsers I'm using a free software named: IE Proxy Switch its easy to use and free.

Add Comment