Configure Web Proxy Support for Confluence

Some of Confluence's macros, such as {rss} and {jiraissues} need to make web requests to remote servers in order to retrieve data. If Confluence is deployed within a data-centre or DMZ, it may not be able to access the Internet directly to make these requests. If you find that the {rss} macro does not work, ask your network administrator if Confluence needs to access the Internet through a web proxy.

Configuring an outbound HTTP proxy in Confluence

Proxy support is configured by passing certain system properties to the Java Virtual Machine on startup. These properties follow the conventions defined by Sun:

• http.proxyHost
• http.proxyPort (default: 80)
• http.nonProxyHosts (default: <none>)

At a minimum, you need to define http.proxyHost to configure an HTTP proxy. System property configuration is described on the Configuring System Properties page.

Properties http.proxyHost and http.proxyPort indicate the proxy server and port that the http protocol handler will use.

-Dhttp.proxyHost=proxy.example.org -Dhttp.proxyPort=8080

Property http.nonProxyHosts indicates the hosts which should be connected to directly and not through the proxy server. The value can be a list of hosts, each seperated by a |, and in addition a wildcard character (*) can be used for matching. For example:

-Dhttp.nonProxyHosts=*.foo.com|localhost

Note: You may need to escape the pipe character (|) in some command-line environments.

If the http.nonProxyHosts property is not configured, all web requests will be sent to the proxy.

Configuring HTTP proxy authentication

Proxy authentication is also configured by providing system properties to Java in your application server's configuration file. Specifically, the following two properties:

• http.proxyUser – username
• http.proxyPassword – secret

Authentication has a few more options in Confluence 2.10 and later, as documented below.

HTTP proxy NTLM authentication (2.10 and later)

Confluence 2.10 and later supports NTLM authentication for outbound HTTP proxies when Confluence is running on a Windows server.

To clarify, this means the {rss} and {jiraissues} macro will be able to contact external websites if requests have to go through a proxy that requires Windows authentication. This support is not related to logging in Confluence users automatically with NTLM, for which there is a user-contributed authenticator available.

To configure NTLM authentication for your HTTP proxy, you need to define a domain system property, http.auth.ntlm.domain, in addition to the properties for host, port and username mentioned above:

-Dhttp.auth.ntlm.domain=MYDOMAIN

Configuring authentication order (2.10 and later)

Sometimes multiple authentication mechanisms are provided by an HTTP proxy. If you have proxy authentication failure messages, you should first check your username and password, then you can check for this problem by examining the HTTP headers in the proxy failure with a packet sniffer on the Confluence server. (Describing this is outside the scope of this document.)

To set the order for multiple authentication methods, you can set the system property http.proxyAuth to a comma-separated list of authentication methods. The available methods are: ntlm, digest and basic; this is also the default order for these methods.

For example, to attempt Basic authentication before NTLM authentication, and avoid Digest authentication entirely, you can set the http.proxyAuth property to this value:

-Dhttp.proxyAuth=basic,ntlm

Troubleshooting

To see if the values you've entered are picked up by Confluence:
1) Download ViewSystemInfoAction.class from this page.
2) Save it in <your Confluence installation>/confluence/WEB-INF/classes/com/atlassian/confluence/admin/actions/ViewSystemInfoAction. You may have to create some of those directories.
3) Restart Confluence.
4) Go to the Administration -> System Information page
5) Check the http.proxyHost and http.proxyPort values.