Running Confluence behind NGINX with SSL

This page describes how to set up NGINX as a reverse proxy for Confluence. 

The configuration described on this page results in a scenario where:

  • External client connections with NGINX are secured using SSL. Connections between NGINX and Confluence Server are unsecured.
  • Confluence Server and NGINX run on the same machine.

On this page

We assume that you already have a running instance of NGINX. If not, refer to the NGINX documentation for instructions on downloading and installing NGINX. SSL certificates must be installed on the server machine.  You'll an NGINX version that supports WebSockets (1.3 or later). 

If your team plans to use the Confluence Server mobile app, you'll need a certificate issued by a trusted Certificate Authority.  You can't use the app with a self-signed certificate, or one from an untrusted or private CA. 

Atlassian Support can't provide assistance with configuring third-party tools like NGINX. If you have questions, check the NGINX documentation, ask the Atlassian Community, or get help from a Solution Partner.


Step 1: Set the context path

(warning) If you want to access Confluence without a context path (www.example.com), or via a sub-domain (confluence.example.com)  skip this step.

Set your Confluence application path (the part after hostname and port) in Tomcat.  Edit <installation-directory>/conf/server.xml, locate the "Context" definition:

<Context path="" docBase="../confluence" debug="0" reloadable="false">

and change it to:

<Context path="/confluence" docBase="../confluence" debug="0" reloadable="false">

In this example we've used /confluence as the context path. Note that you can't use /resources as your context path, as this is used by Confluence, and will cause problems later on.  

Restart Confluence, and check you can access it at http://example:8090/confluence

Step 2: Configure the Tomcat connector

In the same <installation-directory>conf/server.xml file, use the example connectors as a starting point.  

Comment out the default connector (for unproxied access). 

Show me how to do this...

In XML a comment starts with  <!-- and ends with -->, and is used to make sure only the relevant portions of the file are read by the application.

Add <!-- and --> around the default connector. It should now look like this.

<!--
========================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.
========================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->

Uncomment the connector listed under the HTTPS - Proxying Confluence via Apache or Nginx over HTTPS heading.   

Show me how to do this...

To uncomment a section, remove the <!-- and --> surrounding the connector.

Here's an example showing the default connector commented out, and the HTTPS connector uncommented. The headings remain commented out.

<!--
========================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.
========================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->
...
<!--
========================================================
HTTPS - Proxying Confluence via Apache or Nginx over HTTPS
========================================================
-->
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   scheme="https" secure="true" proxyName="<subdomain>.<domain>.com" proxyPort="443"/>

Insert your proxyName and proxyPort as shown in the last line below:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   scheme="https" secure="true" proxyName="www.example.com" proxyPort="443"/>

Make sure you've included correct values for protocol and proxyName

Step 3: Configure NGINX

You will need to specify a listening server in NGINX, as in the example below. Add the following to your NGINX configuration.  

Replace your server name and the location of your SSL certificate and key. 

In this example, users will connect to Synchrony, which is required for collaborative editing, directly.

server {
    listen www.example.com:80;
    server_name www.example.com;
 
    listen 443 default ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;
 
    ssl_session_timeout  5m;
 
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-
AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-
ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-
RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-
SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-
SHA:!DSS';
    ssl_prefer_server_ciphers   on;

    location /confluence {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090/confluence;
    }
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

See https://nginx.org/en/docs/http/ngx_http_proxy_module.html for more information.

Note: do not include ssl on; if you are configuring SSL and Confluence on the same server, as in this example.

If you're not sure what to include for ssl_ciphershttps://mozilla.github.io/server-side-tls/ssl-config-generator/ is a useful resource.

If you experience 413 Request Entity Too Large errors, make sure that the client_max_body_size in the /confluence location block matches Confluence's maximum attachment size. You may also need to increase the client_max_body_size in the /synchrony location block if you experience errors when editing large pages. 

If you plan to use the Confluence mobile app...

If you plan to allow users to use the Confluence mobile app with your site, and you have configured a context path, as in the example above, you may also need to add the following line to your nginx configuration.

location /server-info.action { 
     proxy_pass   http://localhost:8090/confluence/server-info.action;
}
If you're accessing Confluence via a sub-domain...

If you're accessing Confluence via a sub-domain, your config will look like this:

server {
    listen confluence.example.com:80;
    server_name confluence.example.com;
 
    listen 443 default ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;
 
    ssl_session_timeout  5m;
 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-
AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-
ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-
RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-
SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-
SHA:!DSS';
    ssl_prefer_server_ciphers   on;

    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090;
    }
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}


Step 4: Restart Confluence and NGINX

  1. Restart Confluence and NGINX for all the changes to take affect.  
  2. Update Confluence's base URL to include the context path you set earlier - see Configuring the Server Base URL
Last modified on Oct 2, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.