How to allow or deny certain hosts to have access to Confluence

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Purpose

The content on this page relates to platforms that are not supported for Confluence. Consequently, Atlassian can not guarantee providing any support for the steps described on this page. Please be aware that this material is provided for your information only, and that you use it at your own risk.

You can allow and/or deny certain hosts to access Confluence via the following catalina classes:

  • org.apache.catalina.valves.RemoteAddrValve
  • org.apache.catalina.valves.RemoteCIDRValve

Solution 1: Remote Address Valve

The remote address valve supports the following attributes:

AttributeDescription
classNameJava class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteAddrValve.
allowA regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote address matches a deny pattern.
deny

A regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the allow attribute.

Example:

Add the following in Confluence server.xmlfile:

        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname=""/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
					<!-- To allow access only for the clients connecting from localhost -->
					<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                         reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>
            </Host>
        </Engine>

Solution 2: Remote CIDR Valve

The remote CIDR valve allows you to use the IP address of the client. It supports the following configuration attributes:

AttributeDescription
classNameJava class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteCIDRValve.
allowA comma-separated list of IPv4 or IPv6 netmasks or addresses that the remote client's IP address is matched against. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote IP is matched by a netmask in the deny attribute.
denyA comma-separated list of IPv4 or IPv6 netmasks or addresses that the remote client's IP address is matched against. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the accept attribute.

Example:

Add the following in Confluence server.xmlfile:

        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname=""/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
					<!-- To allow access only for the clients connecting from localhost -->
					<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
      allow="127.0.0.1, ::1"/>
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                         reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>
            </Host>
        </Engine>


For more information, please visit the Apache Tomcat Documentation.


DescriptionThis is tomcat level solution, so may apply to all Atlassian products.
ProductConfluence
Last modified on Dec 24, 2018

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.