Searching in Confluence with version 6.14 and higher fails silently on specific browsers
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
Confluence 6.14 and higher versions were shipped with a new, expanded search panel.
However, attempting to search in Firefox and Internet Explorer does not seem to work.
Hovering the search bar will give (g, gor /), and entering text will trigger the infinite spinning wheels
The following appears in the atlassian-confluence.log
2019-02-18 17:09:22,192 WARN [http-nio-26141-exec-7] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: http://localhost:8090/rest/analytics/1.0/publish/bulk , origin: null , referrer: http://mycompany/ , credentials in request: true , allowed via CORS: false
-- referer: http://mycompany/ | url: /c6141/rest/analytics/1.0/publish/bulk | traceId: 2ddf5db016174aa4 | userName: admin
Diagnosis
The error message shows XSRF (Cross-Site Request Forgery) warnings. This is logged when the request's origin does not match its target. More information about this here: Cross-Site Request Forgery (CSRF) protection changes in Atlassian REST
Confluence may be running behind a proxy, or SSL, or even port forwarding.
Cause
When running Confluence behind a reverse proxy, Tomcat must be made aware of the reverse proxy - this ensures that responses from Tomcat have the correct hostname information. During the upgrade of Confluence, the HTTP ports used in server.xml
are migrated, but nothing else is - so the reverse proxy information will have been lost.
From the Upgrading Confluence notes:
During the upgrade the wizard will migrate following from your existing Confluence installation:
- TCP port values in your server.xml file.
- Custom values in your confluence-init.properties (confluence.home property) and setenv.sh / setenv.bat files (CATALINA_OPTS or JAVA_OPTS parameters)
Other configurations or customisations (including any other modifications in the server.xml file) are not migrated during the upgrade and need to be reapplied manually. See below for more information.
As a part of the upgrade process, you should ensure that all changes from the defaults are re-applied to the instance for correct operation.
Resolution
Ensure that Confluence has been configured to be aware of the reverse proxy. At a minimum, the proxyName
and proxyPort
parameters are required. If using HTTPS, the scheme="https"
parameter should be included as well. These parameters will need to be added to the HTTP connector that is serving requests.
Example:
This is the default HTTP connector in Confluence 5.8:
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol" />
If you were configuring this proxy to be used at https://mycompany.com/ you would configure it like this:
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
proxyName="mycompany.com" proxyPort="443" scheme="https" />
Other issues that's caused by XSRF Check Failed: