Running Confluence behind NGINX with SSL

This page describes how to set up NGINX as a reverse proxy for Confluence. 

The configuration described on this page results in a scenario where:

  • External client connections with NGINX are secured using SSL. Connections between NGINX and Confluence Server are unsecured.
  • Confluence Server and NGINX run on the same machine.

We assume that you already have a running instance of NGINX. If not, refer to the NGINX documentation for instructions on downloading and installing NGINX. SSL certificates must be installed on the server machine. You'll need an NGINX version that supports WebSockets (1.3 or later).

Note that Atlassian Support does not cover NGINX integration. Assistance with NGINX may be obtained through the Atlassian community at answers.atlassian.com or from an Atlassian Expert.

Step 1: Set the context path

Set your Confluence application path (the part after hostname and port) in Tomcat.  Edit <installation-directory>/conf/server.xml, locate the "Context" definition:

<Context path="" docBase="../confluence" debug="0" reloadable="false">

and change it to:

<Context path="/confluence" docBase="../confluence" debug="0" reloadable="false">

Restart Confluence, and check you can access it at http://example:8090/confluence

Step 2: Configure the Tomcat connector

Next, in the same <installation-directory>/conf/server.xml file, locate this code segment:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol"/>

And add the last line as follows:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" 
                proxyName="www.example.com" proxyPort="443" scheme="https" secure="true"/>

Make sure you've included correct values for protocol and proxyName.

Step 3: Configure NGINX

You will need to specify a listening server in NGINX, as in the example below. Add the following to your NGINX configuration.  

Replace your server name and the location of your SSL certificate and key. 

server {
    listen www.example.com:80;
    server_name www.example.com;
 
    listen 443 default ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;
 
    ssl_session_timeout  5m;
 
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers   on;

    location /confluence {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090/confluence;
    }
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

See http://nginx.org/en/docs/http/ngx_http_proxy_module.html for more information.

Note: do not include ssl on; if you are configuring SSL and Confluence on the same server as in this example.

If you're not sure what to include for ssl_ciphers, https://mozilla.github.io/server-side-tls/ssl-config-generator/ is a useful resource.
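
Before settling on ssl_protocols and ssl_ciphers, it helps to see which entries a value like the one above still admits. The following is an added example, not part of the original page or any Atlassian tooling: it parses the two directives and lists deprecated protocol versions, 3DES suites and suites without forward secrecy. The helper names and the shortened sample cipher list are assumptions made for illustration, and it only understands explicit OpenSSL suite names, not keywords such as HIGH.

```python
import re

# Constructed excerpt of the directives in the server block above
# (cipher list shortened to a representative subset).
NGINX_TLS = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS';
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # OpenSSL names using ephemeral key exchange


def directive(conf, name):
    """Return the argument of the first `name ...;` directive, quotes stripped."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).strip().strip("'\"") if m else ""


def audit_tls(conf):
    """Classify the ssl_protocols and ssl_ciphers entries of an NGINX config."""
    protocols = directive(conf, "ssl_protocols").split()
    # Skip exclusion/ordering operators such as !DSS; keep explicit suite names.
    ciphers = [c for c in directive(conf, "ssl_ciphers").split(":")
               if c and c[0] not in "!-+"]
    return {
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        "triple_des": [c for c in ciphers if "DES-CBC3" in c],
        # Static-RSA key exchange: a later key compromise exposes recorded traffic.
        "no_forward_secrecy": [c for c in ciphers if not c.startswith(FS_PREFIXES)],
    }


if __name__ == "__main__":
    for category, items in audit_tls(NGINX_TLS).items():
        print(f"{category}: {', '.join(items) or 'none'}")
```

A value such as ssl_protocols TLSv1.2 TLSv1.3; combined with only ECDHE AEAD suites leaves all three lists empty, provided the NGINX and OpenSSL builds in use support TLS 1.3.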

If you plan to use a reverse proxy and Confluence's internal Synchrony proxy together

If you choose to use a reverse proxy and Confluence's internal Synchrony proxy together (for example, you do not want to open port 8091 for Synchrony) you will need to substitute the Synchrony location in the example above with the following. 

    location /synchrony-proxy {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090/synchrony-proxy;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

You will also need to manually enable Confluence's internal Synchrony proxy

To do this, set the synchrony.proxy.enabled system property to true. See Configuring System Properties for more information on how to set this system property. 

You can see a diagram explaining this approach on Administering Collaborative Editing.

Step 4: Restart Confluence and NGINX

  1. Restart Confluence and NGINX for all the changes to take effect.
  2. Update Confluence's base URL to include the context path you set earlier - see Configuring the Server Base URL.
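
Steps 1 to 3 only work together when the Tomcat connector, the context path and the NGINX server block agree with each other. The following is an added example, not part of the original page or any Atlassian tooling: it cross-checks a server.xml against an NGINX config and reports mismatches. The function name and the embedded sample inputs are assumptions made for illustration, and the last check (binding the connector to loopback with Tomcat's address attribute) goes beyond what the page configures.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the values used on this page.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
<Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"
           proxyName="www.example.com" proxyPort="443" scheme="https" secure="true"/>
<Engine name="Standalone"><Host name="localhost">
<Context path="/confluence" docBase="../confluence" debug="0" reloadable="false"/>
</Host></Engine></Service></Server>"""
NGINX_CONF = """server {
    listen www.example.com:80;
    server_name www.example.com;
    listen 443 default ssl;
    location /confluence { proxy_pass http://localhost:8090/confluence; }
}"""
LOOPBACK = {"localhost", "127.0.0.1"}
LOC_RE = r"location\s+(\S+)\s*\{[^}]*?proxy_pass\s+http://([^:/\s;]+):(\d+)([^;\s]*);"

def audit(server_xml, nginx_conf):
    """Return mismatches between the Tomcat connector and the NGINX server block."""
    root = ET.fromstring(server_xml)
    conn = root.find(".//Connector").attrib
    ctx = root.find(".//Context").attrib.get("path", "")
    name = re.search(r"server_name\s+([^;\s]+)", nginx_conf).group(1)
    tls_port = re.search(r"listen\s+(?:\S+:)?(\d+)[^;]*\bssl\b", nginx_conf).group(1)
    out = []
    # Tomcat builds absolute URLs and redirects from these connector attributes.
    if conn.get("proxyName") != name:
        out.append(f"proxyName {conn.get('proxyName')!r} != server_name {name!r}")
    if conn.get("proxyPort") != tls_port:
        out.append(f"proxyPort {conn.get('proxyPort')!r} != TLS listen port {tls_port!r}")
    if (conn.get("scheme"), conn.get("secure")) != ("https", "true"):
        out.append('connector needs scheme="https" secure="true"')
    # Only locations that forward to this connector's port are relevant here.
    hits = [m for m in re.findall(LOC_RE, nginx_conf) if m[2] == conn.get("port")]
    for prefix, host, _port, path in hits:
        if prefix != path:  # differing paths make NGINX rewrite the URI prefix
            out.append(f"location {prefix!r} proxies to different path {path!r}")
        if host not in LOOPBACK:  # this hop is plain HTTP
            out.append(f"plain-HTTP upstream {host!r} is not loopback")
    if ctx not in [h[0] for h in hits]:
        out.append(f"no location for context path {ctx!r} reaches the connector")
    # Beyond the page: Tomcat listens on all interfaces unless address= is set.
    if conn.get("address") not in LOOPBACK:
        out.append("connector not bound to loopback; plain HTTP port bypasses NGINX")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SERVER_XML, NGINX_CONF)) or "consistent")
```

With the page's values the only finding is the loopback binding: port 8090 still answers plain HTTP on every interface unless the connector sets address="127.0.0.1" or a host firewall blocks the port.
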
Last modified on Jun 5, 2018
