Documentation for Confluence 5.8 (Server).
Documentation for Confluence Cloud and earlier versions of Confluence is available too.

Skip to end of metadata
Go to start of metadata

Limiting administration to specific IP addresses

The Confluence administration interface is a critical part of the application; anyone with access to it can potentially compromise not only the Confluence instance but the entire machine. As well as limiting access to users who really need it, and using strong passwords, you should consider limiting access to it to certain machines on the network or internet. If you are using an Apache web server, this can be done with Apache's Location functionality as follows:


(warning) The information on this page does not apply to Confluence Cloud.

1. Create a file that defines permission settings

This file can be in the Apache configuration directory or in a system-wide directory. For this example we'll call it "sysadmin_ips_only.conf". The file should contain the following:

2. Add the file to your Virtual Host

In your Apache Virtual Host, add the following lines to restrict the administration actions to the Systems Administrator:

This configuration assumes you've installed Confluence under '/confluence'. If you have installed under '/' or elsewhere, adjust the paths accordingly.


  1. We've had a request to lock down a space for access only on our internal network (the wiki is available to the public only if you have a login, but there are some concerns that this isn't enough). Do you think that a similar approach could work?

    1. Hi there Sam,

      Unfortunately I can't help you with this particular request.

      For more information, you can post a question on Atlassian Answers or create a feature request on our issue tracker for the Confluence developers.

      Alternatively, you could always open a support request at, where our support engineers will be able to get back to you quickly.

      I hope this helps.

      Best Regards,

      Edwin Dawson
      Technical Writing Team Leader

  2. Anonymous

    I think it will, if you add to your config something like:

    <Location /confluence/spaces/viewmailaccounts.action>
      Include sysadmin_ips_only.conf
    1. Anonymous

      My mistake, not <Location /confluence/spaces/viewmailaccounts.action> but <Location /confluence/>

      1. Anonymous

        We just want to do one space though. Because there are various ways to get to page content (including webservices), I ended up concluding that the only way to do it at the Apache level would be to hack together something using mod_security for vetting any references to space keys or page id's in all the various URLs that bring back page content. The mechanism used by mod_security to do the vetting would have to tap into Confluence either via webservice (safest but probably requires multiple requests, so way too slow) or directly via the database. Huge margin for error -> too hard basket.

  3. Can I use

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="ip_host_regexp"/>

    in server.xml of Tomcat to allow only trusted networks to see my wiki? I think it can be useful for corp. networks only access.

    1. I tried this and it works with the default Confluence Tomcat, it's not a regex though it seems. I had to put something like "nnn.nnn.*.*" as the ip address filter (which contradicts the documentation I found for RemoteAddrValve, so maybe the documentation is for a newer version of Tomcat).

      Just put this within either the Engine, Host, or Context elements of server.xml. That's a nice solution that can add an extra layer of security and save the need to run up Apache just to lock down the entire wiki, but you'll have to remember to carry this across to future upgrades of Confluence.