Using Apache to limit access to the Confluence administration interface

Limiting administration to specific IP addresses

The Confluence administration interface is a critical part of the application; anyone with access to it can potentially compromise not only the Confluence instance but the entire machine. As well as limiting access to users who really need it, and using strong passwords, you should consider limiting access to it to certain machines on the network or internet. If you are using an Apache web server, this can be done with Apache's Location functionality as follows:

1. Create a file that defines permission settings

This file can be in the Apache configuration directory or in a system-wide directory. For this example we'll call it "sysadmin_ips_only.conf". The file should contain the following:

2. Add the file to your Virtual Host

In your Apache Virtual Host, add the following lines to restrict the administration actions to the Systems Administrator:

This configuration assumes you've installed Confluence under '/confluence'. If you have installed under '/' or elsewhere, adjust the paths accordingly.
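A sketch of the two pieces described in steps 1 and 2, added here as an example and not Atlassian's original configuration. The address `192.0.2.10` is a constructed placeholder for the administrator's workstation, and `/confluence/admin` is an assumed path for the administration console; replace both with the values for your own instance.

```apache
# --- File 1: sysadmin_ips_only.conf (file name from step 1) ---
# Apache 2.4 syntax (mod_authz_core / mod_authz_host):
# only requests from the listed address are authorized, all others get 403.
# 192.0.2.10 is a constructed placeholder, not a real workstation address.
Require ip 192.0.2.10

# Apache 2.2 equivalent (use these three lines instead of "Require ip"):
#   Order Deny,Allow
#   Deny from all
#   Allow from 192.0.2.10

# --- File 2: inside the <VirtualHost> that serves Confluence (step 2) ---
# A relative Include path is resolved against ServerRoot; use an absolute
# path if the file lives in a system-wide directory.
# /confluence/admin is an assumed location for the admin console.
<Location /confluence/admin>
    Include sysadmin_ips_only.conf
</Location>
```

Run `apachectl configtest` before reloading, then confirm that a request to the protected path from a non-listed address returns 403.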

7 Archived comments

  1. Sam Hall

    We've had a request to lock down a space for access only on our internal network (the wiki is available to the public only if you have a login, but there are some concerns that this isn't enough). Do you think that a similar approach could work?

    01 Jun 2011
    1. Edwin Dawson [Atlassian Technical Writer]

      Hi there Sam,

      Unfortunately I can't help you with this particular request.

      For more information, you can post a question on Atlassian Answers or create a feature request on our issue tracker for the Confluence developers.

      Alternatively, you could always open a support request at, where our support engineers will be able to get back to you quickly.

      I hope this helps.

      Best Regards,

      Edwin Dawson
      Technical Writing Team Leader

      07 Jun 2011
  2. I think it will, if you add to your config something like:

    <Location /confluence/spaces/viewmailaccounts.action>
      Include sysadmin_ips_only.conf
    </Location>

    18 Oct 2011
    1. My mistake, not <Location /confluence/spaces/viewmailaccounts.action> but <Location /confluence/>

      18 Oct 2011
      1. We just want to do one space though. Because there are various ways to get to page content (including webservices), I ended up concluding that the only way to do it at the Apache level would be to hack together something using mod_security for vetting any references to space keys or page IDs in all the various URLs that bring back page content. The mechanism used by mod_security to do the vetting would have to tap into Confluence either via webservice (safest but probably requires multiple requests, so way too slow) or directly via the database. Huge margin for error -> too hard basket.

        19 Oct 2011
  3. Aleksey Grigoriev

    Can I use

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="ip_host_regexp"/>

    in server.xml of Tomcat to allow only trusted networks to see my wiki? I think it can be useful for corporate-network-only access.

    31 Oct 2011
    1. Sam Hall

      I tried this and it works with the default Confluence Tomcat, it's not a regex though it seems. I had to put something like "nnn.nnn.*.*" as the ip address filter (which contradicts the documentation I found for RemoteAddrValve, so maybe the documentation is for a newer version of Tomcat).

      Just put this within either the Engine, Host, or Context elements of server.xml. That's a nice solution that can add an extra layer of security and save the need to run up Apache just to lock down the entire wiki, but you'll have to remember to carry this across to future upgrades of Confluence.

      08 Nov 2011