Using Apache to limit access to the Confluence administration interface

As well as limiting access to the Confluence administration console to users who really need it, and using strong passwords, you can consider limiting access to certain machines on the network or internet. If you are using Apache web server, this can be done with Apache's Location functionality. 

To limit access to admin screens to specific IP addresses in Apache:

  1. Create a file that defines permission settings. This file can be in the Apache configuration directory or in a system-wide directory. For this example we'll call it "sysadmin_ips_only.conf". The file should contain the following.

    Order Deny,Allow
    Deny from All
    
    # Mark the Sysadmin's workstation
    Allow from 192.168.12.42
  2. In your Apache Virtual Host, add the following lines to restrict the administration actions to the Systems Administrator. 

    Define segmentregex (?:;[^/]*)?(?:/)?(?:(?:;[^/]*)?(?:/)?)*
    <LocationMatch (?i)/confluence${segmentregex}/admin>
      Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/consumers${segmentregex}/list>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/view-consumer-info>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/service-providers${segmentregex}/list>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/service-providers${segmentregex}/add>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/consumers${segmentregex}/add>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/consumers${segmentregex}/add-manually>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/oauth${segmentregex}/update-consumer-info>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/pages${segmentregex}/templates${segmentregex}/listpagetemplates.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/pages${segmentregex}/templates${segmentregex}/createpagetemplate.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/spacepermissions.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/pages${segmentregex}/listpermissionpages.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/removespace.action>
            Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/importmbox.action>
            Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/viewmailaccounts.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/addmailaccount.action?>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/importpages.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/flyingpdf${segmentregex}/flyingpdf.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/exportspacehtml.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/spaces${segmentregex}/exportspacexml.action>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/embedded-crowd>
       Include sysadmin_ips_only.conf
    </LocationMatch>
    <LocationMatch (?i)/confluence${segmentregex}/plugins${segmentregex}/servlet${segmentregex}/upm>
       Include sysadmin_ips_only.conf
    </LocationMatch>

    This configuration assumes you're running Confluence with the context path '/confluence'. If you are running with a different context path, or no context path, adjust the sample above accordingly.


Last modified on Jan 7, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.