Using Apache with mod_proxy

This page describes how to integrate Confluence into an Apache website using mod_proxy.

There are some common situations where you might use the configuration:

Note: This page documents a configuration of Apache, rather than of Confluence itself. Atlassian will support Confluence with this configuration, but we cannot guarantee to help you debug problems with Apache. Please be aware that this material is provided for your information only, and that you use it at your own risk.

Base configuration

In these examples, we use the following:

http://www.example.com/confluence - your intended URL

http://example:8090 - the hostname and port Confluence is currently installed to

/confluence - the intended context path (the part after hostname and port)

Replace the example values below with your own URLs. Copying and pasting these examples unchanged will not work on your server.

Set the context path

Set your Confluence application path (the part after hostname and port). To do this in Tomcat (bundled with Confluence), edit conf/server.xml, locate the "Context" definition:

and change it to:

Then restart Confluence, and ensure you can access it at http://example:8090/confluence

Set the URL for redirection

Set the URL for redirection. In the same conf/server.xml file, locate this code segment:

And append the last line:

If this isn't working for you and you're using SSL, try adding a scheme attribute to your Connector tag: scheme="https".

Now we have two options:

Simple Configuration

Configure mod_proxy

Now enable mod_proxy in Apache, and proxy requests to the application server by adding the example below to your Apache httpd.conf (note: the files may be different on your system; the JIRA docs describe the process for Ubuntu/Debian layout):

  Note to Windows Users

It is recommended that you specify the absolute path to the mod_proxy.so and mod_proxy_http.so files.
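
The simple configuration described above, as an added example for Apache 2.4 (it is not Atlassian's original listing). It uses this page's placeholder URLs; the module paths and the ServerName are assumptions for a typical layout.

```apache
# Added example, not from the original page. Module paths are assumed.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    # Assumed public host name, taken from the page's intended URL.
    ServerName www.example.com

    # Reverse proxy only. Leaving forward proxying off keeps this server
    # from relaying arbitrary requests for third parties.
    ProxyRequests Off

    # Hand the browser's Host header to Tomcat unchanged.
    ProxyPreserveHost On

    # Access control for proxied requests.
    <Proxy *>
        # Apache 2.4 syntax:
        Require all granted
        # Apache 2.2 equivalent (replace the line above with these two):
        #   Order deny,allow
        #   Allow from all
    </Proxy>

    # The path is identical on both sides, so no content rewriting is needed.
    ProxyPass        /confluence http://example:8090/confluence
    ProxyPassReverse /confluence http://example:8090/confluence
</VirtualHost>
```

`apachectl configtest` (or `httpd -t`) checks the syntax before you restart.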

Complex configuration

Complex configuration involves using the mod_proxy_html filter to modify the proxied content en route. This is required if the Confluence path differs between Apache and the application server. For example:

Externally accessible (Apache) URL

http://confluence.example.com/

Application server URL

http://app-server.internal.example.com:8090/confluence/

Notice that the application path in the URL is different in each. On Apache, the path is /, and on the application server the path is /confluence.

For this configuration, you need to install the mod_proxy_html module, which is not included in the standard Apache distribution.

Alternative solutions are discussed below.


The ProxyHTMLURLMap configuration can become more complex if you have multiple applications running under this configuration. The mapping should also be placed in a Location block if the web server URL is a subdirectory and not on a virtual host. The Apache Week tutorial has more information on how to do this.
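
An added example of the complex configuration for the two URLs shown above, written for Apache 2.4 (it is not the page's original listing). Module paths are assumptions, and the ProxyHTMLLinks definitions that ship with mod_proxy_html are assumed to be loaded already.

```apache
# Added example, not from the original page. Module paths are assumed.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule xml2enc_module    modules/mod_xml2enc.so
LoadModule proxy_html_module modules/mod_proxy_html.so

<VirtualHost *:80>
    ServerName confluence.example.com

    ProxyRequests Off

    # External path "/" maps to "/confluence/" on the application server.
    ProxyPass        / http://app-server.internal.example.com:8090/confluence/
    ProxyPassReverse / http://app-server.internal.example.com:8090/confluence/

    # If the Tomcat Connector sets proxyName/proxyPort, redirects already carry
    # the public host name but still the /confluence path, so map those too.
    ProxyPassReverse / http://confluence.example.com/confluence/

    # Session cookies are issued for /confluence; rewrite their Path so the
    # browser sends them back for "/".
    ProxyPassReverseCookiePath /confluence /

    # The filter cannot rewrite compressed bodies, so ask the backend for
    # uncompressed responses.
    RequestHeader unset Accept-Encoding

    # Rewrite links in proxied HTML.
    ProxyHTMLEnable On
    # With mod_proxy_html 3.0 on Apache 2.2, use this instead of ProxyHTMLEnable:
    #   SetOutputFilter proxy-html
    ProxyHTMLURLMap http://app-server.internal.example.com:8090/confluence/ /
    ProxyHTMLURLMap /confluence/ /
</VirtualHost>
```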

Final Configuration Steps

Restart your Apache server

This is needed to pick up on the new configuration. This can be done by running the following on your command line/terminal/shell:

Disable HTTP Compression

Having compression run on both the proxy and Tomcat can cause problems integrating with other Atlassian applications, such as JIRA. Please disable HTTP compression as per our Compressing an HTTP Response within Confluence docs.

Set the Confluence Base URL

The last stage is to set the Base URL to the address you're using within the proxy. In this example, it would be http://www.example.com/confluence

Adding SSL

If you're running Apache in front of Tomcat, it's a good idea to terminate SSL at Apache, then forward the requests to Tomcat over HTTP. You can set up Apache to terminate the SSL connection and use the ProxyPass and ProxyPassReverse directives to pass the connection through to Tomcat (or the appropriate application server) which is running Confluence.

  1. Create a new SSL host by creating a virtual host on port 443.
  2. The standard HTTP connection on Apache can be used to redirect to HTTPS if you want, or it can just be firewalled.
  3. Within the VirtualHost definition:
    1. define the SSL options (SSLEngine and SSLCertificateFile)
    2. define the ProxyPass and ProxyPassReverse directives to pass through to Tomcat.

Most of the relevant Apache Config:
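
The steps above as an added example (not the page's original listing). Certificate paths are placeholders, mod_ssl and a `Listen 443` line are assumed to be present, and the URLs are this page's examples.

```apache
# Added example, not from the original page.
# Assumes mod_ssl, mod_proxy and mod_proxy_http are loaded and "Listen 443" is set.

# Step 2: plain HTTP only redirects to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Steps 1 and 3: TLS ends here; Tomcat is reached over HTTP.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Placeholder paths: use your own certificate and key.
    SSLCertificateFile    /path/to/www.example.com.crt
    SSLCertificateKeyFile /path/to/www.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On

    # This hop is unencrypted, so keep it on the same host or a trusted
    # network segment and do not expose port 8090 to clients.
    ProxyPass        /confluence http://example:8090/confluence
    ProxyPassReverse /confluence http://example:8090/confluence
</VirtualHost>
```

Tomcat still sees plain HTTP on this hop, which is why the Connector needs the scheme="https" attribute mentioned earlier on this page.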

Apart from the Apache configuration there are a couple of things you will need to do before you get your server working:

  1. You will have to change your base URL to point to https addresses. See the documentation on configuring the server base URL.
  2. We need to set up the connector to use https. In your installation directory, edit the file server.xml and add these attributes to your connector:

More information

Alternatives

If Tomcat is your application server, you have two options:

  • use mod_jk to send the requests to Tomcat
  • use Tomcat's virtual hosts to make your Confluence application directory the same on the app server and the web server, removing the need for the URL mapping.

If your application server has an AJP connector, you can:

  • use mod_jk to send the requests to your application server.


65 Archived comments

  1. Thomas Peter Berntsen

    Hi Matt,

    Thanks for some really informative articles on setting up Tomcat and HTTPD with mod_proxy and mod_proxy_html.

    We've experienced some problems with the stability of this combo, though, which results in the proxying not working some time after a HTTPD start or restart.

    After doing a bit of investigation, we found this section in the Apache HTTPD Documentation (version 2.2 in our case), which has helped us avoid more proxy errors (http://httpd.apache.org/docs/2.2/mod/mod_proxy.html):

    For circumstances where mod_proxy is sending requests to an origin server that doesn't properly implement keepalives or HTTP/1.1, there are two environment variables that can force the request to use HTTP/1.0 with no keepalive. These are set via the SetEnv directive.

    These are the force-proxy-request-1.0 and proxy-nokeepalive notes.

    <Location /buggyappserver/>
    ProxyPass http://buggyappserver:7001/foo/
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    </Location> 
    

    We have simply added SetEnv force-proxy-request-1.0 1 and SetEnv proxy-nokeepalive 1 to the <VirtualHost> directive in httpd.conf (or included configuration file) under which proxying should be performed and gone are any signs of mysterious proxy errors (smile)

    Cheers,
    Thomas

    10 Oct 2006
    1. Ivan Benko

      Thanks Thomas for your effort and the information provided.
      Ivan

      10 Oct 2006
  2. Anonymous

    Hi,

    I would like to change the URL path (http://localhost:8080/confluence to http://localhost/wiki) but I never manage to do that. I'm absolutely crazy, could you check where I am making a mistake?

    PS: There isn't any Apache Tomcat installation. The system works properly with the http://localhost/confluence URL.

    Apache 2.2.6 X86
    confluence-std-2.6.0
    Win Environment CATALINA_HOME = D:\confluence\confluence-std-2.6.0
     

    Thanks,

    Oguz Celikdemir

    CONFIG INFOS:

    Apache httpd.conf 

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so 

     # Confluence configuration
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass /confluence http://localhost:8080/wiki
    ProxyPassReverse /confluence http://localhost:8080/wiki
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1

    <Location /confluence>
        Order allow,deny
        Allow from all
    </Location>

    Confluence confluence-init.properties

     confluence.home=d:/confluence/data

    Confluence server.xml

            <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080" minProcessors="5" maxHttpHeaderSize="8192"
                       maxProcessors="75" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" disableUploadTimeout="true"
                       enableLookups="false" redirectPort="8444" acceptCount="10" debug="0" connectionTimeout="20000"
                       useURIValidationHack="false" URIEncoding="UTF-8"
                       proxyName="localhost" proxyPort="80"/>

            <Context path="/wiki" docBase="../confluence" debug="0" reloadable="false"> 

    03 Oct 2007
  3. Luis Arias

    I had to use the following setup with confluence 2.6 and Apache 2.2 because style sheets were  being prefixed with /confluence and didn't show up:

     NameVirtualHost *
    <VirtualHost *>
            ServerName wiki.example.com

            <IfModule proxy_module>  
              <Proxy *>
                Order deny,allow
                Allow from *
              </Proxy>

              <IfModule proxy_ajp_module>
                ProxyPass /confluence/ ajp://localhost:8009/confluence/
                ProxyPassReverse /confluence/ ajp://localhost:8009/confluence/
                ProxyPass / ajp://localhost:8009/confluence/
                ProxyPassReverse / ajp://localhost:8009/confluence/
              </IfModule>

              <Location />
                 Order allow,deny
                 Allow from all
              </Location>
            </IfModule>
    </VirtualHost>

    24 Oct 2007
  4. Anonymous

    Hi Guys,

    I have a client using Apache 1.3.xx and am wondering if you have any documentation on this or could help me with proxying Confluence through Apache 1.3?

    Any help or pointers would be greatly appreciated. 

    Regards,

    Roger 

    26 Nov 2007
    1. Tony Cheah Tong Nyee

      Hi Roger,

      Unfortunately, I am not aware of any documentation specific to Apache 1.3 being available here. Perhaps you may want to try referring to the Apache documentation as a reference:

      Another option would be to try opening a discussion on Atlassian Answers, as there might be users/developers with experience in a similar environment who might share their ideas with you.

      Cheers,
      Tony

      29 Nov 2007
      1. Anonymous

        Hi Tony,

        I've upgraded to Apache version 2, and used Luis Arias's virtual host config (slightly changed) as this was the only way I could get the CSS to come through correctly.

        I now have the problem where I enter valid login details, then click login, but it returns me to the login screen, all at http://confluence.example.com

        When I try the same test at http://confluence.example.com:8080/confluence I can login using the same details as I used above, and it takes me to the dashboard.

        Has anyone else come across this? 

        Roger 

        30 Nov 2007
        1. Tony Cheah Tong Nyee

          Hi Roger,

          Feel free to raise a support request regarding this issue if you still require any assistance from us. From there, we are able to troubleshoot and look into this issue further.

          Cheers,
          Tony

          14 Mar 2008
  5. Anonymous

    After hours of fiddling around I finally got it working. I wrote it down in my own Confluence instance, so I just copied it here. I hope this helps someone in the future.

    Greetz Erik

    Description

    On your J2EE server (I only used Glassfish) you have an application deployed, for instance 'confluence-2.7'. The default way of accessing this web application is by going to the URL 'http://localhost:8080/confluence-2.7'. I however wanted to just have the URL 'http://confluence' for easy development access. In the future I want to be able to connect domains to it.

    If you are impatient and do not want to do things step by step you can find a Summary at the bottom of this page.

    Getting the correct modules for apache

    We need to do the following things:

    • Map 'http://confluence' to 'http://localhost:8080/confluence-2.7'
    • Make sure that all links coming from 'http://localhost:8080/confluence-2.7' do not point to '/confluence-2.7/*'
    • Make sure the path in the cookies is corrected

    Proxying requests

    You will need to enable the following lines in your httpd.conf:

    To make sure proxying is enabled add the following lines to your httpd.conf (I added them at the top of httpd-vhosts.conf):

    The virtual host itself looks like this:

    Add the following lines:

    Correcting the HTML

    In order to correct the html we need a module called mod_proxy_html. You can not download a compiled version for free from the original site so I included a windows version here: http://www.apachelounge.com/download/mods/mod_proxy_html-3.0.0-w32.zip.

    Extract the mod_proxy_html directory to the modules directory of apache. Also copy the proxy_html.conf file to that directory.

    Make sure the following line is enabled:

    At the bottom of the modules list in your httpd.conf add the following lines:

    In the virtual host we add the following lines:

    Fixing cookies

    In order to fix the cookies you need to add the following line to your VirtualHost:

    Summary

    Make sure you have mod_proxy_html

    These are the lines we added to our httpd.conf:

    This is our VirtualHost:

    14 Jan 2008
  6. Ludovic Lambert

    Miss

    09 Feb 2008
  7. Anonymous

    Configuration with SSL appears here: http://confluence.atlassian.com/display/DOC/Adding+SSL+for+Secure+Logins+and+Page+Security?focusedCommentId=18579545#comment-18579545

    You may have to turn ProxyPreserveHost to OFF to get SSL working.

    23 Apr 2008
    1. Anonymous

      Thank You! That fixed it on our end for SSL. coolPoints++

      04 Feb 2011
  8. Anonymous

    With Apache 2.2.3 (Red Hat), I can't get reverse proxy to work... First problem is that the server.xml file in Confluence 2.8.1 doesn't match the documentation found above.  So I may be confused there.

     I am able to get things to work when I point to alpha.uarts.edu:8080, but when i go to server.xml and add the line

     proxyName="alpha.uarts.edu" proxyPort="80"/>

      and then add the following to httpd.conf

    # confluence setup
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass /confluence http://alpha.uarts.edu:8080/confluence
    ProxyPassReverse /confluence http://alpha.uarts.edu:8080/confluence

    <Location /confluence>
        Order allow,deny
        Allow from all
    </Location>
    
    

     I am receiving Apache 503 errors.

    This is a brand new install of RHEL5 that I'm using to host confluence (and other things later on) so I know that nothing else is conflicting.
    It's in fact the production server 'to-be' of Confluence, now that our evaluation is winding down, and I'm following the same methodology I used to get Confluence 2.6 running (with no problems).

    If anyone has installed 2.8.1 and can share with me their connection block from server.xml, I'd appreciate it.

    Thanks

    11 Jun 2008
    1. Anonymous

      Here are the relevant parts of server.xml that I edited.

              <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080" minProcessors="5"
                         maxProcessors="75"
                         enableLookups="false" redirectPort="8444" acceptCount="10" debug="0" connectionTimeout="20000"
                         useURIValidationHack="false" URIEncoding="UTF-8"
                         proxyName="alpha.uarts.edu" proxyPort="80"/>

              <Context path="/confluence" docBase="../confluence" debug="0" reloadable="true">

      
      11 Jun 2008
    1. Duran Goodyear

      I think I can blame SELINUX.

      I set it to disabled, and now have a new problem...

      it took 451 seconds for the standalone tomcat to finish starting, and it gave me this nasty error in catalina.out

      INFO: Server startup in 455491 ms
      Exception in thread "com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#2" java.lang.NullPointerException
              at com.mchange.v2.log.log4j.Log4jMLog$Log4jMLogger.isLoggable(Log4jMLog.java:257)
              at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:551)
      Exception in thread "com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#0" java.lang.NullPointerException
              at com.mchange.v2.log.log4j.Log4jMLog$Log4jMLogger.isLoggable(Log4jMLog.java:257)
              at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:551)
      Exception in thread "com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#2" java.lang.NullPointerException
              at com.mchange.v2.log.log4j.Log4jMLog$Log4jMLogger.isLoggable(Log4jMLog.java:257)
              at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:551)
      Exception in thread "Timer-1" java.lang.NullPointerException
              at com.mchange.v2.log.log4j.Log4jMLog$Log4jMLogger.isLoggable(Log4jMLog.java:257)
              at com.mchange.v2.resourcepool.BasicResourcePool$CheckIdleResourcesTask.run(BasicResourcePool.java:1961)
              at java.util.TimerThread.mainLoop(Timer.java:512)
              at java.util.TimerThread.run(Timer.java:462)
      Exception in thread "Timer-0" java.lang.NullPointerException
              at com.mchange.v2.log.log4j.Log4jMLog$Log4jMLogger.isLoggable(Log4jMLog.java:257)
              at com.mchange.v2.resourcepool.BasicResourcePool$CullTask.run(BasicResourcePool.java:1934)
              at java.util.TimerThread.mainLoop(Timer.java:512)
              at java.util.TimerThread.run(Timer.java:462)
      

      and the browser, when I try to load the page says...

      HTTP Status 404 - /confluence/
      
      type Status report
      
      message /confluence/
      
      description The requested resource (/confluence/) is not available.
      Apache Tomcat/5.5.23

      I'm going to go try and get it working in standalone mode only through port 8080, and work my way back, but this looks like a tomcat configuration issue.

      Any thoughts anyone?

      Thanks

      11 Jun 2008
      1. Duran Goodyear

        Alrighty, this was a SELINUX issue.

        I had to disable it, and it absolutely destroyed whatever other permission structure existed.

        I had to reinstall confluence completely.

        Protip, avoid SELINUX (wink)   (that's just my own fud, ymmv)

        12 Jun 2008
  9. Anonymous

    HELP!!

    I appear to be having similar issues to one of the above posts. I am running confluence 2.9 on Red Hat ES 5.1 with Apache 2.2. I continue to get a 503 error when trying to connect. I was trying the complex config with the URL re-mapping, but I scaled back and decided to do a simple port URL redirection and I am still getting a 503 error. I have scoured this site and tried every variation I can think of. Does any one have any ideas?? I have the following httpd.conf entry:

     ProxyRequests Off
    ProxyPreserveHost On

    <VirtualHost *:80>
        ServerName confluence.domain.com

        # Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        ProxyPass / http://confluence-server.domain.com:8080/
        ProxyPassReverse / http://confluence-server.domain.com:8080/

        <Location />
            Order allow,deny
            Allow from all
        </Location>
    </VirtualHost>

    26 Aug 2008
  10. Anonymous

    Found the solution for 503 errors if anyone is running newer version of SELinux or Red Hat ES. It has to do with network permission for httpd. You will probably see log entries like the following:

     [Thu Jul 09 11:37:13 2008] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:3000 (*) failed

     I found a post online that requires granting the httpd service network rights using the following command:

     /usr/sbin/setsebool httpd_can_network_connect 1

    This solved my problems. Hope this helps others...

    26 Aug 2008
    1. Anonymous

      thank you very much!!! it was very helpful!!

      16 May 2011
  11. Royce Wong

    This documentation does not indicate which version of Apache it is referencing. If you look at the doc. for JIRA/Apache integration, it says:

    ProxyPreserveHost is only available on Apache 2. For Apache 1.1-1.3.x, you should instead specify proxyName and proxyPort attributes in Tomcat...

    Therefore, if you are running Apache 2, you do not need to add proxyName="www.example.com" proxyPort="80" in Tomcat's server.xml.

    I tested mine with Tomcat 5.5.27, Apache 2 on Windows XP and it works. I configured Confluence to use port 8280 & JIRA to use port 8180 running on separate Tomcats (separate JVMs). My httpd.conf looks like this:

    So I can access my Confluence via http://localhost/confluence and JIRA via http://localhost/jira, all on one machine, and I can start/stop Confluence & JIRA independently since they are on separate Tomcats. (smile)

    25 Mar 2009
    1. Anonymous

      Quite right!

      If you set proxyName="www.example.com" proxyPort="80" in Tomcat's server.xml, you will get a 503 error.

      16 Feb 2011
  12. Anonymous

    Hi,

    Problem(Abstract)

    A Proxy Error in Apache HTTP Server causes a 502 error response in the browser.

    Symptom

    The user sees a 502 Proxy Error in the browser that says: The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST. Reason: Error reading from remote server
    Apache Server 2.2 error log displays errors similar to: proxy: Error reading from remote server returned by ...
    Environment: Apache HTTP Server 2.2 is configured as a proxy or reverse proxy in front of some other back-end web server.

    Server version: Apache/2.2.6 (FreeBSD) with mod_proxy and Tomcat 5.5. Both Apache and Tomcat are on the same system.

    I tried with KeepAlive; KeepAliveTimeout <Limit>; however, I am looking for a solution which would not require any timeout <Limit>.

    My httpd.conf looks like this:

    LoadModule proxy_module libexec/apache22/mod_proxy.so
    LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so

    #
    # For mod_proxy.
    #
    ProxyRequests Off
    ProxyPass /rs http://localhost:8080/A/R
    ProxyPassReverse /rs http://localhost:8080/A/R
    # To handle internal requests send by r wizard
    ProxyPass /R http://localhost:8080/A/R
    ProxyPassReverse /R http://localhost:8080/A/R

    My server.xml settings are:

     <Connector port="8080" address="127.0.0.1" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" redirectPort="8443" acceptCount="100"
                   connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"
                       proxyName="localhost" proxyPort="80" emptySessionPath="true"/>

    01 Jun 2009
  13. Anonymous

    Could it be that this is not working anymore since Confluence 3.1+ ?

    I posted a comment here explaining my case, it should have been on this page instead :

    http://confluence.atlassian.com/display/DOC/Adding+SSL+for+Secure+Logins+and+Page+Security?focusedCommentId=213516563#comment-213516563

    08 Feb 2010
  14. Paul Southworth

    I configured Confluence 3.2 behind an F5 LTM load balancer.  I'm doing SSL termination on the F5, while Confluence serves plain HTTP.  The instructions on this page were useful but the instructions in the section titled "Adding SSL" are incomplete.

    In addition to "define the ProxyPass and ProxyPassReverse directives to pass through to Tomcat" you must also set the "scheme" in the Tomcat Connector configuration.

    If your proxy's hostname is wiki.example.com you will need to add the following to the Connector settings in server.xml:

    proxyName="wiki.example.com" proxyPort="443" scheme="https"

    07 Apr 2010
    1. Jeff Lord

      We are deploying JIRA/Confluence behind an F5.

      Setup looks like client https => F5 => apache proxy => tomcat

      I have the apache proxy => tomcat working ok.

      Going through the F5 is causing trouble. Any ideas or help would be greatly appreciated.

      13 Jul 2010
    1. Anonymous

      Thanks — This is what I overlooked (smile)

      26 Sep 2011
  15. Anonymous

    Followed all the instructions and advice above but still have a problem.

    My setup is as follows:

    CLIENT -- INTERNET-HTTPS-FIREWALL-APACHE REVERSE PROXY-HTTP--APPLICATION SERVER

    The APPLICATION SERVERs are: Crowd, Jira and Confluence (Fisheye and Bamboo to be added when this setup is working properly).

    I can log in perfectly, Crowd works like a charm.

    The only issue is that I can't get a gadget from JIRA to work in Confluence and vice versa. As a URL it keeps using https://<external_URL>. Changing it to the internal URL allows me to add the gadget, but that's about it. They simply won't work.

    Any idea which setting needs to be changed in order to get it working properly?

    Thank you in advance,

    Pascal

    09 Jun 2010
    1. Edwin Dawson [Atlassian Technical Writer]

      Hi there,

      For help with integrating Atlassian products behind the firewall, take a look at our comprehensive integration guide. It provides complete instructions for setting up gadgets across the Atlassian suite.

      I hope this helps.

      Best Regards,


      Edwin Dawson
      Technical Writing Team Leader
      edawson@atlassian.com
      ATLASSIAN - http://www.atlassian.com

      10 Jun 2010
      1. Anonymous

        Hi Edwin,

        I followed those instructions, but no result. Tried to set the Trusted Applications again, but requesting the URL threw an error. Tried for days to fix the problem, but ended up submitting a support ticket.

        Will post result here when the issue is fixed, so it might help someone else.

        Best regards,

        Pascal

        14 Jun 2010
        1. iain wright

          Did you ever figure this out? 

          We are experiencing the same issue when attempting to integrate confluence as a trusted application in JIRA 

          23 Mar 2011
  16. Rune Stilling

    I just want to share some experiences with trying to use mod_proxy. Couldn't make the ProxyHTMLURLMap directive work though since my confluence app is running as Tomcat Root. Anyways it worked fine except that links to attachments with URL's containing danish characters (æøå) didn't work but returned a "Page not found" error. So - Something went wrong between Apache and Tomcat. Don't know if this could have been fixed with ProxyHTMLURLMap but I decided to use mod_jk instead and that worked.

    \Rune

    12 Aug 2010
  17. David Leifer

    I have a very basic problem - I have Jira, Confluence, and Crowd installed and all working. I'd like to change the URL so users don't have to enter the port #, however there is no httpd file on my machine. I'm running Windows Server 2008 and installed the standalone versions of each Atlassian program.

    I got Jira working without having to specify the port by editing the server.xml file only but I think I was only able to do that because it's using the default port - 8080, so cannot do it the same way for the others.

    Would really appreciate any help.

    Thanks!

    13 Aug 2010
    1. Azwandi Aris [Atlassian]

      Hello David,

      You will need to install and configure a proxy server, e.g. Apache HTTPd server, to get this set up as intended. It's free and there are a lot of resources on the net you can refer to.

      Also, I believe JIRA is set to use default HTTP port 80, instead of 8080. Using this method is simple, yet limited to one application. If you have a proxy server, set it to use default port 80 and all other apps may use different port numbers such as 8080, 8081 and so on.

      You may wish to refer to our Running Confluence behind Apache pertaining to the configuration. FYI, using mod_proxy is simpler than mod_jk.

      Hope this helps.

      16 Aug 2010
  18. Martin M Reed

    The setup I was trying to go for is to access confluence at the root of the external URL, and keep the Tomcat context at /confluence internally. I have a single instance of Tomcat fronted by Apache. Using the root at the external level was easy if I used the ROOT.xml context under Tomcat... however that was not preferred. The problem I was having when using the /confluence context was that CSS and links were screwed up when the page rendered. I finally got it working using a combination of ProxyPass and a RewriteRule. The ProxyHTMLURLMap was doing nothing for me until I added SetOutputFilter.

    08 Jan 2011
  19. Anonymous

    Just FYI,  I have found a problem with using the simple mod_proxy setup with Confluence 4.0, Fedora 15 and mod_security.  Everything works fine, except saving changes to a page.  Those throw a 403 error.  My only solution so far is to disable mod_security.

    12 Jan 2012
  20. Jason Huntley

    By setting up SSL on the Apache httpd server and proxy the requests over to local non-ssl tomcat, is the connection from the host to the client still encrypted? Does the proxy httpd server secure the connection?

    23 Jan 2012
  21. Dave Niewinski

    I followed this tutorial to the letter since it's exactly the same as my setup.  I have Confluence running on the same server as Apache on port 8090, and I want to proxy through example.com/confluence.  My httpd.conf file is the same (copy and paste).  Everything works great except for thumbnails under the Updates pane on the dashboard.  It says a user posted an image, and when you click on that, the image comes up, but if you expand it to see a thumbnail of the image, the thumbnail image is broken.  If I look at the source for the page, the link is to example.com/confluence/download...., but the src for the thumbnail is example.com/download.  The confluence is missing in the link so the image isn't being displayed.  I've tried changing my Base URL in Confluence to both example.com and example.com/confluence, but neither one seems to fix it.  Is there something else I need to add to my httpd.conf that isn't covered in this guide?

    I'm new to apache configurations so any help would be appreciated.

    16 Mar 2012
  22.

    Anonymous

    FYI: Mod proxy installation through apt-get is broken on Ubuntu 12.04 LTS - apache will not reload. Solution: https://bugs.launchpad.net/ubuntu/+source/mod-proxy-html/+bug/964397 - on the bug description

    08 May 2012
  23.

    Aniket Anerao

    Hi All,

    I am trying to configure Apache as a reverse proxy for an intranet PHP web application which is hosted on another machine.

    Apache machine IP addr : 172.17.12.235
    OS : RHEL 5

    Web application IP addr : 172.17.245.23
    OS : WIN 2003 Server
    path : C:/htdocs/www/cleangrad/html/


    Below is the configuration done in httpd.conf

    DocumentRoot "/var/www/html"


    <VirtualHost *:80>
    ProxyPass /site1 http://172.17.245.23/cleangrad/html/
    ProxyPassReverse /site1 http://172.17.245.23/cleangrad/html
    </VirtualHost>


    I'm able to get the login page of the application, but unable to fetch the contents in the same, which reside in some other folder on the same web application machine.
    Below is what I get in the error-log file:


    [root@InMumLB01 logs]# tail -f error_inotes_balanced_ssl
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/pic, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/pic, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/pic, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1
    [Wed May 16 17:46:13 2012] [error] [client 172.17.251.128] File does not exist: /var/www/html/images, referer: http://172.17.12.235/site1


    What I understood is that it is trying to find those files on the apache reverse proxy machine instead of the web application machine where the files reside.

    How can I fix this issue?

    16 May 2012
    1.

      Anonymous

      Hi,

      I am also facing the same issue. Please let us know the required configuration to expedite this.

      Awaiting your replies!!!

      03 Sep 2012
      1.

        Michael Seager [Atlassian]

        Anonymous,

        The above information is meant as a general guide; it's very difficult to provide one document with exact configuration for every single situation and requirement.

        If you desperately need help and don't have an experienced network engineer handy then I'd suggest posting in our Answers forum; alternatively we have a number of Atlassian Experts who provide consulting which may be able to help. Note that these are external to Atlassian and charge for their services.

        04 Sep 2012
  24.

    Amalia Sanusi [Atlassian]

    I find this blog post very useful to set up mod_proxy with SSL http://www.lackhead.org/2009/10/confluence-mod_proxy-and-ssl-oh-my/

    30 Jul 2012
  25.

    Anonymous

    Hi,

    I am also facing the same issue as Mr. Aniket Anerao is facing. Please let us know the exact configuration which will enable static content to be served by apache and dynamic content by Tomcat.

    Best Regards,

    Jagdish Machhi

    03 Sep 2012
    1.

      Michael Seager [Atlassian]

      Jagdish, please see my comment above.

      04 Sep 2012
  26.

    Anonymous

    I am using confluence 4.2 with apache on a Linux machine. I enabled the ssl connector option for confluence to enable it to send data over ssl. I uncommented the ssl connector part of server.xml, and created a key using the java key tool as per the instructions. Now while saving the pages I am getting Bad gateway error invalid response from an upstream server. I tried cleaning the browser cache and other trial and error methods but nothing seems to work.

    06 Nov 2012
  27.

    chandan kumar

    I am using confluence 4.2 with apache on a Linux machine. I enabled the ssl connector option for confluence to enable it to send data over ssl. I uncommented the ssl connector part of server.xml, and created a key using the java key tool as per the instructions. Now while saving the pages I am getting Bad gateway error invalid response from an upstream server. I tried cleaning the browser cache and other trial and error methods but nothing seems to work.

    06 Nov 2012
  28.

    Abdul Sattar

    Hi,

    I am using confluence 3.5.17. I have followed mod_proxy simple configuration as said above. I am getting 403 error with "Forbidden You don't have permission to access / on this server"

    I am not using SSL.

    <Context path="/wikitcp" docBase="../confluence" debug="0" reloadable="true"> 

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080" minProcessors="5"
    maxProcessors="75" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100" debug="0" connectionTimeout="20000" disableUploadTimeout="true"
    useURIValidationHack="false" URIEncoding="UTF-8" scheme="https"
    proxyName="cwktstk1" proxyPort="11212"/>

    ProxyPass /wikitcp http://localhost:8080/wikitcp
    ProxyPassReverse /wikitcp http://localhost:8080/wikitcp
    <Location /wikitcp>
    Order allow,deny
    Allow from all
    </Location>

    Apache and Tomcat sitting on same machine "cwktstk1"

    Am I doing anything wrong? 

    04 Mar 2013
    1.

      eduard frades

      Probably you have a .htaccess file, or modsecurity enabled.

      14 Apr 2013
  29.

    Farzad Panahi

    You are missing a step here. If you terminate SSL at Apache you should add SSL certificates to the Java keystore in order for Application Links to work properly, as mentioned here

    The Atlassian documentation is scattered across multiple web pages as shown below. The biggest headache with the Atlassian documentation is caused by their choice to show only the "Most of the relevant Apache Config". This is especially true regarding the SSL configuration for Jira, Confluence, and Fisheye. For Example: On the following page Using Apache with mod_proxy Atlassian states the following for adding SSL...

    "Because of how the ProxyPass and ProxyPassReverse directives work, you should not need to modify the tomcat installation at all."

    This is not only a misleading statement, it is simply wrong.
    You will need to..

    • Add Apache's public key to Java cacerts
    • Configure Tomcat
      • Jira server.xml
      • Confluence server.xml
      • Fisheye config.xml

     

    Please revise this page to include this piece of information.

    06 Mar 2013
  30.

    eduard frades

    There is no way that it works under a subdomain. I tried this configuration and I can only see the start login page and pages created within confluence before this change was made; after making this change, /pages, /admin and other places give me a 404 error.

    Does it need some extra configuration?

    Thanks

    14 Apr 2013
  31.

    Yuri Ardila

    Same as above.

    The base url just disappears on some links like pages.

    26 May 2013
  32.

    Yuri Ardila

    I found the problem. Apparently my setting was bad. I set the context path --> contextPath="/", when it should have been contextPath="". When I set it to "", it works.

    26 May 2013
  33.

    Eddie Webb

    We are getting many connection issues under heavy load where apache workers get errors or time out to the backend.

    [Tue Sep 24 14:00:51 2013] [error] ap_proxy_connect_backend disabling worker for (vxpip-elforg05)
    [Tue Sep 24 14:00:51 2013] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to 10.177.73.75:8090 (vxpip-elforg05) failed
    [Tue Sep 24 14:01:02 2013] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to 10.177.73.75:8090 (vxpip-elforg05) failed
    [Tue Sep 24 14:01:02 2013] [error] ap_proxy_connect_backend disabling worker for (vxpip-elforg05)
    [Tue Sep 24 14:01:03 2013] [error] proxy: HTTP: disabled connection for (vxpip-elforg05)
    [Tue Sep 24 14:01:05 2013] [error] proxy: HTTP: disabled connection for (vxpip-elforg05)
    [Tue Sep 24 14:01:07 2013] [error] proxy: HTTP: disabled connection for (vxpip-elforg05)
    [Tue Sep 24 14:01:07 2013] [error] proxy: HTTP: disabled connection for (vxpip-elforg05)

     

    Wondering if these env values are needed in apache - http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#envsettings

    24 Sep 2013
  34.

    4Cast

    Isn't there an error in the Simple Configuration?

    I have read all the notes above and can't see any reference to this.

    The apache config recommended is

    ProxyPass /confluence http://www.example.com/confluence
    ProxyPassReverse /confluence http://www.example.com/confluence

    Surely this will do nothing at all. It just means if I get a request at http://www.example.com/confluence, it will pass it to http://www.example.com/confluence.

    Surely the config should be:

    ProxyPassReverse /confluence http://www.example.com:8090/confluence

    Or even:

    ProxyPass /confluence http://localhost:8090/confluence
    ProxyPassReverse /confluence http://localhost:8090/confluence

    I have been trying all day to get this to work with no luck.

    01 Feb 2014
    1.

      Denise Unterwurzacher [Atlassian]

      Yes, that's correct, thank you for pointing it out! I've updated the doc to reflect that. 

      -Denise

      Atlassian Support

      03 Feb 2014
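
A small lint for the ProxyPass mistakes raised in comments 23 and 34, run over the directives quoted there and in comment 28. This is an added example, not part of any comment or of Atlassian's documentation; the `ServerName` line, the `listen_port` parameter and the finding names are assumptions, and the trailing-slash rule comes from the Apache mod_proxy documentation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the directives quoted in comments 23, 28 and 34 above,
# plus an assumed ServerName for the front-end virtual host.
SAMPLE_CONF = """\
ServerName www.example.com
ProxyPass /confluence http://www.example.com/confluence
ProxyPassReverse /confluence http://www.example.com/confluence
ProxyPass /site1 http://172.17.245.23/cleangrad/html/
ProxyPassReverse /site1 http://172.17.245.23/cleangrad/html
ProxyPass /wikitcp http://localhost:8080/wikitcp
ProxyPassReverse /wikitcp http://localhost:8080/wikitcp
"""

DIRECTIVE = re.compile(
    r"^\s*(ProxyPassReverse|ProxyPass|ServerName)\s+(\S+)(?:\s+(\S+))?", re.I)


def lint_proxy_config(conf_text, listen_port=80):
    """Return (path, finding) tuples for suspicious ProxyPass mappings."""
    server_name = None
    passes, reverses = {}, {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, containers and unrelated directives
        name, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if name == "servername":
            server_name = first.lower()
        elif second is not None and second != "!":  # "!" excludes a path
            table = passes if name == "proxypass" else reverses
            table[first] = second

    findings = []
    for path, target in passes.items():
        url = urlsplit(target)
        port = url.port or (443 if url.scheme == "https" else 80)
        backend_path = url.path or "/"
        # Target is the front end itself: the request never reaches Tomcat.
        if (server_name and url.scheme in ("http", "https")
                and url.hostname == server_name and port == listen_port):
            findings.append((path, "self-proxy"))
        # mod_proxy expects both arguments to agree on the trailing slash.
        if path.endswith("/") != backend_path.endswith("/"):
            findings.append((path, "trailing-slash-mismatch"))
        # ProxyPassReverse should name the same backend URL as ProxyPass,
        # otherwise redirect headers from the backend are not rewritten.
        reverse = reverses.get(path)
        if reverse is None:
            findings.append((path, "no-proxypassreverse"))
        elif reverse != target:
            findings.append((path, "reverse-target-differs"))
    return findings


if __name__ == "__main__":
    for path, finding in lint_proxy_config(SAMPLE_CONF):
        print(f"{path}: {finding}")
```
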
  35.

    Matt Brown

    Has there been any testing under Apache 2.4? We want to use Subversion Edge, which now uses Apache 2.4. The instructions here don't work. The httpd.conf syntax is different. We tried to use 2.4 syntax to do the same thing, but we keep getting tomcat authentication denied errors.

    11 Aug 2014
    1.

      R Nir

      Hello,

      Did you eventually solve this for Apache 4.2? Same problem here and I'd appreciate a hint.

      Rina

      16 Jan 2015
      1.

        Dave Norton

        Hi Matt and Rina!

        I've updated the document to reflect the changes to Apache in 2.4. See this page for details on the changes, but the authorization rules must be changed:

        becomes

        I've updated the documents to include Apache 2.2 and Apache 2.4 versions. I hope this helps :)

        21 Jan 2015
        1.

          Eddie Webb

          I noticed you include mod_proxy_http above as well, but I don't see the example actually using any of the directives/environment variables it provides.

          Can you please clarify why we would add mod_proxy_http on top of core mod_proxy, and what directives we would use?

          http://httpd.apache.org/docs/2.2/mod/mod_proxy_http.html

           

          In addition to the configuration directives that control the behaviour of mod_proxy, there are a number of environment variables that control the HTTP protocol provider. Environment variables below that don't specify specific values are enabled when set to any value.

          proxy-sendextracrlf: Causes proxy to send an extra CR-LF newline on the end of a request. This is a workaround for a bug in some browsers.

          force-proxy-request-1.0: Forces the proxy to send requests to the backend as HTTP/1.0 and disables HTTP/1.1 features.

          proxy-nokeepalive: Forces the proxy to close the backend connection after each request.

          proxy-chain-auth: If the proxy requires authentication, it will read and consume the proxy authentication credentials sent by the client. With proxy-chain-auth it will also forward the credentials to the next proxy in the chain. This may be necessary if you have a chain of proxies that share authentication information. Security Warning: Do not set this unless you know you need it, as it forwards sensitive information!

          proxy-sendcl: HTTP/1.0 required all HTTP requests that include a body (e.g. POST requests) to include a Content-Length header. This environment variable forces the Apache proxy to send this header to the backend server, regardless of what the Client sent to the proxy. It ensures compatibility when proxying for an HTTP/1.0 or unknown backend. However, it may require the entire request to be buffered by the proxy, so it becomes very inefficient for large requests.

          proxy-sendchunks or proxy-sendchunked: This is the opposite of proxy-sendcl. It allows request bodies to be sent to the backend using chunked transfer encoding. This allows the request to be efficiently streamed, but requires that the backend server supports HTTP/1.1.

          proxy-interim-response: This variable takes values RFC or Suppress. Earlier httpd versions would suppress HTTP interim (1xx) responses sent from the backend. This is technically a violation of the HTTP protocol. In practice, if a backend sends an interim response, it may itself be extending the protocol in a manner we know nothing about, or just broken. So this is now configurable: set proxy-interim-response RFC to be fully protocol compliant, or proxy-interim-response Suppress to suppress interim responses.

          proxy-initial-not-pooled: If this variable is set no pooled connection will be reused if the client connection is an initial connection. This avoids the "proxy: error reading status line from remote server" error message caused by the race condition that the backend server closed the pooled connection after the connection check by the proxy and before data sent by the proxy reached the backend. It has to be kept in mind that setting this variable downgrades performance, especially with HTTP/1.0 clients.

          21 Jan 2015
          1.

            Dave Mason [Atlassian]

            Hi Eddie,

            mod_proxy_http must be enabled otherwise you can't use a http URL in a ProxyPass directive. You don't need to use any other configuration besides what we have listed above.

            Regards,

            Dave

            21 Jan 2015
  36.

    Nikhil Bhatnagar

    Dear Community members,

    I need help regarding apache integration with jira.

    I have integrated apache, it works fine but only issue I face is when I try to do below operations:

     

    1. Add users to group.
    2. Delete a version
    3. Release/unrelease a version

    JIRA hangs indefinitely

    28 Jan 2015
    1.

      Dave Norton

      Can you bypass the reverse proxy (by browsing to IP:port) to see if the proxy is indeed the cause of the problem?

      If you're still having problems after bypassing the proxy, our support team might be able to help you with these problems - if you haven't already done so, I'd suggest opening a ticket at https://support.atlassian.com/ - they'll be able to take a look at the logs and see if they can figure out what's going wrong.

      Edit: To clarify, while we don't support the configuration and troubleshooting for Apache itself, we can try and have a look at what might be going wrong :)

      29 Jan 2015
  37.

    Artur Mücke

    Hi, I think there is a mistake in the documentation for the "complex" setup. At least the rewrite did not work in my case as desired. The Subdomain http://wiki.mydomain.com was always rewritten to http://wiki.mydomain.com/confluence which was not the expected behaviour for the "complex" setup. The mistake seems to be in the following two lines:

     

    ProxyPass / http://app-server.internal.example.com:8090/confluence
    ProxyPassReverse / http://app-server.internal.example.com:8090/confluence

    It should be:

    ProxyPass / http://app-server.internal.example.com:8090/ 
    ProxyPassReverse / http://app-server.internal.example.com:8090/ 

    At least in my case the issue was solved by removing the trailing content path.

     

    18 Feb 2015
  38.

    Jan-Willem Pas

    Hi All,

    One addition I found useful is changing the default timeout of the mod proxy to more than 1 minute. If some action in Confluence takes longer than 1 minute (importing a big Word file for example) this would result in a '502 Proxy error' response instead of waiting for Confluence to return.

    Adding these options to the httpd.conf resolves this:

     

    Regards,

    Jan-Willem

     

    21 May 2015
  39.

    Jinesh Choksi

    If you are struggling to figure out why single sign on is not working for Bamboo 5.9.1 when Bamboo is installed on a server with mod_proxy in front of it, enable DEBUG level logging on the Crowd server (In Crowd, go to 'Administration' -> 'Logging & Profiling'. Change the com.atlassian.crowd package to DEBUG.) and see whether you are getting:

     

    DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] The token keys don't match

     

    errors in Crowd's log file. If you are, then most likely, you need to add both 127.0.0.1 and 0:0:0:0:0:0:0:1 to the Trusted Proxy Servers list in Crowd.


    Be very careful about making changes to Trusted Proxy Servers as the change is immediate and you can very well lock yourself and every other user out of all applications that use crowd for authentication.

     

    (If you do lock yourself out, you can recover access by editing the row in the crowd database's cwd_property table where property_name = trusted.proxy.servers)

     

    See this page for further information: link

    10 Jul 2015