Due to a change in Confluence 3.1, this procedure does not currently work in that version. A JIRA issue (CONF-18120) has already been logged about this. Please feel free to vote on it to improve its chances of being fixed sooner.

This page provides instructions for enforcing the use of HTTPS for the login page, but falling back to HTTP for all other pages:

Please be aware of the following caveat:

This procedure will only protect the exchange of usernames and passwords. It does not protect the session/authentication cookie and still leaves you exposed to session hijacking. Instead, we recommend that you use SSL for the whole site.

Once you have SSL working on Tomcat, you need to make use of the urlrewrite plugin that's included by default with Confluence.
First, edit the filter-mapping entry in web.xml for urlrewrite so that the filter is applied to every request rather than only to paths under /s/. Change it from this:

<filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/s/*</url-pattern>
</filter-mapping>

to this:

<filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

The next step is to edit urlrewrite.xml to read like this, changing the hostname and port number to suit your own installation:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 2.6//EN" "http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
<urlrewrite>
    <!-- For image references in CSS files -->
    <rule>
        <from>^/s/(.*)/_/download/images/([^\?]*).*</from>
        <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" />
        <to type="forward">/images/$2</to>
    </rule>
    <rule>
        <from>^/s/(.*)/_/([^\?]*).*</from>
        <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" />
        <to type="forward">/$2</to>
    </rule>

    <!-- Redirect the login page to HTTPS when it is requested over any other scheme -->
    <rule>
        <from>^/login.action</from>
        <condition type="scheme" operator="notequal">https</condition>
        <to type="redirect">https://localhost:8443/login.action</to>
    </rule>

    <!-- Redirect the login form submission to HTTPS as well -->
    <rule>
        <from>^/dologin.action</from>
        <condition type="scheme" operator="notequal">https</condition>
        <to type="redirect">https://localhost:8443/dologin.action</to>
    </rule>

    <!-- Send HTTPS requests for everything except the login pages and /s/ resources back to HTTP -->
    <rule>
        <from>^/(.*)</from>
        <condition type="scheme" operator="equal">https</condition>
        <condition type="request-uri" operator="notequal">/login.action.*</condition>
        <condition type="request-uri" operator="notequal">/dologin.action.*</condition>
        <condition type="request-uri" operator="notequal">/s/.*</condition>
        <to type="redirect">http://localhost:8080/$1</to>
    </rule>
</urlrewrite>
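
The redirect decisions made by the three redirect rules above, modelled in Python so the rule set can be sanity-checked before it is deployed. This is an added example, not Atlassian's code or the UrlRewriteFilter implementation. It assumes Confluence runs at the root context, request URIs carry no query string, and patterns are anchored at the start of the URI; the request paths in the walk-through are constructed.

```python
import re

# Simplified model of the three redirect rules in urlrewrite.xml above.
# Assumptions: root context, no query strings, patterns anchored at the
# start of the URI. The /s/ forward rules are not modelled (no redirect).
HTTPS_BASE = "https://localhost:8443"  # host and ports as used on the page
HTTP_BASE = "http://localhost:8080"
FORCE_HTTPS = ((r"/login.action", "/login.action"),
               (r"/dologin.action", "/dologin.action"))
STAY_ON_HTTPS = (r"/login.action.*", r"/dologin.action.*", r"/s/.*")


def redirect_for(scheme, uri):
    """Return the redirect target for one request, or None if it is served."""
    if scheme != "https":
        for pattern, target in FORCE_HTTPS:
            if re.match(pattern, uri):
                return HTTPS_BASE + target  # login rules: force HTTPS
        return None
    if any(re.match(p, uri) for p in STAY_ON_HTTPS):
        return None                         # login pages and /s/ stay on HTTPS
    return HTTP_BASE + uri                  # last rule: fall back to HTTP


def final_url(scheme, uri, max_hops=5):
    """Follow redirects as a browser would and return the URL finally served."""
    url = (HTTPS_BASE if scheme == "https" else HTTP_BASE) + uri
    for _ in range(max_hops):
        target = redirect_for(scheme, uri)
        if target is None:
            return url
        url = target
        scheme, rest = target.split("://", 1)
        uri = "/" + rest.split("/", 1)[1]
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    # Constructed request sequence for one login session.
    for scheme, uri in [("http", "/login.action"), ("https", "/dologin.action"),
                        ("https", "/dashboard.action"), ("http", "/dashboard.action")]:
        print(f"{scheme:5} {uri:20} -> {final_url(scheme, uri)}")
```

Every request other than the two login actions and /s/ resources ends up on HTTP, which is why the session cookie issued after login is not protected by this configuration.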