Confluence Behind IIS Reverse Proxy

Atlassian Confluence Server for Windows is bundled with a web server which runs on port 8090. Most organisations would rather use a more user-friendly URL such as confluence.domain.com. Although this isn’t technically supported by Atlassian, it’s best practice to leave this port as is and instead implement a Reverse Proxy.

Prerequisites

The following steps assume you’re running Confluence Server on Windows Server 2012 R2 or higher over HTTPS.

How to configure a Reverse Proxy in IIS

  1. Launch the Server Manager and click Manage → Add Roles and Features… 
    1. On the Before You Begin screen, click Next
    2. On the Installation Type screen, click Next
    3. On the Server Selection screen, click Next
    4. On the Server Roles screen, select Web Server (IIS) and click Next
    5. On the Features screen, click Next
    6. On the Web Server Role (IIS) screen, click Next
    7. On the Role Services screen, select HTTP Redirect, Request Filtering, and WebSocket Protocol, and leave the default options checked off. Click Next
    8. On the Confirmation screen, click Install. Wait for IIS to be installed before proceeding. 
  2. Download and install the Web Platform Installer (https://www.microsoft.com/web/downloads/platform.aspx). Once installed, download and install the following modules using the Web Platform Installer.
    Application Request Routing 3.0
    URL Rewrite
  3. Launch Internet Information Services (IIS) Manager.
  4. Click the server node and select Application Request Routing Cache
    1. From the Action panel, select Server Proxy Settings
    2. Check “Enable Proxy” and set HTTP version to “HTTP/1.1”. Deselect “Reverse rewrite host in response headers”. Leave all other options as default and click Apply
  5. Right-click Application Pools and select Add Application Pool
    1. Name the Application Pool “Confluence”.
    2. Set the .NET CLR version to “No Managed Code”.
    3. Click OK
  6. Right-click Sites and select Add Website… 
    1. Name the Website “Confluence” and set the Application Pool to “Confluence”.
    2. Set the Physical path to “C:\inetpub\wwwroot-confluence”.
    3. Set the Binding Type to “HTTPS”.
    4. Set your desired Host name. For example, “confluence.domain.com”. 
    5. Set the Certificate
    6. Click OK
  7. Select the Confluence site and then select URL Rewrite. From the Actions pane select Add Rules and choose a Blank Rule
    1. Name the rule “Confluence”.
    2. Set Match URL to:
      Requested URL: Matches the Pattern
      Using: Regular Expressions
      Pattern: (.*)
      Ignore Case: Checked
    3. Set Action to:
      Action Type: Rewrite
      Rewrite URL: http://localhost:8090/{R:1}
      Append query string: Checked
    4. Select “Stop processing of subsequent rules”.
    5. Click Apply
  8. Select the Confluence site and then select Request Filtering.
    1. From the Action panel, select Edit Feature Settings... 
    2. Select “Allow double escaping”.
    3. Click OK
  9. Select the Confluence site and then select Output Caching.
    1. From the Action panel, select Edit Feature Settings... 
    2. Deselect “Enable Cache” and “Enable kernel cache”.
    3. Click OK
  10. Launch Notepad as Administrator and open the file C:\inetpub\wwwroot-confluence\web.config. The following URL Rewrite rules are used by Synchrony for co-editing in Confluence. There’s also a rule to redirect any HTTP request to HTTPS. Add the following lines directly below <rules>:
<clear />
<rule name="HTTP to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
<rule name="Synchrony HTTP" stopProcessing="true">
    <match url="^synchrony/(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" />
</rule>
<rule name="Synchrony Web Sockets Reverse Proxy" stopProcessing="true">
    <match url="ws://(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="ws://localhost:8091/{R:1}" />
</rule>

Add the following lines directly below </system.webServer>:

<system.web>
    <httpRuntime executionTimeout="20" maxRequestLength="61440" requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

The final result should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="HTTP to HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
                </rule>
                <rule name="Synchrony HTTP" stopProcessing="true">
                    <match url="^synchrony/(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" />
                </rule>
                <rule name="Synchrony Web Sockets Reverse Proxy" stopProcessing="true">
                    <match url="ws://(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Rewrite" url="ws://localhost:8091/{R:1}" />
                </rule>
                <rule name="Confluence" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Rewrite" url="http://localhost:8090/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering allowDoubleEscaping="true" />
        </security>
        <caching enabled="false" enableKernelCache="false" />
    </system.webServer>
    <system.web>
        <!-- This keeps IIS from complaining about special characters in the url. Also has some controls for max upload size. Set to the equivalent of the above, but in kilobytes instead of bytes. (ex. 61440 = 60MB) -->
        <httpRuntime executionTimeout="20" maxRequestLength="61440" requestPathInvalidCharacters="" requestValidationMode="2.0" />
        <pages validateRequest="false" />
    </system.web>
</configuration>
  11. Launch Notepad as Administrator and open the file C:\Program Files\Atlassian\Confluence2\conf\server.xml. Modify the file as shown below. Find the following Connector:
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
           maxThreads="48" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11NioProtocol" />

Add the proxyName, proxyPort, and scheme attributes:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
           maxThreads="48" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           proxyName="confluence.domain.com" proxyPort="443" scheme="https" />
  12. Launch Command Prompt as Administrator.
    1. Run the following commands, replacing <CONFLUENCE-SERVICE-NAME> with the name of the Confluence Windows Service. For example, “tomcat9w //ES//Confluence120417160306”.
      cd C:\Program Files\Atlassian\Confluence2\lib
      tomcat9w //ES//<CONFLUENCE-SERVICE-NAME>
    2. Select the Java tab. 
    3. Append the following line to the bottom of Java Options:
      -Dorg.apache.tomcat.websocket.DISABLE_BUILTIN_EXTENSIONS=true
    4. Click OK.
  13. Launch Command Prompt as Administrator and run the following command:
    iisreset /noforce
  14. Restart the Confluence service using services.msc. This process will take a few minutes. Even after the service restarts, Tomcat will take another few minutes to bring up the Confluence web server.
  15. Browse to the new URL and log in to Confluence. You will receive a notification indicating the Base URL is not valid. Go to Settings → General Configuration. Click Edit and set the Server Base URL to https://confluence.domain.com. Click Save.
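
The following PowerShell script is an added example, not part of the original guide. It checks the two files edited above for malformed XML, missing proxy attributes and a mis-ordered rewrite rule list, then reports how ports 8090 and 8091 are bound. It assumes the paths, ports and host name used in this guide, and PowerShell 4.0 or later run as Administrator.

```powershell
# Added example (not from the original guide): checks for the IIS/Confluence setup above.
# Paths, ports and host name are the ones used on this page; adjust to your install.
$serverXml = 'C:\Program Files\Atlassian\Confluence2\conf\server.xml'
$webConfig = 'C:\inetpub\wwwroot-confluence\web.config'
$proxyHost = 'confluence.domain.com'
$problems  = New-Object 'System.Collections.Generic.List[string]'

function Read-XmlFile([string]$Path) {
    # XmlDocument.Load throws on malformed XML (unclosed tag, stray quote, missing file).
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($Path); return $doc }
    catch { $problems.Add("$Path could not be parsed: $($_.Exception.Message)"); return $null }
}

# 1. server.xml: the active (not commented-out) 8090 connector must carry the proxy attributes.
$tomcat = Read-XmlFile $serverXml
if ($null -ne $tomcat) {
    $conn = $tomcat.SelectSingleNode("//Connector[@port='8090']")
    if ($null -eq $conn) { $problems.Add('server.xml: no active <Connector port="8090"> found') }
    else {
        $expected = @{ proxyName = $proxyHost; proxyPort = '443'; scheme = 'https' }
        foreach ($name in $expected.Keys) {
            $actual = $conn.GetAttribute($name)   # empty string when the attribute is absent
            if ($actual -ne $expected[$name]) {
                $problems.Add("server.xml: $name is '$actual', expected '$($expected[$name])'")
            }
        }
    }
}

# 2. web.config: every rule has stopProcessing="true", so the catch-all "Confluence" rule
#    must come last or the HTTPS redirect and Synchrony rules never run.
$iis = Read-XmlFile $webConfig
if ($null -ne $iis) {
    $rules = @($iis.SelectNodes('/configuration/system.webServer/rewrite/rules/rule') |
               ForEach-Object { $_.GetAttribute('name') })
    $want  = 'HTTP to HTTPS', 'Synchrony HTTP', 'Synchrony Web Sockets Reverse Proxy', 'Confluence'
    if (($rules -join '|') -ne ($want -join '|')) {
        $problems.Add("web.config: rule order is [$($rules -join ', ')], expected [$($want -join ', ')]")
    }
}

# 3. Listeners: a socket on 0.0.0.0 or :: serves plain HTTP to the network unless a firewall blocks it.
Get-NetTCPConnection -State Listen -LocalPort 8090, 8091 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object { $problems.Add("port $($_.LocalPort) listens on $($_.LocalAddress), reachable without the HTTPS proxy") }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All reverse-proxy checks passed.' }
```

Run the first two checks before restarting the services and the third once Confluence is back up. If the third check reports a listener, a Windows Firewall rule blocking inbound access to ports 8090 and 8091 from other hosts keeps all user traffic on the HTTPS site.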

2 Comments

  1. Hi,

    I followed your guide, but still I am unable to get it to work – it actually threw some errors after I started the Confluence service.
    Something about server.xml had errors and proxyname, scheme and port were incorrect.

    • That sounds like a syntax error in the server.xml file. I recommend restoring a previous version and retry seeing the correct values.
