confluence.atlassian.com
2600:9000:2127:8400:15:77aa:5e80:93a1  Public Scan

Submitted URL: https://confluence.atlassian.com/x/cNIvMw
Effective URL: https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html
Submission: On June 07 via api from CA — Scanned from CA

Confluence 7.18 (Latest)


RUNNING CONFLUENCE BEHIND NGINX WITH SSL

This page describes how to set up NGINX as a reverse proxy for Confluence. 

The configuration described on this page results in a scenario where:

 * External client connections with NGINX are secured using SSL. Connections
   between NGINX and Confluence Server are unsecured.
 * Confluence Server and NGINX run on the same machine.

We assume that you already have a running instance of NGINX. If not, refer to
the NGINX documentation for instructions on downloading and installing
NGINX. SSL certificates must be installed on the server machine. You'll need an
NGINX version that supports WebSockets (1.3 or later).

If your team plans to use the Confluence Server mobile app, you'll need a
certificate issued by a trusted Certificate Authority.  You can't use the app
with a self-signed certificate, or one from an untrusted or private CA. 

Atlassian Support can't provide assistance with configuring third-party tools
like NGINX. If you have questions, check the NGINX documentation, ask the
Atlassian Community, or get help from a Solution Partner.





STEP 1: SET THE CONTEXT PATH

If you want to access Confluence without a context path (www.example.com), or
via a sub-domain (confluence.example.com), skip this step.

Set your Confluence application path (the part after hostname and port) in
Tomcat.  Edit <installation-directory>/conf/server.xml, locate the "Context"
definition:

<Context path="" docBase="../confluence" debug="0" reloadable="false">

and change it to:

<Context path="/confluence" docBase="../confluence" debug="0" reloadable="false">

In this example we've used /confluence as the context path. Note that you can't
use /resources as your context path, as this is used by Confluence, and will
cause problems later on.  

Restart Confluence, and check you can access it
at http://example:8090/confluence


STEP 2: CONFIGURE THE TOMCAT CONNECTOR

In the same <installation-directory>/conf/server.xml file, use the example
connectors as a starting point.

Comment out the default connector (for unproxied access). 

In XML a comment starts with  <!-- and ends with -->, and is used to make sure
only the relevant portions of the file are read by the application.

Add <!-- and --> around the default connector. It should now look like this.

<!--
========================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.
========================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->

Uncomment the connector listed under the HTTPS - Proxying Confluence via Apache
or Nginx over HTTPS heading.   

To uncomment a section, remove the <!-- and --> surrounding the connector.

Here's an example showing the default connector commented out, and the HTTPS
connector uncommented. The headings remain commented out.

<!--
========================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.
========================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->
...
<!--
========================================================
HTTPS - Proxying Confluence via Apache or Nginx over HTTPS
========================================================
-->
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   scheme="https" secure="true" proxyName="<subdomain>.<domain>.com" proxyPort="443"/>

Insert your proxyName and proxyPort as shown in the last line below:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   scheme="https" secure="true" proxyName="www.example.com" proxyPort="443"/>

Make sure you've included correct values for protocol and proxyName. 


STEP 3: CONFIGURE NGINX

You will need to specify a listening server in NGINX, as in the example below.
Add the following to your NGINX configuration.  

Replace your server name and the location of your SSL certificate and key. 

In this example, users will connect to Synchrony, which is required for
collaborative editing, directly.

server {
    listen www.example.com:80;
    server_name www.example.com;

    listen 443 default ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;

    ssl_session_timeout  5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers   on;

    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
    location /confluence {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090/confluence;
    }
}

See https://nginx.org/en/docs/http/ngx_http_proxy_module.html for more
information.

Note: do not include ssl on; if you are configuring SSL and Confluence on the
same server, as in this example.

If you're not sure what to include
for ssl_ciphers, https://mozilla.github.io/server-side-tls/ssl-config-generator/ is
a useful resource.
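
An added example, not part of Atlassian's documentation: a small Python check that reads the listen, ssl_protocols and ssl_ciphers directives from a server block like the one above and lists the settings worth reviewing against the generator's output. The helper names audit and directives are hypothetical, the sample configuration is constructed from the page's example with the cipher list shortened, and the check assumes a single server block with explicit OpenSSL suite names rather than keywords such as HIGH.

```python
import re

# Constructed sample: TLS-related lines of the server block above, with the
# cipher string cut down to four representative entries.
SAMPLE_CONF = """
server {
    listen www.example.com:80;
    listen 443 default ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS';
}
"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2 and SSLv3 earlier still.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL suite names with an ephemeral key exchange start with one of these.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def directives(conf, name):
    """Return the argument string of each `name args;` directive."""
    pattern = rf"^\s*{re.escape(name)}\s+([^;]+);"
    return [m.group(1) for m in re.finditer(pattern, conf, re.MULTILINE)]


def audit(conf):
    """Hypothetical helper: list weak TLS settings in one nginx server block."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = []
    for args in directives(conf, "listen"):
        if "ssl" not in args.split():
            findings.append(f"plain-HTTP listener: {args.strip()}")
    for args in directives(conf, "ssl_protocols"):
        findings += [f"deprecated protocol: {p}"
                     for p in args.split() if p in DEPRECATED_PROTOCOLS]
    for args in directives(conf, "ssl_ciphers"):
        # Remove quotes and any whitespace left over from line wrapping.
        for suite in re.sub(r"[\s'\"]", "", args).split(":"):
            if not suite or suite[0] in "!-+":
                continue  # exclusions and modifiers enable nothing
            if "DES-CBC3" in suite:
                findings.append(f"3DES suite: {suite}")
            elif not suite.startswith(FORWARD_SECRET_PREFIXES):
                findings.append(f"no forward secrecy: {suite}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

A listener reported as plain HTTP means the same location blocks are also reachable without TLS on that port, which is worth checking against how you expect clients to connect.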


If you experience 413 Request Entity Too Large errors, make sure that the
client_max_body_size in the /confluence location block matches Confluence's
maximum attachment size. You may also need to increase
the client_max_body_size in the /synchrony location block if you
experience errors when editing large pages. 

If you plan to use the Confluence mobile app...

If you plan to allow users to use the Confluence mobile app with your site, and
you have configured a context path, as in the example above, you may also need
to add the following line to your nginx configuration.

location /server-info.action { 
     proxy_pass   http://localhost:8090/confluence/server-info.action;
}

If you're accessing Confluence via a sub-domain...

If you're accessing Confluence via a sub-domain, your config will look like
this:

server {
    listen confluence.example.com:80;
    server_name confluence.example.com;

    listen 443 default ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;

    ssl_session_timeout  5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers   on;

    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090;
    }
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}





STEP 4: RESTART CONFLUENCE AND NGINX

 1. Restart Confluence and NGINX for all the changes to take effect.
 2. Update Confluence's base URL to include the context path you set earlier -
    see Configuring the Server Base URL. 

Last modified on Aug 5, 2021

