Using Apache with mod_proxy
This page describes how to integrate Confluence into an Apache website using mod_proxy.
There are some common situations where you might use the configuration:
- You have an existing Apache-based website, and want to add Confluence to the mix (for example, http://www.example.com/confluence).
- You have two or more Java applications, each running in their own application server on different ports, for example, http://example:8090/confluence and http://example:8080/jira. By setting up Apache with mod_proxy, you can have both available on the regular HTTP port (80) – for example, at http://www.example.com/confluence and http://www.example.com/jira. This allows each application to be restarted, managed and debugged separately.
Note: This page documents a configuration of Apache, rather than of Confluence itself. Atlassian will support Confluence with this configuration, but we cannot guarantee to help you debug problems with Apache. Please be aware that this material is provided for your information only, and that you use it at your own risk.
Base configuration
In these examples, we use the following:
http://www.example.com/confluence – your intended URL
http://example:8090 – the hostname and port Confluence is currently installed to
/confluence – the intended context path (the part after hostname and port)
Please substitute the examples below with your intended URL’s in your own server. Copy/pasting these suggestions will not work on your server.
Set the context path
Set your Confluence application path (the part after hostname and port). To do this in Tomcat (bundled with Confluence), edit conf/server.xml
, locate the “Context” definition:
<Context path="" docBase="../confluence" debug="0" reloadable="true">
and change it to:
<Context path="/confluence" docBase="../confluence" debug="0" reloadable="true">
Then restart Confluence, and ensure you can access it at http://example:8090/confluence
Set the URL for redirection
Set the URL for redirection. In the same conf/server.xml
file, locate this code segment:
<Connector port="8090" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
And append the last line:
<Connector port="8090" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
proxyName="www.example.com" proxyPort="80" />
If this isn’t working for you and you’re using SSL, try adding a scheme attribute to your Connector tag: scheme=”https”.
Now we have two options:
- If you want a URL like http://www.example.com/confluence, follow the simple configuration.
- If you want a URL like http://confluence.example.com, go to the complex configuration.
Simple Configuration
Configure mod_proxy
Now enable mod_proxy in Apache, and proxy requests to the application server by adding the example below to your Apache httpd.conf (note: the files may be different on your system; See Integrating JIRA with Apache for the process for Ubuntu/Debian layout):
# Put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /confluence http://app-server.internal.example.com:8090/confluence
ProxyPassReverse /confluence http://app-server.internal.example.com:8090/confluence
<Location /confluence>
Order allow,deny
Allow from all
</Location>
# Put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
Require all granted
</Proxy>
ProxyPass /confluence http://app-server.internal.example.com:8090/confluence
ProxyPassReverse /confluence http://app-server.internal.example.com:8090/confluence
<Location /confluence>
# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
Require all granted
</Location>
Complex configuration
Complex configuration involves using the mod_proxy_html filter to modify the proxied content en-route. This is required if the Confluence path differs between Apache and the application server. For example:
Externally accessible (Apache) URL | http://confluence.example.com/ |
---|---|
Application server URL | http://app-server.internal.example.com:8090/confluence/ |
Notice that the application path in the URL is different in each. On Apache, the path is /, and on the application server the path is /confluence.
For this configuration, you need to install the mod_proxy_html module, which is not included in the standard Apache distribution.
Alternative solutions are discussed below.
# Put this after the other LoadModule directives
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
<VirtualHost *>
ServerName confluence.example.com
# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://app-server.internal.example.com:8090/confluence
ProxyPassReverse / http://app-server.internal.example.com:8090/confluence
ProxyHTMLURLMap / /confluence/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
# Put this after the other LoadModule directives
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
<VirtualHost *>
ServerName confluence.example.com
# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
Require all granted
</Proxy>
ProxyPass / http://app-server.internal.example.com:8090/confluence
ProxyPassReverse / http://app-server.internal.example.com:8090/confluence
ProxyHTMLURLMap / /confluence/
<Location />
# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
Require all granted
</Location>
</VirtualHost>
The ProxyHTMLURLMap configuration can become more complex if you have multiple applications running under this configuration. The mapping should also be placed in a Location block if the web server URL is a subdirectory and not on a virtual host. The Apache Week tutorial has more information how to do this.
Final Configuration Steps
Restart your Apache server
This is needed to pick up on the new configuration. This can be done by running the following on your command line/terminal/shell:
sudo apachectl graceful
Disable HTTP Compression
Having compression run on both the proxy and Tomcat can cause problems integrating with other Atlassian applications, such as JIRA. Please disable HTTP compression as per our Compressing an HTTP Response within Confluence docs.
Set the Confluence Base URL
The last stage is to set the Base URL to the address you’re using within the proxy. In this example, it would be http://www.example.com/confluence
Adding SSL
If you’re running Apache in front of Tomcat, it’s a good idea to terminate your SSL configuration at Apache, then forward the requests to Tomcat over HTTP. You can set up Apache to terminate the SSL connection and use the ProxyPass and ProxyPassReverse directives to pass the connection through to Tomcat (or the appropriate application server) which is running Confluence.
- Create a new SSL host by creating a virtual host on 443
- The standard http connection on apache could be used to redirect to https if you want or it could just be firewalled.
- Within the VirtualHost definition:
- define the SSL options (SSLEngin and SSLCertificateFile)
- define the ProxyPass and ProxyPassReverse directives to pass through to Tomcat.
Most of the relevant Apache Config:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/
</VirtualHost>
Apart from the Apache configuration there are a couple of things you will need to do before you get your server working:
- You will have to change your base URL to point to https addresses. See the documentation on configuring the server base URL.
- We need to set up the connector to use https. In your installation directory, edit the file server.xml and add this attributes to your connector:
proxyName="proxy.example.com" proxyPort="443" scheme="https" secure="true"
More information
- The mod_proxy_html site has documentation and examples on the use of this module in the complex configuration.
- Apache Week has a tutorial that deals with a complex situation involving two applications and ProxyHTMLURLMap.
- Using Apache with virtual hosts and mod_proxy shows how to configure the special case where you want JIRA and Confluence running on separate application servers on virtual host subdomains.
Control File Access by IP in Apache 2.4
Denying access to wp-login.php for all but a set of whitelisted IP can be a good way of enhancing site security – provided that the client has a fixed IP address.
We typically add such access controls within a .htaccess file in the document root of a project, leaving login access for our own IP address and that of the site owner.
You might occasionally need to temporarily whitelist an additional IP address, but this is easy to do.
Restricting access by IP address is no substitute for a proper username/password policy – but it may be a useful additional layer, since would-be attackers don’t even get a chance to knock on the door.
Under Apache 2.2, you could use these directives within a .htaccess file:
# ==============================================================================
# Whitelisted IP access for wp-login.php
# ==============================================================================
<files wp-login.php>
order deny,allow
deny from all
# whitelist Your First IP address
allow from xxx.xxx.xxx.xxx
# whitelist Your Second IP Address
allow from xxx.xxx.xxx.xxx
# whitelist Your Third IP Address
allow from xxx.xxx.xxx.xxx
</files>
# ==============================================================================
# Protect specified files from direct access
# ==============================================================================
<FilesMatch “^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)”>
Deny from all
</FilesMatch>
Whilst the Allow, Order, and Deny directives still work in Apache 2.4, they are deprecated:
The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.
-Apache 2.4 Documentation
Unfortunately, there is not a lot of literature on how to properly set up such restrictions on Apache 2.4 – without relying on mod_access_compat.
Deny Access Completely
In Apache 2.2:
Order deny,allow
Deny from all
In Apache 2.4 this becomes:
Require all denied
Restrict Access by IP address: Comparison of Apache 2.2 and 2.4
Allow from a particular IP in Apache 2.2:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Allow from a particular IP in Apache 2.4:
Require ip xxx.xxx.xxx.xxx
TL;DR Restrict Access Apache 2.4
# ==============================================================================
# Restrict access to WordPress login page by IP
# See: http://httpd.apache.org/docs/2.4/mod/core.html#files
# ==============================================================================
<Files “wp-login.php”>
Require ip 123.123.123.123
</Files>
If you have full access to Apache config on your server, you can enable these directives for all virtual hosts by adding them to the Apache config file:
sudo nano /etc/apache2/conf-enabled/security.conf
Access Control by host and ip address in Apache 2.4
In this post we will learn about access control by host and ip address in Apache 2.4. The Apache 2.4 released with lots of new feature. While working on Apache 2.4 you will surely get attention on new format of access control. The method of using allow,deny or vice-versa is deprecated, it was old styled method before Apache 2.4 versions.
We do expect users have some experience on Apache webserver. Hence, we are directly jumping on ACL of apache 2.4 . We have used all the below given methods inside Apache Virtual Host.
In trailing post, we are going to use directive called RequireAll. So as per Apache 2.4 documentation, know what is RequireAll directive :
apache 2.4 RequireAll
Allow only particular IP Address or Host to access website in Apache 2.4
In this scenario we will allow only particular IP address or hosts to access the website. Rest of the world will not be able to access the website hosted on Apache 2.4 .
Note: Replace Directive value as per your server’s web data path.
<Directory “/var/www/html/website”>
Options All
AllowOverride All
Require all denied
## “Require ip” is used here for IP Address/CIDR/Network
Require ip 192.168.56.4 10.10.1.1
## “Require host” is used here for hostname/FQDN
Require host www.example.com server01
</Directory>
As per your requirement you can set ACL either on ip address or Host or both.
Alternatively for this same scenario you can write in below given format also. You should notice the written in below given example.
<Directory “/var/www/html/website”>
Options All
AllowOverride All
<RequireAll>
## “Require ip” is used here for IP Address/CIDR/Network
Require ip 192.168.56.4 10.10.1.1
## “Require host” is used here for hostname/FQDN
Require host www.example.com server01
</RequireAll>
</Directory>
Deny only particular IP Address or Host to access website in Apache 2.4
In this section, we will deny particular ip address/host to access the website. As mentioned in above section as same as according to your requirement you can set ACL either on ip address or Host or both. Check the directive section where we have applied the ACL.
Note: Replace Directive value as per your server’s web data path.
<Directory “/var/www/html/website”>
Options All
AllowOverride All
<RequireAll>
Require all granted
## “Require ip” is used here for IP Address/CIDR/Network
Require not ip 192.168.56.4 10.10.1.1
## “Require host” is used here for hostname/FQDN
Require not host www.example.com server01
</RequireAll>
</Directory>
Deny All to access website running on Apache 2.4
In this section, we will define Require all denied directly inside directive. This configuration will deny all to access the website.
Note: Replace Directive value as per your server’s web data path.
<Directory “/var/www/html/website”>
Options All
AllowOverride All
## “Require all denied” will deny all to access the website.
Require all denied
</Directory>
Allow All to access website running on Apache 2.4
In this section, we will define Require all granted directly inside directive. The below given configuration helps all to access the website.
Note: Replace Directive value as per your server’s web data path.
<Directory “/var/www/html/website”>
Options All
AllowOverride All
## “Require all granted” will allow all to access the website.
Require all granted
</Directory>
Restart apache service
After doing changes in apache config file, do not forget to restart the apache service.
### In Ubuntu/Debian/
sudo service apache2 restart
### In CentOS 7/RHEL 7
systemctl restart httpd
### In CentOS|RHEL 5.x,6x.
service httpd restart
Apache Forbidden Error Message
On denying the ip address/host from Apache 2.4. The user will get the “Forbidden” message. Given below is the image reference.
<VirtualHost *:80> ServerName www.company.com ProxyPreserveHost On AllowEncodedSlashes NoDecode <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </IfModule> </VirtualHost> <VirtualHost *:443> ServerName www.company.com ProxyRequests Off SSLProxyEngine on AllowEncodedSlashes NoDecode RequestHeader set X-Forwarded-Proto "https" # Always use HTTP Strict Transport Security (HSTS) Header always set Strict-Transport-Security "max-age=63072000; includeSubdo:mains; preload" SSLEngine on SSLCertificateFile /etc/httpd/ssl/com.crt SSLCertificateKeyFile /etc/httpd/ssl/com.key SSLCertificateChainFile /etc/httpd/ssl/CA.crt # Set a cookie so the client gets the same backend server each time Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED ProxyPass /balancer-manager ! ProxyPass / "balancer://mycluster/" nocanon ProxyPassReverse / "balancer://mycluster/" <Proxy balancer://mycluster/> BalancerMember http://10.0.0.2 route=1 BalancerMember http://10.0.0.3 route=2 ProxySet stickysession=ROUTEID </Proxy> <Location "/balancer-manager"> SetHandler balancer-manager Require host localhost Require ip 192.168.2.0/24 Require host 1982.168.1.10 </Location> </VirtualHost>
Recent Comments