Edit 2018-03-06: I have put a script on GitHub that does all the set-up from this post and from the original installation post in one go: https://github.com/sjoulaei/install-confluence-centos
================================================================
In this short tutorial I will go through how to enable SSL on Confluence on CentOS 7.
Atlassian applications support SSL across the product range, but Atlassian support does not cover the configuration of third-party software such as a web server. There are many useful articles on the Atlassian website on the subject, but it is hard to follow a single one from A to Z, especially on CentOS 7, whose default repositories do not ship the Apache version those articles assume.
There are a few different ways to do this; here I use the Apache web server as a reverse proxy. Apache terminates HTTPS and Confluence keeps listening on plain HTTP (port 8090) behind it, so the Confluence port should not be reachable from outside the host.
You need to have Confluence installed and working to continue with this tutorial. If you have not installed it yet, you can do so by following my other post: How to install Confluence on Centos7 with postgresql
If you are looking for the Jira version of this article, see: how to enable SSL on Jira software (Centos 7). The two are very similar; the only difference is an extra proxy rule for Synchrony, the collaborative editing service added in Confluence 6.
Environment
OS: CentOS 7.3
Apache web server: 2.4.18 (installed from the httpd24 Software Collection, since the base repository only ships 2.4.6)
Install Dependencies
sudo yum -y update
sudo yum -y install centos-release-scl-rh
sudo yum -y install httpd24-httpd
sudo yum -y install httpd24-mod_ssl.x86_64
sudo yum -y install httpd24-mod_proxy_html.x86_64
Prepare SSL certificate
Get your certificate and private key files from your certificate authority and copy them into a directory on the machine. The private key should be readable by root only (the key is read by httpd before it drops privileges), so keep it out of any directory that is world-readable.
For example:
/etc/ssl/certs/yourdomain_cert.crt
/etc/ssl/private/yourdomain_key.key
Set-up Apache
sudo vim /opt/rh/httpd24/root/etc/httpd/conf.d/confluence.conf
Note that the directory used for ErrorLog and CustomLog has to exist before you restart, otherwise httpd fails to open its log files and will not start. The certificate and key paths must be the ones you copied the files to in the previous step.
<VirtualHost *:443>
    ServerName confluence.yourdomain.com
    ServerAlias confluence.yourdomain.com
    DocumentRoot /opt/rh/httpd24/root/var/www/confluence/public
    ErrorLog /opt/rh/httpd24/root/var/www/confluence/error.log
    CustomLog /opt/rh/httpd24/root/var/www/confluence/requests.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Off

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/synchrony
    RewriteRule ^/(.*) http://confluence.yourdomain.com:8090/$1 [P]

    <Proxy *>
        Require all granted
    </Proxy>

    # Synchrony (collaborative editing) listens on 8091 and needs its WebSocket
    # upgrade proxied as ws://. This ProxyPass must come before the catch-all "/".
    ProxyPass /synchrony http://confluence.yourdomain.com:8091/synchrony
    <Location /synchrony>
        Require all granted
        RewriteEngine on
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
        RewriteRule .* ws://confluence.yourdomain.com:8091%{REQUEST_URI} [P]
    </Location>

    ProxyPass / http://confluence.yourdomain.com:8090/
    ProxyPassReverse / http://confluence.yourdomain.com:8090/
    <Location />
        Require all granted
    </Location>

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/yourdomain_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain_key.key
</VirtualHost>

<VirtualHost *:80>
    ServerName confluence.yourdomain.com
    Redirect permanent / https://confluence.yourdomain.com/
</VirtualHost>
sudo systemctl restart httpd24-httpd
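As an added example, which is not the post's own configuration and not the GitHub script mentioned at the top, the following shell script renders the same vhost from a hostname and a pair of certificate paths, drops the duplicate RewriteRule (ProxyPass / already sends everything that is not /synchrony to port 8090), adds TLS hardening the post does not include (TLS 1.2 only, no TLS compression, an HSTS header), checks the ProxyPass order before deploying, and runs configtest through the Software Collection before restarting. The hardening directives, the scl invocation and the lint heuristic are my assumptions about the environment, not something the original post states.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render, lint and deploy the reverse-proxy
# vhost. Paths follow the post; SSLProtocol/SSLCompression/HSTS and the scl call are
# assumptions about your environment.
set -eu

# Emit the vhost for HOST using the given certificate and key paths.
render_vhost() {
    local host="$1" crt="$2" key="$3"
    local root="/opt/rh/httpd24/root/var/www/confluence"
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $root/public
    ErrorLog $root/error.log
    CustomLog $root/requests.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Off

    # Synchrony (collaborative editing, Confluence 6+) on 8091; the WebSocket
    # upgrade is rewritten to ws:// so mod_proxy_wstunnel carries it.
    # Longer ProxyPass prefixes must come before the catch-all "/".
    ProxyPass /synchrony http://$host:8091/synchrony
    <Location /synchrony>
        Require all granted
        RewriteEngine On
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
        RewriteRule .* ws://$host:8091%{REQUEST_URI} [P]
    </Location>

    ProxyPass / http://$host:8090/
    ProxyPassReverse / http://$host:8090/
    <Location />
        Require all granted
    </Location>

    SSLEngine On
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    # Hardening not in the original post: TLS 1.2 only, server-chosen cipher order,
    # no TLS compression, and HSTS so browsers stop trying http:// at all.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCompression Off
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>
EOF
}

# Return 0 only if the /synchrony ProxyPass appears before the catch-all "/" one;
# the other way round the catch-all swallows Synchrony traffic.
lint_vhost() {
    local conf="$1" syn all
    syn=$(grep -n '^ *ProxyPass /synchrony ' "$conf" | cut -d: -f1 | head -1)
    all=$(grep -n '^ *ProxyPass / ' "$conf" | cut -d: -f1 | head -1)
    [ -n "$syn" ] && [ -n "$all" ] && [ "$syn" -lt "$all" ]
}

# Write the vhost into the httpd24 conf.d directory, lint it, syntax-check it
# with the collection's apachectl (assumes scl-utils), then restart.
install_vhost() {
    local conf=/opt/rh/httpd24/root/etc/httpd/conf.d/confluence.conf
    render_vhost "$1" "$2" "$3" > "$conf"
    lint_vhost "$conf"
    scl enable httpd24 'apachectl configtest'
    systemctl restart httpd24-httpd
}

if [ "${1:-}" = "--install" ]; then
    install_vhost "${2:?hostname}" "${3:?certificate path}" "${4:?key path}"
fi
```

Run it as root with `--install confluence.yourdomain.com /etc/ssl/certs/yourdomain_cert.crt /etc/ssl/private/yourdomain_key.key`; without arguments it only defines the functions, so it can be sourced to render the config to stdout and diff it against a hand-edited file.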
If SELinux is enforcing it may stop httpd24 from starting (it is not allowed to write log files in a directory labelled as web content) or from proxying (it is not allowed to open outbound connections to ports 8090 and 8091). The quick way around this, used here, is to switch SELinux off by editing the file below. Be aware that this removes SELinux protection from the whole host, not just from Apache; the targeted alternative is to keep it enforcing, grant httpd outbound network access with the httpd_can_network_connect boolean and label the log directory so httpd may write to it.
sudo vim /etc/sysconfig/selinux
Change SELINUX=enforcing to permissive or disabled; a reboot is needed for the change to take effect. For more details on SELinux refer to: An introduction to SELinux on Centos 7
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
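Rather than switching SELinux off, the following added script (mine, not from the original post) reads the AVC denials that httpd produced and translates each into the least-privilege remedy: the httpd_can_network_connect boolean for refused outbound connections to the Confluence and Synchrony ports, and an httpd_log_t label for refused writes to the log directory. It assumes the audit log is at /var/log/audit/audit.log, that policycoreutils-python is installed (for semanage), and that httpd24 runs in the httpd_t domain as it does under the targeted policy; the sample AVC line is constructed in auditd's format, not a real capture.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: keep SELinux enforcing and grant httpd
# only what the reverse proxy needs, driven by the AVC denials it actually produced.
# Assumptions: audit log path, policycoreutils-python present (semanage), httpd_t domain.
set -eu

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
LOG_DIR="${LOG_DIR:-/opt/rh/httpd24/root/var/www/confluence}"

# Print unique "permission tclass" pairs for every AVC denial attributed to httpd.
# Reads audit lines from stdin so it works on the live log or a saved copy.
httpd_avc_denials() {
    awk '/type=AVC/ && /denied/ && /comm="httpd"/ {
        perm = ""; tclass = ""
        if (match($0, /[{] [a-z_]+ [}]/)) perm   = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /tclass=[a-z_]+/))  tclass = substr($0, RSTART + 7, RLENGTH - 7)
        if (perm != "" && tclass != "") print perm, tclass
    }' | sort -u
}

# Map one denial to the least-privilege remedy instead of disabling SELinux.
selinux_remedy() {
    local perm="$1" tclass="$2"
    case "$perm $tclass" in
        "name_connect tcp_socket")
            # mod_proxy must open outbound TCP connections to Confluence (8090) and Synchrony (8091).
            echo "setsebool -P httpd_can_network_connect 1" ;;
        "write file"|"append file"|"create file"|"write dir"|"add_name dir")
            # httpd may only write where the label allows it: mark the log files httpd_log_t.
            echo "semanage fcontext -a -t httpd_log_t '$LOG_DIR/.*\\.log' && restorecon -Rv '$LOG_DIR'" ;;
        *)
            echo "# no canned remedy for '$perm' on '$tclass'; run: ausearch -m AVC -c httpd | audit2why" ;;
    esac
}

# Constructed sample line (not a real capture) in the format auditd writes: httpd
# refused an outbound connection to port 8090 while proxying a request.
SAMPLE_AVC='type=AVC msg=audit(1520326800.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

case "${1:-}" in
    --demo)   # offline: show what the sample denial translates to
        printf '%s\n' "$SAMPLE_AVC" | httpd_avc_denials | while read -r p t; do selinux_remedy "$p" "$t"; done ;;
    --apply)  # live, as root: translate every httpd denial in the audit log and run the remedies
        httpd_avc_denials < "$AUDIT_LOG" | while read -r p t; do
            cmd=$(selinux_remedy "$p" "$t"); echo "+ $cmd"; eval "$cmd"
        done
        getenforce ;;
esac
```

Run `--demo` to see the mapping on the constructed line and `--apply` as root on the real host after a failed start. httpd_can_network_connect lets httpd connect to any port; if you want it tighter, add 8090 and 8091 to http_port_t with semanage port and use the narrower httpd_can_network_relay boolean instead.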
Set-up Confluence
sudo vim /opt/atlassian/confluence/conf/server.xml
Update the HTTP connector so it looks like the one below. The proxyName, proxyPort and scheme attributes tell Tomcat the address clients actually use, so redirects and absolute URLs are generated as https://confluence.yourdomain.com rather than the internal http address on 8090. After the restart, also set the Base URL under General Configuration to https://confluence.yourdomain.com, otherwise Confluence warns about a base URL mismatch.
<Connector port="8090"
           maxThreads="48"
           minSpareThreads="10"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="443"
           acceptCount="10"
           disableUploadTimeout="true"
           URIEncoding="UTF-8"
           proxyName="confluence.yourdomain.com"
           proxyPort="443"
           scheme="https" />
sudo systemctl restart confluence
Add certificate keys to the Confluence keystore
If you have followed the steps up to here your server should be accessible over https. Confluence may still complain that it cannot connect to itself: its health checks open https connections back to the proxy from the Java side. This happens when the Java runtime bundled with Confluence does not trust the certificate the proxy presents, which is the case for certificates from a private or internal CA and for self-signed certificates; a certificate from a public CA is normally already trusted through the JRE's cacerts store and needs no extra step.
Follow these steps to add the certificate to the Confluence keystore.
cd ~
openssl s_client -connect confluence.yourdomain.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
sudo /opt/atlassian/confluence/jre/bin/keytool -import -alias confluence.yourdomain.com -keystore /opt/atlassian/confluence/jre/lib/security/cacerts -file public.crt
Enter 'changeit' as the keystore password (the default for the Java cacerts store). Two caveats: the commands above import only the server's leaf certificate, so trust breaks as soon as the certificate is renewed (importing the issuing CA's certificate instead survives renewals), and a Confluence upgrade replaces the bundled JRE together with its cacerts file, so the import has to be redone after upgrading.
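As an added example, not from the original post, the following script fetches the whole chain the proxy presents (openssl s_client without -showcerts prints only the leaf), splits it into one PEM file per certificate, imports the issuer certificates rather than the leaf so the trust survives renewal, and verifies the aliases are listed afterwards. The paths follow the original install; the alias prefix and the environment-variable overrides are my assumptions, and the two-certificate bundle used by the demo mode is constructed, not a real chain.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: import the issuer certificates of the
# proxy's chain into the JRE bundled with Confluence. Assumptions: the paths below
# match the original install; the alias prefix "<host>-chain-N" is arbitrary.
set -eu

HOST="${HOST:-confluence.yourdomain.com}"
KEYTOOL="${KEYTOOL:-/opt/atlassian/confluence/jre/bin/keytool}"
CACERTS="${CACERTS:-/opt/atlassian/confluence/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # Java's default cacerts password

# Split a PEM bundle read from stdin into <prefix>-1.pem, <prefix>-2.pem, ... in the
# order the server sent them (leaf first) and print how many certificates were
# written. Text handling only, so it can be exercised offline on a constructed bundle.
split_pem_chain() {
    awk -v prefix="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }'
}

cert_subject() { openssl x509 -noout -subject -in "$1"; }

fetch_and_import() {
    local work count first i f alias
    work=$(mktemp -d)
    # -showcerts prints the full chain; the original one-liner captured only the leaf,
    # which stops being trusted the day the certificate is renewed.
    openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
        | split_pem_chain "$work/chain" >/dev/null
    count=$(ls "$work"/chain-*.pem | wc -l)
    # With issuer certificates present, trust those and skip the leaf. A self-signed
    # certificate is its own issuer, so it is the only thing there is to import.
    first=1; [ "$count" -gt 1 ] && first=2
    for i in $(seq "$first" "$count"); do
        f="$work/chain-$i.pem"; alias="$HOST-chain-$i"
        if "$KEYTOOL" -list -alias "$alias" -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null 2>&1; then
            echo "alias $alias already present, skipping"; continue
        fi
        echo "importing $(cert_subject "$f") as $alias"
        "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$alias" \
            -keystore "$CACERTS" -storepass "$STOREPASS" -file "$f"
    done
    # Verify: every alias we added must now be listed in the store.
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" | grep -i "$HOST-chain-"
    rm -rf "$work"
}

# Constructed two-certificate bundle (placeholder bodies, not real certificates) for
# the offline demo; a real chain has base64 DER between the markers.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
LEAF-CERTIFICATE-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUER-CERTIFICATE-PLACEHOLDER
-----END CERTIFICATE-----'

case "${1:-}" in
    --import) fetch_and_import ;;
    --demo)   d=$(mktemp -d); printf '%s\n' "$SAMPLE_BUNDLE" | split_pem_chain "$d/chain"; ls "$d" ;;
esac
```

Run `sudo ./import-chain.sh --import` on the Confluence host after Apache is serving https; `--demo` shows the splitting on the constructed bundle without touching the keystore. Because the bundled JRE is replaced on upgrade, keep the script and rerun it after each Confluence upgrade.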