Confluence Server With NGINX Reverse Proxy

It has been a while since my last post but I finally have something worthy of sharing...how to set up Confluence Server using the same reverse proxy as my Ghost installation. If you are curious about that process, you can see it here.

As I got started working through my OSCP course, a friend recommended using Confluence to track my progress, do my write ups, and basically organize my thoughts. I started off with the $10/month Cloud offering because it was easiest, but quickly decided that the $10/2 year self-hosted server version was a better option. Being as I already have a server, this seemed like it would be a simple process...not so.

Looking up a guide to install Confluence on Linux leads to this page. This page IS NOT a full installation guide, but a guide for JUST the Confluence part. It assumes you have already installed a database and have that squared away. I started off trying to set up a MySQL database but quickly found that Confluence does not support the latest MySQL version, and it was getting complicated to use an older version, so I decided to go with PostgreSQL (the Confluence guide here). Installing Postgres is pretty easy:

sudo apt-get install postgresql

You will create a postgres user and password during this. Then to set the database up for Confluence:

sudo -i -u postgres
psql
CREATE DATABASE confluence;
\c confluence
CREATE USER confluenceuser WITH PASSWORD 'somePassword';
ALTER DATABASE confluence OWNER TO confluenceuser;
ALTER ROLE confluenceuser WITH CREATEROLE CREATEDB;

Use \l to list databases and \du to show users/roles and permissions and \q to quit.

At this point, follow the Confluence install guide linked above to actually install Confluence. This will walk you through installing the server and then finalizing the configuration within the web UI. If you want to run Confluence locally, you are done.

If you want some security, then there are some more steps. In my case, I was already running Ghost over HTTPS so I figured I would try to use that same reverse proxy to handle connections to Confluence. The Confluence HTTPS setup guide is here.

For my setup, I just had to proxy the connection. Here is the Confluence guide. First was to add a CNAME record to my DNS pointing to the new subdomain I wanted to use. Then I updated my /etc/nginx/sites-enabled/ghost.conf file to handle the new traffic, adding two new server directives.

server {
  listen  80;
  server_name confluence.ratil.life;

  location ~ ^/.well-known {
    root /var/www/ghost;
  }

  location / {
    return 301 https://$server_name$request_uri;
  }
}

server {
  listen 443 ssl;
  server_name confluence.ratil.life;

  ssl_certificate /etc/letsencrypt/live/ratil.life/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/ratil.life/privkey.pem;

  ssl_session_timeout  5m;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
  ssl_prefer_server_ciphers   on;

  location / {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://localhost:8090;
  }
  location /synchrony {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://localhost:8091/synchrony;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
  }
}

You can check your config with nginx -t and then restart NGINX and Ghost with service nginx restart && /etc/init.d/ghost restart
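
nginx -t only validates syntax, so it accepts the TLSv1 and TLSv1.1 entries in the ssl_protocols line above, both of which were formally deprecated by RFC 8996. The following is an added example, not part of the original post: a small Python check that flags deprecated protocol versions and any proxy_pass backend that is not a literal loopback address, since the proxied hop is plain HTTP. The sample configs, the 10.0.0.5 address and the function names are constructed for illustration.

```python
import re

# SSL/TLS versions that should no longer be offered (RFC 8996 covers TLS 1.0/1.1).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def directives(conf, name):
    """Return the argument list of every `name ...;` directive in conf."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments before matching
    pattern = r"(?<![\w$])" + re.escape(name) + r"\s+([^;{}]+);"
    return [args.split() for args in re.findall(pattern, text)]

def audit(conf):
    """Return a list of findings for an nginx configuration string."""
    findings = []
    for args in directives(conf, "ssl_protocols"):
        for proto in sorted(DEPRECATED.intersection(args)):
            findings.append(f"ssl_protocols enables deprecated {proto}")
    for args in directives(conf, "proxy_pass"):
        # Host part of scheme://host[:port][/path]; IPv6 literals are bracketed.
        host = re.match(r"\w+://(\[[^\]]+\]|[^:/]+)", args[0])
        if not host or host.group(1) not in LOOPBACK:
            findings.append(f"proxy_pass backend {args[0]} is not loopback")
    return findings

# Constructed sample: the TLS and proxy lines of the HTTPS server block above.
PAGE_CONF = """
server {
  listen 443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  location / { proxy_pass http://localhost:8090; }
  location /synchrony { proxy_pass http://localhost:8091/synchrony; }
}
"""

# Constructed variant: modern protocols, but a backend on another host.
REMOTE_CONF = """
server {
  listen 443 ssl;
  ssl_protocols TLSv1.2 TLSv1.3;  # constructed example values
  location / { proxy_pass http://10.0.0.5:8090; }
}
"""

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("remote", REMOTE_CONF)):
        for finding in audit(conf):
            print(f"{label}: {finding}")
```

A backend referenced by an upstream name or a variable is also reported, because the check only accepts literal loopback addresses; treat that finding as a prompt to review where the name resolves.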

Lastly, update your Confluence Base URL in the General Configuration Settings to be the URL you use to access the site now.

This will still give you an SSL error if your cert is not a wildcard but at least your site traffic will be encrypted and you will be on your way.

A Few Notes

  • If you are going to proxy through NGINX, do not follow the Confluence SSL guide.
  • If you have a firewall running, this gets a bit messy. You will obviously need public access to 80 and 443. Confluence will require (by default) localhost access to 8090 and 8091. This is in addition to anything else you have rules for.
  • You can change those ports in /opt/atlassian/confluence/conf/server.xml
  • Make sure you have a lot of time to do this, you WILL run into issues.

Conclusion

I learned a lot from this, hopefully a few of these steps can help you save some time. I am sure I have an error in here somewhere so please let me know if something does not work for you. I had to do and undo so many things figuring this out I may have missed something.