
Apache Confluence Reverse Proxy (SSL)

This article demonstrates how to configure an Apache server as a reverse proxy for Confluence. Out of the box, Confluence runs on Tomcat and listens on TCP port 8090 without encryption. Our goal is to listen on port 80 and redirect every connection to port 443, where the reverse proxy provides the encryption.

We’re using LetsEncrypt to secure the Apache reverse proxy, and we completed that stage before configuring the reverse proxy component. Also note that we don’t need the DocumentRoot once the LetsEncrypt process is complete. See below for an example of the LetsEncrypt command. Remember to remove the redirect from the Apache server listening on port 80 before running LetsEncrypt.

./certbot-auto --authenticator webroot --webroot-path /var/www/html/confluence.example.com/confluence/ --installer apache -d confluence.example.com

Our port 80 (http://) Apache server looks like this:

<VirtualHost *:80>
    TimeOut 1000

    ServerName confluence.example.com
    ServerAdmin [email protected]
    ErrorLog logs/confluence.example.com.au_log
    CustomLog logs/confluence.example.com_log common

    # Webroot used by the LetsEncrypt webroot authenticator
    DocumentRoot /var/www/html/confluence.example.com/confluence
    <Directory /var/www/html/confluence.example.com/confluence>
        Options Indexes FollowSymLinks
        AllowOverride All
        # Apache 2.4 access control (the END flag below also requires 2.4)
        Require all granted
    </Directory>

    # Send every plain-HTTP request to the HTTPS virtual host
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =confluence.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Our port 443 (https://) Apache reverse proxy server looks like this:

<VirtualHost *:443>
    TimeOut 1000

    # TLS is terminated here; the hop to Confluence stays on plain HTTP
    SSLEngine On
    SSLProxyEngine On
    RewriteEngine On

    # Reverse proxy only: never act as a forward proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # Tell Confluence the client connected over HTTPS on port 443 (needs mod_headers)
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Forward all requests to Confluence on the local Tomcat port
    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/

    ServerName confluence.example.com
    ServerAdmin [email protected]
    ErrorLog logs/confluence.example.com_log
    CustomLog logs/confluence.example.com_log common
    DocumentRoot /var/www/html/confluence.example.com/confluence

    <Directory /var/www/html/confluence.example.com/confluence>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    SSLCertificateFile /etc/letsencrypt/live/confluence.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/confluence.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/confluence.example.com/chain.pem
</VirtualHost>
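
To check a config against the layout described above before reloading Apache, the following added example (not part of the original article) parses the two virtual hosts and reports where the redirect, the TLS listener, or the loopback-only backend is missing. The function names parse_vhosts and audit and the embedded SAMPLE config are assumptions made for this illustration.

```python
import re

# Constructed sample: the security-relevant directives of the two vhosts above.
SAMPLE = """
<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  SSLEngine On
  ProxyRequests Off
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://localhost:8090/
</VirtualHost>
"""
LOOPBACK = re.compile(r"https?://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(/|$)", re.I)

def parse_vhosts(text):
    """Map each <VirtualHost> port to its directives, each a list of tokens."""
    vhosts, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)>", line, re.I)
        if opened:
            current = vhosts.setdefault(int(opened.group(1)), [])
        elif line.lower() == "</virtualhost>":
            current = None
        elif current is not None and line and line[0] not in "<#":
            current.append(line.replace('"', "").split())
    return vhosts

def audit(text):
    """Return findings where the config departs from the layout in the article."""
    http, https = (parse_vhosts(text).get(port, []) for port in (80, 443))
    def has(directives, *want):
        return any([t.lower() for t in d[:len(want)]] == list(want) for d in directives)
    findings = []
    if not any(d[0].lower() == "rewriterule" and len(d) > 2
               and d[2].startswith("https://") for d in http):
        findings.append("port 80 vhost does not redirect to https")
    if not has(https, "sslengine", "on"):
        findings.append("port 443 vhost does not enable SSLEngine")
    if has(https, "proxyrequests", "on"):
        findings.append("ProxyRequests On turns the server into a forward proxy")
    if not has(https, "requestheader", "set", "x-forwarded-proto", "https"):
        findings.append("X-Forwarded-Proto https is not set for the backend")
    for d in https:
        if d[0].lower() == "proxypass" and len(d) > 2 and not LOOPBACK.match(d[2]):
            findings.append("ProxyPass backend %s is not a loopback address" % d[2])
    return findings
```

Calling audit() on the text of a real config file returns an empty list when all checks pass. The loopback check matters because the hop to port 8090 is unencrypted, so it should not leave the host.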
