Confluence | @sskaje

By @sskaje
Link: https://sskaje.me/2017/01/running-atlassian-confluencebamboobitbucket-nginx-ssl/

It’s easy to set up a reverse proxy forwarding requests to Atlassian’s products.

If you look up posts on Atlassian’s official confluence, you’ll get something correct but confusing.

Here is my nginx configuration, for all products except Confluence:

server {
	listen 127.0.0.1:80;
	listen 127.0.0.1:443 ssl  http2 proxy_protocol;

	ssl_certificate /etc/letsencrypt/live/bitbucket.sskaje.me/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/bitbucket.sskaje.me/privkey.pem;

	set_real_ip_from 127.0.0.1/32;
	real_ip_header proxy_protocol;

	if ($scheme = "http") {
		rewrite ^/(.*) https://$server_name/$1 redirect;
	}

	add_header  Content-Security-Policy upgrade-insecure-requests;

	access_log /var/log/nginx/bitbucket.sskaje.me-access.log;
	error_log  /var/log/nginx/bitbucket.sskaje.me-error.log;

	root /opt/atlassian-bitbucket/atlassian-bitbucket/;
	index index.html index.htm index.nginx-debian.html;

	server_name bitbucket.sskaje.me; 
	if ($http_x_forwarded_proto = '') {
		set $http_x_forwarded_proto  $scheme;
	}
	client_max_body_size 1G;


	location / {
		proxy_read_timeout  900s;

		proxy_pass http://127.0.0.1:7990;
		proxy_set_header    X-Forwarded-Port  $server_port;
		proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
		proxy_set_header    Host              $http_host;
		proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
	}
}

server {

listen 127.0.0.1:80;

listen 127.0.0.1:443 ssl http2 proxy_protocol;

ssl_certificate /etc/letsencrypt/live/bitbucket.sskaje.me/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/bitbucket.sskaje.me/privkey.pem;

set_real_ip_from 127.0.0.1/32;

real_ip_header proxy_protocol;

if ($scheme = "http") {

rewrite ^/(.*) https://$server_name/$1 redirect;

}

add_header Content-Security-Policy upgrade-insecure-requests;

access_log /var/log/nginx/bitbucket.sskaje.me-access.log;

error_log /var/log/nginx/bitbucket.sskaje.me-error.log;

root /opt/atlassian-bitbucket/atlassian-bitbucket/;

index index.html index.htm index.nginx-debian.html;

server_name bitbucket.sskaje.me;

if ($http_x_forwarded_proto = '') {

set $http_x_forwarded_proto $scheme;

}

client_max_body_size 1G;

location / {

proxy_read_timeout 900s;

proxy_pass http://127.0.0.1:7990;

proxy_set_header X-Forwarded-Port $server_port;

proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

proxy_set_header Host $http_host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

I have haproxy in front of Nginx, if you don’t, let nginx listens to 0.0.0.0:443 and 0.0.0.0:80.

And, for built-in tomcat, make sure you have following lines in server.xml:

                   secure="true"
                   scheme="https"
                   proxyName="bitbucket.sskaje.me
                   proxyPort="443"

secure="true"

scheme="https"

proxyName="bitbucket.sskaje.me

proxyPort="443"

So bitbucket’s server.xml looks like

        <Connector port="7990" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   useBodyEncodingForURI="true"
                   redirectPort="8443"
                   compression="on"
                   compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
                   secure="true"
                   scheme="https"
                   proxyName="bitbucket.sskaje.me"
                   proxyPort="443"

 />

<Connector port="7990" protocol="HTTP/1.1"

connectionTimeout="20000"

useBodyEncodingForURI="true"

redirectPort="8443"

compression="on"

compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"

secure="true"

scheme="https"

proxyName="bitbucket.sskaje.me"

proxyPort="443"

All other fields are all default values.

For Confluences, there’s something really stupid: ‘synchrony’.
According to official confluence, add lines below to nginx:

	location /synchrony-proxy/ {
		rewrite ^/synchrony-proxy/(.*) /synchrony/$1 break;

		proxy_read_timeout  900s;

		proxy_pass http://127.0.0.1:8091;
		proxy_set_header    X-Forwarded-Port  $server_port;
		proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
		proxy_set_header    Host              $http_host;
		proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;

		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
	}

location /synchrony-proxy/ {

rewrite ^/synchrony-proxy/(.*) /synchrony/$1 break;

proxy_read_timeout 900s;

proxy_pass http://127.0.0.1:8091;

proxy_set_header X-Forwarded-Port $server_port;

proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

proxy_set_header Host $http_host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

Other wise you’ll get function corrupted.

Running Atlassian Confluence/Bamboo/Bitbucket behind Nginx with SSL by @sskaje: https://sskaje.me/2017/01/running-atlassian-confluencebamboobitbucket-nginx-ssl/