Versions Compared

Old Version 8

changes.mady.by.user Dick Visser

Saved on

compared with

New Version 9

changes.mady.by.user Dick Visser

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
sudo su - postgres
createuser -S -d -r -P -E confuser
createdb -O confuser confluence

 

Confluence - part 1

 This is a default install of Confluence, which has only local account and no federated logins - that comes later in part 2.

...

Code Block
ServerName example.com
 
ProxyRequests Off
<Proxy http://ip6-localhost:8090>
        Order deny,allow
        Allow from all
</Proxy>


ProxyPass /mellon/ !
ProxyPass / http://ip6-localhost:8090/
ProxyPassReverse / http://ip6-localhost:8090/


# Mobile theme does not honour new seraph values for login URL, so we have to redirect that
RewriteEngine on
RewriteCond     %{QUERY_STRING} ^originalUrl=(.*)$      [NC]
Rewriterule     ^/plugins/servlet/mobile/login          /mellon/login?ReturnTo=%1 [R,NE]

<Location />
        MellonEnable "info"
        MellonSecureCookie On
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp.xml

        # To avoid security holes, first unset any existing header
        RequestHeader unset REMOTE_USER
        # Then conditionally set it
        RequestHeader set REMOTE_USER "%{MELLON_eduPersonPrincipalName}e" env=MELLON_eduPersonPrincipalName

        RequestHeader unset CONF_FULL_NAME
        RequestHeader set CONF_FULL_NAME "%{MELLON_displayName}e" env=MELLON_displayName

        RequestHeader unset CONF_EMAIL
        RequestHeader set CONF_EMAIL "%{MELLON_mail}e" env=MELLON_mail
</Location>

...

 

Code Block
languagehtml/xml
        <action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
            <interceptor-ref name="defaultStack"/>
            <result name="error" type="velocity">/logout.vm</result>
            <result name="success" type="redirect">/login.action?logout=true</result>
        </action>

to this:

Code Block
languagehtml/xml
        <action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
            <interceptor-ref name="defaultStack"/>
            <result name="error" type="velocity">/logout.vm</result>
            <result name="success" type="redirect">/mellon/logout?ReturnTo=%2Fdashboard.action</result>
        </action>

 

Now "jar" everything up again and replace the original jar:

Code Block
languagebash
cd /tmp/jar
jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.1.jar .

Restart Confluence. You should now also be able to use federated logins on your iPad/etc.

 

Post install 

Limit access to the unprotected TCP port

Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"