Difference between revisions of "Confluence NGINX"
(Created page with "server.xml ``` <Server port="8000" shutdown="SHUTDOWN" > <Service name="Tomcat-Standalone"> <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeo...") |
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | |||
| + | |||
server.xml | server.xml | ||
``` | ``` | ||
<Server port="8000" shutdown="SHUTDOWN" > | <Server port="8000" shutdown="SHUTDOWN" > | ||
| + | <!-- | ||
<Service name="Tomcat-Standalone"> | <Service name="Tomcat-Standalone"> | ||
| − | <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeout="40000 | + | <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeout="40000" |
maxThreads="248" minSpareThreads="25" maxSpareThreads="100" compression="on" | maxThreads="248" minSpareThreads="25" maxSpareThreads="100" compression="on" | ||
compressableMimeType="text/html,text/xml,text/plain" enableLookups="false" disableUploadTimeout="true" | compressableMimeType="text/html,text/xml,text/plain" enableLookups="false" disableUploadTimeout="true" | ||
acceptCount="100" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Nio2Protocol" secure="true" | acceptCount="100" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Nio2Protocol" secure="true" | ||
scheme="https" proxyName="kb.qa.example.com" proxyPort="443" SSLEnabled="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" clientAuth="false" | scheme="https" proxyName="kb.qa.example.com" proxyPort="443" SSLEnabled="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" clientAuth="false" | ||
| − | keyAlias="kb.qa.example.com" keystoreFile="/var/atlassian/application-data/confluence/kb. | + | keyAlias="kb.qa.example.com" keystoreFile="/var/atlassian/application-data/confluence/kb.dev.example.com.jks" keystorePass="changeme" keystoreType="JKS"/> |
| + | --> | ||
| − | <Connector port="8090" connectionTimeout="20000 | + | <Connector port="8090" connectionTimeout="20000" |
maxThreads="48" minSpareThreads="10" | maxThreads="48" minSpareThreads="10" | ||
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" | enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" | ||
protocol="org.apache.coyote.http11.Http11NioProtocol" | protocol="org.apache.coyote.http11.Http11NioProtocol" | ||
| − | scheme="https" secure="true" proxyName="kb. | + | scheme="https" secure="true" proxyName="kb.dev.example.com" proxyPort="443"/> |
| Line 33: | Line 37: | ||
</Server> | </Server> | ||
``` | ``` | ||
| + | |||
| + | /etc/nginx/conf.d/kb.qa.example.com.conf | ||
| + | ``` | ||
| + | # proxy_cache_path /nginxcache levels=1:2 keys_zone=STATIC:10m | ||
| + | # inactive=24h max_size=1g; | ||
| + | proxy_cache_path /var/run/nginx-cache levels=1:2 keys_zone=nginx-cache:10m max_size=500m; | ||
| + | |||
| + | server { | ||
| + | |||
| + | listen 80 default_server; | ||
| + | listen [::]:80 default_server; | ||
| + | if ($scheme != "https") { | ||
| + | return 301 https://$host$request_uri; | ||
| + | } | ||
| + | |||
| + | listen 443 ssl default_server; | ||
| + | listen [::]:443 ssl default_server; | ||
| + | server_name _; | ||
| + | # listen 443 default ssl; | ||
| + | |||
| + | |||
| + | # ssl_certificate /etc/nginx/selfsigned.crt; | ||
| + | # ssl_certificate_key /etc/nginx/selfsigned.key; | ||
| + | ssl_certificate /etc/nginx/kb.dev.example.com.crt; | ||
| + | ssl_certificate_key /etc/nginx/kb.dev.example.com.key; | ||
| + | |||
| + | ssl_session_timeout 5m; | ||
| + | |||
| + | ssl_protocols TLSv1.3 TLSv1.2; | ||
| + | ssl_prefer_server_ciphers on; | ||
| + | ssl_ecdh_curve secp521r1:secp384r1; | ||
| + | ssl_ciphers EECDH+AESGCM:EECDH+AES256; | ||
| + | |||
| + | ssl_session_cache shared:TLS:2m; | ||
| + | ssl_buffer_size 4k; | ||
| + | |||
| + | location /nginxhealth { | ||
| + | return 200 'healthy'; | ||
| + | add_header Content-Type text/plain; | ||
| + | } | ||
| + | |||
| + | location / { | ||
| + | |||
| + | proxy_cache nginx-cache; | ||
| + | |||
| + | proxy_cache_valid 1440m; | ||
| + | |||
| + | proxy_cache_min_uses 1; | ||
| + | |||
| + | add_header X-Proxy-Cache $upstream_cache_status; | ||
| + | # proxy_ignore_headers Cache-Control; | ||
| + | proxy_set_header X-Forwarded-Host $host; | ||
| + | proxy_set_header X-Forwarded-Server $host; | ||
| + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| + | proxy_pass http://localhost:8090; | ||
| + | } | ||
| + | |||
| + | location /synchrony { | ||
| + | proxy_set_header X-Forwarded-Host $host; | ||
| + | proxy_set_header X-Forwarded-Server $host; | ||
| + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| + | proxy_pass http://localhost:8091/synchrony; | ||
| + | proxy_http_version 1.1; | ||
| + | proxy_set_header Upgrade $http_upgrade; | ||
| + | proxy_set_header Connection "Upgrade"; | ||
| + | } | ||
| + | |||
| + | } | ||
| + | ``` | ||
| + | |||
| + | Enable via systemd | ||
| + | ``` | ||
| + | systemctl start nginx | ||
| + | systemctl enable nginx | ||
| + | ``` | ||
| + | |||
| + | keys | ||
| + | ``` | ||
| + | host=kb.dev.example.com; openssl pkcs12 -in $host.pfx -out $host.key -nocerts -nodes | ||
| + | host=kb.dev.example.com; openssl pkcs12 -in $host.pfx -out $host.crt -clcerts -nokeys | ||
| + | chown nginx:nginx $host.key $host.crt | ||
| + | chmod 0640 $host.key $host.crt | ||
| + | cp $host.key $host.crt /etc/nginx/ | ||
| + | ``` | ||
| + | |||
| + | selinux | ||
| + | ``` | ||
| + | grep nginx /var/log/audit/audit.log | audit2allow -M nginx | ||
| + | semodule -i nginx.pp | ||
| + | systemctl restart nginx | ||
| + | ``` | ||
| + | |||
| + | If having permissions issues with selinux (like cert files) | ||
| + | ``` | ||
| + | restorecon -Rv /etc/nginx/mycertfiles.* | ||
| + | systemctl start nginx | ||
| + | ``` | ||
| + | |||
| + | # REf | ||
| + | - https://serverfault.com/questions/758817/whats-the-redirect-port-for-in-tomcat | ||
| + | - https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html | ||
| + | - https://www.nginx.com/blog/using-nginx-plus-with-selinux/ | ||
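Review bot: The `<!--` added in the first hunk sits above `<Service name="Tomcat-Standalone">`, so the Service start tag is swallowed by the comment while `</Service>` further down is not; the resulting server.xml is not well-formed and Tomcat will refuse to start with it. Move the opener one line down so the order is `<Service name="Tomcat-Standalone">`, `<!--`, then the disabled 8081 connector. In the nginx file, `location /` enables `proxy_cache` with `proxy_cache_valid 1440m` in front of Confluence, whose responses are per-user; unless the cache is restricted to static paths, add `proxy_no_cache $http_cookie $http_authorization;` and `proxy_cache_bypass $http_cookie $http_authorization;` beside `proxy_cache nginx-cache;` so a response cached from one client is never replayed to another. The key recipe runs `chown`/`chmod` on the working copies and only then `cp`s them into /etc/nginx, so the installed files get umask-default ownership and modes rather than 0640; use `install -o root -g nginx -m 0640` instead. The commented-out 8081 connector also still carries `keystorePass="changeme"` verbatim; even placeholder secrets are better left out of a published page.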
Latest revision as of 05:52, 5 February 2022
server.xml
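<!-- Confluence's bundled Tomcat. TLS is terminated by nginx (see the nginx
     configuration below); Tomcat only listens for plain HTTP on 8090 and is
     told through proxyName/proxyPort/scheme/secure that clients really
     arrived over https://kb.dev.example.com:443, so generated links and
     redirects carry the public name. -->
<Server port="8000" shutdown="SHUTDOWN" >
  <!-- Shutdown listener: a TCP connection to port 8000 that sends the literal
       string "SHUTDOWN" stops the JVM. Tomcat binds it to localhost by default;
       use port="-1" if the shutdown port is never used. -->
  <Service name="Tomcat-Standalone">
    <!-- FIX: the comment opener used to sit above the <Service> start tag,
         which left </Service> below unmatched and made this file malformed.
         Disabled legacy connector that terminated TLS inside Tomcat (8081),
         kept for reference only. The keystore password is a placeholder;
         a real one must never be written into this page. -->
    <!--
    <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeout="40000"
               maxThreads="248" minSpareThreads="25" maxSpareThreads="100" compression="on"
               compressableMimeType="text/html,text/xml,text/plain" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Nio2Protocol" secure="true"
               scheme="https" proxyName="kb.qa.example.com" proxyPort="443" SSLEnabled="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" clientAuth="false"
               keyAlias="kb.qa.example.com" keystoreFile="/var/atlassian/application-data/confluence/kb.dev.example.com.jks" keystorePass="changeme" keystoreType="JKS"/>
    -->

    <!-- Active connector: plain HTTP, meant to be reached only by the nginx
         reverse proxy on this host (nginx proxies to http://localhost:8090).
         Because secure="true"/scheme="https" make Tomcat treat every request
         as already protected, the connector is bound to the loopback address;
         a direct plaintext connection from the network would otherwise be
         trusted as if it had come through the proxy. Remove the address
         attribute only if another host genuinely needs direct access to 8090. -->
    <Connector port="8090" address="127.0.0.1" connectionTimeout="20000"
               maxThreads="48" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" proxyName="kb.dev.example.com" proxyPort="443"/>

    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <!-- autoDeploy="false": nothing dropped into webapps is picked up at
           runtime; deployments are explicit. -->
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <!-- Confluence itself at the root context. useHttpOnly="true" marks the
             session cookie HttpOnly so page scripts cannot read it. -->
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname=""/>
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
        </Context>
        <!-- Tomcat-side proxy for the Synchrony collaborative-editing service. -->
        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>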
/etc/nginx/conf.d/kb.qa.example.com.conf
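# Shared response cache used by "location /" below. /var/run is normally a
# tmpfs, so the cache does not survive a reboot.
# proxy_cache_path /nginxcache levels=1:2 keys_zone=STATIC:10m
#                  inactive=24h max_size=1g;
proxy_cache_path /var/run/nginx-cache levels=1:2 keys_zone=nginx-cache:10m max_size=500m;

server {
    # One server block serves both plaintext and TLS. Anything that arrives
    # over plain HTTP is redirected to the same host and path over HTTPS.
    listen 80 default_server;
    listen [::]:80 default_server;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # listen 443 default ssl;

    # Certificate and key extracted from the PFX bundle (see "keys" below).
    # ssl_certificate /etc/nginx/selfsigned.crt;
    # ssl_certificate_key /etc/nginx/selfsigned.key;
    ssl_certificate /etc/nginx/kb.dev.example.com.crt;
    ssl_certificate_key /etc/nginx/kb.dev.example.com.key;

    ssl_session_timeout 5m;

    # TLS 1.2 and 1.3 only. ssl_ciphers restricts TLS 1.2 to ECDHE + AES-GCM /
    # AES-256 suites; TLS 1.3 suites are negotiated separately and are not
    # affected by this directive.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_ciphers EECDH+AESGCM:EECDH+AES256;

    ssl_session_cache shared:TLS:2m;
    ssl_buffer_size 4k;

    # Unauthenticated liveness probe answered by nginx itself. It says
    # nothing about whether Confluence on 8090 is reachable.
    location /nginxhealth {
        return 200 'healthy';
        add_header Content-Type text/plain;
    }

    location / {
        proxy_cache nginx-cache;
        proxy_cache_valid 1440m;
        proxy_cache_min_uses 1;

        # Confluence content is per-user and permission-checked. Never store,
        # and never serve from cache, a request that carries a session cookie
        # or an Authorization header; otherwise a response cached for one
        # client could be replayed to another for up to 1440m. Upstream
        # Cache-Control / Expires / Set-Cookie are still honoured because
        # proxy_ignore_headers is left disabled below.
        proxy_no_cache $http_cookie $http_authorization;
        proxy_cache_bypass $http_cookie $http_authorization;

        add_header X-Proxy-Cache $upstream_cache_status;
        # proxy_ignore_headers Cache-Control;

        # Tomcat's connector already carries proxyName/proxyPort and
        # scheme="https", so only the forwarded host and client address are
        # passed through here.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090;
    }

    # Synchrony (collaborative editing) speaks WebSocket, hence HTTP/1.1 and
    # the Upgrade/Connection pass-through. Deliberately not cached.
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

}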
Enable via systemd
# Register nginx to start at boot and start it right away.
systemctl enable nginx
systemctl start nginx
Keys: extract the private key and certificate from the PFX bundle and install them for nginx
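host=kb.dev.example.com

# Extract the private key and the leaf certificate from the PFX bundle.
# -nodes writes the key UNENCRYPTED, so create it under a restrictive umask
# instead of tightening permissions afterwards. openssl prompts for the PFX
# import password.
umask 077
openssl pkcs12 -in "$host.pfx" -out "$host.key" -nocerts -nodes
openssl pkcs12 -in "$host.pfx" -out "$host.crt" -clcerts -nokeys

# Install with explicit owner and mode. The previous recipe ran chown/chmod
# on the working copies and then cp'd them, so the files under /etc/nginx were
# created with the invoking user's default umask and ownership instead.
# The stock nginx master process opens the key as root before spawning the
# unprivileged workers, so root-only access is sufficient; if your master
# runs unprivileged, use "-o root -g nginx -m 0640" for the key instead.
install -o root -g root -m 0600 "$host.key" "/etc/nginx/$host.key"
install -o root -g root -m 0644 "$host.crt" "/etc/nginx/$host.crt"

# Remove the unencrypted working copy of the key once it is installed.
rm -f "$host.key"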
SELinux
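# On a targeted policy nginx typically runs as httpd_t, and the denial seen
# with this setup is usually the proxy connecting out to localhost:8090/8091.
# Prefer the purpose-built boolean over a generated module.
setsebool -P httpd_can_network_connect 1

# If denials remain, build a module from the audit log. audit2allow permits
# EVERY denial it sees, so read the generated nginx.te before installing it
# and drop anything that is not needed for this proxy.
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
cat nginx.te
semodule -i nginx.pp
systemctl restart nginx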
If SELinux denies nginx access to files it should be able to read (for example the certificate and key installed above), restore their default file contexts:
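# Reset the SELinux context of the certificate and key installed above
# (the previous placeholder "mycertfiles.*" matched nothing on this page),
# then start nginx.
restorecon -Rv /etc/nginx/kb.dev.example.com.*
systemctl start nginx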