Difference between revisions of "Confluence NGINX"

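--- a/Confluence NGINX
+++ b/Confluence NGINX
@@ -1,18 +1,25 @@
+```
+host=kb.dev.example.com; openssl pkcs12 -in $host.pfx -out $host.key -nocerts -nodes
+host=kb.dev.example.com; openssl pkcs12 -in $host.pfx -out $host.crt -clcerts -nokeys
+```
+
 server.xml
 ```
 <Server port="8000" shutdown="SHUTDOWN" >
+    <!--
     <Service name="Tomcat-Standalone">
-                <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeout="40000" redirectPort="8443"
+                <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeout="40000"
         maxThreads="248" minSpareThreads="25" maxSpareThreads="100" compression="on"
         compressableMimeType="text/html,text/xml,text/plain" enableLookups="false" disableUploadTimeout="true"
         acceptCount="100" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Nio2Protocol" secure="true"
         scheme="https" proxyName="kb.qa.example.com" proxyPort="443" SSLEnabled="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" clientAuth="false"
-        keyAlias="kb.qa.example.com" keystoreFile="/var/atlassian/application-data/confluence/kb.qa.example.com.jks" keystorePass="changeme" keystoreType="JKS"/>
+        keyAlias="kb.qa.example.com" keystoreFile="/var/atlassian/application-data/confluence/kb.dev.example.com.jks" keystorePass="changeme" keystoreType="JKS"/>
+     -->
 
-<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
+<Connector port="8090" connectionTimeout="20000"
    maxThreads="48" minSpareThreads="10"
    enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
-   scheme="https" secure="true" proxyName="kb.qa.example.com" proxyPort="443"/>
+   scheme="https" secure="true" proxyName="kb.dev.example.com" proxyPort="443"/>
 
 
@@ -56,6 +63,6 @@
     # ssl_certificate    /etc/nginx/selfsigned.crt;
     # ssl_certificate_key /etc/nginx/selfsigned.key;
-    ssl_certificate    /etc/nginx/kb.qa.example.com.crt;
-    ssl_certificate_key /etc/nginx/kb.qa.example.com.key;
+    ssl_certificate    /etc/nginx/kb.dev.example.com.crt;
+    ssl_certificate_key /etc/nginx/kb.dev.example.com.key;
 
     ssl_session_timeout  5m;
@@ -101,3 +108,16 @@
 
 }
+```
+
+Enable via systemd
+```
+systemctl start nginx
+systemctl enable nginx
+```
+
+selinux
+```
+grep nginx /var/log/audit/audit.log | audit2allow -M nginx
+semodule -i nginx.pp
+systemctl restart nginx
 ```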
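Review bot: The selinux hunk installs whatever policy audit2allow derives from every audit line that merely contains the string nginx, so each logged denial, related to the proxy or not, becomes a permanent allow rule; the page should say to read `nginx.te` before `semodule -i nginx.pp`, and to try the stock boolean first, `setsebool -P httpd_can_network_connect 1`, which normally covers the localhost:8090 connect on policies where nginx runs as httpd_t. The server.xml hunk also keeps the commented-out Tomcat TLS connector together with `keystorePass="changeme"` and a keystore path; since that connector is disabled, dropping the whole block avoids leaving a password attribute in a published config. The nginx hunk points ssl_certificate_key at the PEM produced by the new `-nodes` command in the first hunk, i.e. an unencrypted key, so a line stating it must be root-owned, mode 0600, belongs next to it.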
  

Revision as of 05:47, 4 February 2022

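# Split the PKCS#12 bundle into the PEM key and certificate that nginx expects.
# -nodes writes the private key UNENCRYPTED, so create it under a restrictive
# umask rather than the default (which can leave it world-readable).
host=kb.dev.example.com
umask 077
openssl pkcs12 -in "$host.pfx" -out "$host.key" -nocerts -nodes
openssl pkcs12 -in "$host.pfx" -out "$host.crt" -clcerts -nokeys
chmod 644 "$host.crt"   # the certificate is public; the key stays 0600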

server.xml

<!-- Tomcat container configuration for Confluence behind the nginx reverse proxy
     shown further down this page. Only the plain-HTTP connector on 8090 is live;
     the Tomcat-side TLS connector is commented out because nginx terminates TLS. -->
<Server port="8000" shutdown="SHUTDOWN" >
    <!--
    <Service name="Tomcat-Standalone">
                <Connector port="8081" maxHttpHeaderSize="8192" connectionTimeout="40000"
        maxThreads="248" minSpareThreads="25" maxSpareThreads="100" compression="on"
        compressableMimeType="text/html,text/xml,text/plain" enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Nio2Protocol" secure="true"
        scheme="https" proxyName="kb.qa.example.com" proxyPort="443" SSLEnabled="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" clientAuth="false"
        keyAlias="kb.qa.example.com" keystoreFile="/var/atlassian/application-data/confluence/kb.dev.example.com.jks" keystorePass="changeme" keystoreType="JKS"/>
     -->
    <!-- NOTE(review): the disabled connector above still carries a keystore path and a
         placeholder keystorePass. Delete the block rather than keep a password attribute
         in a configuration that is published on this wiki. -->

<!-- HTTP connector that nginx proxies to (proxy_pass http://localhost:8090 below).
     scheme/secure/proxyName/proxyPort make Confluence build https://kb.dev.example.com
     links even though this connector speaks plain HTTP, so proxyName must stay in step
     with the nginx server name and certificate.
     NOTE(review): no address="..." binding is set, so nothing in this file limits 8090
     to localhost; confirm a host firewall does, or bind it to 127.0.0.1 so clients
     cannot reach Tomcat directly and bypass the TLS front end. -->
<Connector port="8090" connectionTimeout="20000"
   maxThreads="48" minSpareThreads="10"
   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   scheme="https" secure="true" proxyName="kb.dev.example.com" proxyPort="443"/>


        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <!-- useHttpOnly="true" flags the session cookie HttpOnly so page scripts cannot read it. -->
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname=""/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>

                <!-- Synchrony (collaborative editing) proxy context; reached via the nginx /synchrony location. -->
                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

/etc/nginx/conf.d/kb.qa.example.com.conf

    # Reverse-proxy front end for Confluence: terminates TLS, redirects plain HTTP
    # to https, and forwards to the Tomcat connectors on localhost:8090 (Confluence)
    # and localhost:8091 (Synchrony).
    # NOTE(review): the page labels this file kb.qa.example.com.conf while the
    # certificate paths below are kb.dev.example.com; confirm which name is current.
    # Earlier cache-path experiment, kept for reference:
    # proxy_cache_path  /nginxcache  levels=1:2    keys_zone=STATIC:10m
    # inactive=24h  max_size=1g;
# Shared cache zone used by "location /" below.
# NOTE(review): /var/run is usually tmpfs, so this cache is RAM-backed and lost on
# reboot; confirm the host can spare max_size=500m.
proxy_cache_path /var/run/nginx-cache levels=1:2 keys_zone=nginx-cache:10m max_size=500m;

server {

    # Plain-HTTP listeners: requests arriving here have $scheme = http and are
    # bounced to https by the if() below; requests on the TLS listeners fall through.
    listen 80 default_server;
    listen [::]:80 default_server;
    # NOTE(review): the redirect target echoes the client-supplied Host header via
    # $host. With one fixed public name, redirecting to that literal name instead
    # keeps clients from being sent to whatever Host value they presented.
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
# Catch-all server name; this block answers for any Host.
server_name _;
    # listen 443 default ssl;


    # ssl_certificate     /etc/nginx/selfsigned.crt;
    # ssl_certificate_key /etc/nginx/selfsigned.key;
    # PEM pair extracted from the .pfx with openssl pkcs12 (top of this page).
    # The key was written with -nodes, i.e. unencrypted: keep it root-owned, mode 0600.
    ssl_certificate     /etc/nginx/kb.dev.example.com.crt;
    ssl_certificate_key /etc/nginx/kb.dev.example.com.key;

    ssl_session_timeout  5m;

    # TLS 1.2/1.3 only, ECDHE key exchange with AES-GCM / AES-256 suites, and the
    # server's preference order wins.
    # NOTE(review): no Strict-Transport-Security header is set anywhere in this file;
    # consider adding one once the https redirect is known to be stable.
    ssl_protocols TLSv1.3 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp521r1:secp384r1;
  ssl_ciphers EECDH+AESGCM:EECDH+AES256;

  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;

# Unauthenticated liveness probe answered by nginx itself; it is never proxied.
location /nginxhealth {
    return 200 'healthy';
    add_header Content-Type text/plain;
}

    # Main Confluence traffic, served through the nginx-cache zone declared above.
    location / {

proxy_cache nginx-cache;

# No status list given, so nginx's default set of cacheable statuses is kept for 24h.
proxy_cache_valid 1440m;

proxy_cache_min_uses 1;

# Exposes HIT/MISS/BYPASS to every client; useful while tuning, drop it afterwards.
add_header X-Proxy-Cache $upstream_cache_status;
# NOTE(review): the cache key is the default (scheme + host + URI) with no per-user
# component. Cross-user leakage is avoided only because nginx honours Confluence's
# Set-Cookie / Cache-Control on private pages. Leave the next line commented out;
# ignoring Cache-Control would let authenticated pages be cached and served to others.
# proxy_ignore_headers Cache-Control;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # No X-Forwarded-Proto is sent: the Tomcat connector's scheme="https" /
        # secure="true" (server.xml above) tells Confluence the public scheme instead.
        proxy_pass http://localhost:8090;
    }

    # Synchrony (collaborative editing) needs a WebSocket-capable hop: HTTP/1.1
    # plus the Upgrade and Connection headers passed through to Tomcat.
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

}

Enable via systemd

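# Check the configuration before starting: a syntax error in the conf file
# above should not be started now or enabled at boot.
nginx -t && systemctl start nginx
systemctl enable nginx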

selinux

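# nginx connects out to localhost:8090/8091; on RHEL-family targeted policy
# (nginx runs as httpd_t) that connect is denied by default. Try the stock
# boolean before installing a custom module:
#   setsebool -P httpd_can_network_connect 1
# If denials remain, build a module from them. audit2allow turns EVERY matched
# audit line into an allow rule, and the grep matches any line that mentions
# nginx, so read the generated rules before loading the module.
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
cat nginx.te
semodule -i nginx.pp
nginx -t && systemctl restart nginx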

Ref