Hi,
I've got Confluence working via https on CentOS 6 (following https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html) and it currently redirects http://<website> to https://<website>:8443 fine.
What I'd also like to do is forward https://<website> (i.e. no port specified but https specified) to https://<website>:8443. At the moment if you specify https without specifying a port it cannot display the page. I suspect a few users will expect to get to the website this way.
Cheers,
Tim
I'd strongly recommend proxying your Confluence with either Apache or Nginx.
Here is Atlassian's documentation on it.
https://confluence.atlassian.com/doc/using-apache-with-virtual-hosts-and-mod_proxy-173685.html
I also like that you give your users a friendly (simple) URL. That will definitely make the application more used.
Cheers,
Lars, Kantega Single Sign-on
Lars - will look at that I think for the future but does it add another layer of complexity?
Hi Tim,
Usually https://<website> should listen on :443, so it should be sufficient to redirect incoming requests on :443 or https://<website>:443 to https://<website>:8443 in your vhosts file. Hope that helps?
Cheers
Christoph
Christoph - I was thinking along those lines but I'm not sure where (or how) to do that. I'm still learning Linux (somewhere between beginner and intermediate) and am definitely a beginner as far as Confluence goes.
Would this be done in the firewall (iptables) rules or in server.xml? Perhaps even somewhere different?
Cheers,
Tim
Tim - stupid question maybe, but why don't you just change the port for Confluence to 443 (if using https, to 80 if not)? This should be possible in the server.xml. For the future I definitely recommend that you use Apache or nginx as a proxy as Lars described, as it is the usual setup.
yum groupinstall webserver
chkconfig httpd on
Add the following to /etc/httpd/conf.d/wiki.example.com.conf
<VirtualHost *:80>
    ServerName wiki.example.com
    ServerAlias wiki
    ProxyPreserveHost On
    RewriteEngine on
    # Redirect http traffic to https
    RewriteRule ^/(.*)$ https://wiki.example.com/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
    ServerName wiki.example.com
    ProxyPreserveHost On
    ProxyRequests Off
    ErrorLog /var/log/httpd/wiki.example.com-ssl_error_log
    TransferLog /var/log/httpd/wiki.example.com-ssl_access_log
    CustomLog /var/log/httpd/wiki.example.com-ssl_request_log ssl_combined
    ErrorDocument 503 "<center><br><br><h1>We are down for some maintenance. Bla bla... </h1></center>"
    ProxyPass /synchrony http://localhost:8091/synchrony
    <Location /synchrony>
        Require all granted
        RewriteEngine on
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
        RewriteRule .* ws://localhost:8091%{REQUEST_URI} [P]
    </Location>
    ProxyPass / http://localhost:8090/ retry=2 acquire=3000 timeout=120 Keepalive=On
    ProxyPassReverse / http://localhost:8090/
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLCertificateFile /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/wildcard-CA.crt
</VirtualHost>
Edit confluence server.xml if you are using SSL:
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
secure="true"
scheme="https" ProxyPort="443" ProxyName="wiki.example.com" maxHttpHeaderSize="32768" />
-Lars
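An added example, not part of Lars's post or of Atlassian's documentation: a Python check that a TLS-terminating vhost and the Tomcat connector behind it agree on host, port and scheme, and that reports TLS settings in the vhost that are now deprecated. The function names `directive` and `audit` and the two sample strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the vhost and connector in this thread.
VHOST = '''<VirtualHost *:443>
ServerName wiki.example.com
ProxyPass / http://localhost:8090/ retry=2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH RC4 !aNULL !3DES"
</VirtualHost>'''
CONNECTOR = ('<Connector port="8090" secure="true" scheme="https" '
             'ProxyPort="443" ProxyName="wiki.example.com" />')

def directive(text, name):
    """Return the arguments of the first directive called name, or ''."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+)$", text, re.M | re.I)
    return m.group(1).strip() if m else ""

def audit(vhost, connector_xml):
    """Return findings for one TLS vhost and the Tomcat connector behind it."""
    findings = []
    # Attribute names are lower-cased because the thread writes ProxyPort/ProxyName.
    attrs = {k.lower(): v for k, v in ET.fromstring(connector_xml).attrib.items()}
    vport = re.search(r"<VirtualHost\s+[^>]*:(\d+)>", vhost).group(1)
    if attrs.get("proxyport") != vport:
        findings.append("proxyPort does not match the vhost port")
    if attrs.get("proxyname") != directive(vhost, "ServerName"):
        findings.append("proxyName does not match ServerName")
    if attrs.get("scheme") != "https" or attrs.get("secure") != "true":
        findings.append("connector is not marked scheme=https and secure=true")
    backend = re.search(r"^[ \t]*ProxyPass[ \t]+/[ \t]+\w+://[^:/\s]+:(\d+)", vhost, re.M)
    if not backend or backend.group(1) != attrs.get("port"):
        findings.append("ProxyPass / does not point at the connector port")
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); "all" keeps them unless removed.
    protos = [p.lower() for p in directive(vhost, "SSLProtocol").split()]
    for old in ("tlsv1", "tlsv1.1"):
        if old in protos or "+" + old in protos or (
                "all" in protos and "-" + old not in protos):
            findings.append("SSLProtocol leaves " + old + " enabled")
    # RC4 is prohibited in TLS (RFC 7465); entries starting with ! or - disable it.
    ciphers = directive(vhost, "SSLCipherSuite").strip('"').replace(":", " ").split()
    weak = [c for c in ciphers if "RC4" in c.upper() and c[0] not in "!-"]
    if weak:
        findings.append("SSLCipherSuite enables RC4: " + " ".join(weak))
    return findings

if __name__ == "__main__":
    for line in audit(VHOST, CONNECTOR):
        print(line)
```

To clear the three findings on the sample, append `-TLSv1 -TLSv1.1` to `SSLProtocol` and replace the RC4 entries in `SSLCipherSuite` with `!RC4`.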
Something like this. Then you will not have to deal with keytool, cacerts and things like that :)
-Lars
Christoph - not a stupid question but I'm trying to follow Atlassian instructions - I was assuming there's a reason they specify 8443 not 443, and also it means the instructions can be referred to in the future. I was hoping it should be relatively easy to just have a line or two to make anything going to https://<website> redirect to port 8443.
Lars - will have a look at that but as mentioned I was hoping there might be an easy line or two of code (would be easier than setting up a proxy) but perhaps there isn't.
Tim - I guess it is just that they want a configuration which should work by default even if there is already one ssl application running which would probably run on the ssl default port 443 ;) good luck!
Christoph - I was looking into this yesterday and I think it's because non-root users are not able to bind to ports below 1024 on Linux.
I think I found part of the answer in https://confluence.atlassian.com/jirakb/how-do-i-use-port-80-or-443-on-my-jira-server-as-a-non-root-user-on-linux-890079490.html - this at least redirects to port 8443 but then causes issues with gadgets on JIRA, and on both JIRA/confluence then also causes issues with base url if users use http rather than https.
I'm getting closer but it's a bit cyclic where it fixes some things but breaks others. I may just advise users to go to https://<server>:8443
Tim thanks for sharing and all the best to you!