
Confluence from Atlassian behind Sophos WAF

I recently installed the latest version of Confluence, 6.0.3, on Ubuntu 16.04.1 LTS connected to a MySQL database. All is running great when accessed from the local LAN on http://confluence:8090. Then I needed to open access for some external users, and instead of configuring a reverse proxy on the VM where this is running I thought to deploy the webserver protection feature in Sophos. It sounds like a great idea and I already have two such external web servers working fine. I created an external webserver and a certificate and used port 8443 over HTTPS for external users. The internal web server is still running on HTTP 8090. So far so good, and I can access it via HTTPS, log in and browse all spaces and pages. The problem is I cannot create new pages or edit anything. If I turn off the collaborative editor then all works fine. This is not a fix though. I think the reverse proxy in this case needs some further configuration. Has anyone configured WAF for Confluence? I opened a ticket with Atlassian but they said since all works fine over HTTP locally they do not support beyond that point.

Any help is appreciated.



  • The best workaround for this is probably giving VPN Remote Access to the individual(s) that need to edit remotely.  If it's just one person at a time, the HTML5 solution might work well for this.  My preference is always for the SSL VPN as that also works well on my iPhone.

    Have you tried selecting 'Rewrite HTML' in the 'Advanced' section of your Virtual Server?  If that wasn't the trick, please show the lines from the reverseproxy log file when you have an access/update that fails.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob!  Yes, setting up SSL VPN for these users is one way to resolve this, but these are not tech people and I am trying to keep it as simple as possible for them.

     

    I have made the following changes in Confluence to adjust for this:

    1. Set the URL for redirection as advised by Atlassian in the /opt/atlassian/confluence/conf/server.xml file and added the last line ("bolded")

    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                    maxThreads="48" minSpareThreads="10"
                    enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                    protocol="org.apache.coyote.http11.Http11NioProtocol"
                    proxyName="my_domain.net" proxyPort="8443" scheme="https" />

     

    2. Thought to follow option 3 for Reverse proxy with internal Synchrony proxy

    Details are at this link; look at the 3rd diagram.

    1. Turned ON the Synchrony proxy by editing the /var/atlassian/confluence/confluence.cfg.xml file

    <property name="synchrony.proxy.enabled">true</property>

    2. Changed the Confluence base URL to HTTPS

    Edited from the admin console and changed it from http://confluence:8090 to https://confluence.my_domain_name.net:8443

    3. The only thing I have not done are these instructions (they are for Apache):

    I’m not sure how or where these are configured in Sophos WAF.  Do I have to go to the CLI in UTM and make these changes?  Would these be global and affect all WAFs?  This linked issue relates to a similar problem I have.

    LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
    LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
    LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so
    LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

    The other requirement they have is that the reverse proxy server and the firewall should allow WebSocket connections. I am not sure if the WAF in Sophos allows for this, where you see if this is set, or where to configure it.

    Yes, now some things are broken when I access it locally as http://confluence:8090 but my goal at this point is to fix it externally and if I wanted to do work with it I can come externally and access it too.

    For now I have to keep Collaborating editor OFF to resolve this issue.  Other than that all is working fine and using HTTPS.

     

    I will collect some logs and post them here.

     

    Thanks for looking and A Happy New Year!
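
Added example, not part of the thread or of any vendor's documentation: one way to check from outside whether a reverse proxy forwards the WebSocket upgrade that the collaborative editor depends on, by sending an RFC 6455 opening handshake and validating the reply. The host name and WebSocket path in the `__main__` block are placeholders (assumptions), not values from the posts.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant defined by RFC 6455

def build_handshake(host, path, key=None):
    """Return (key, request bytes) for an RFC 6455 opening handshake."""
    key = key or base64.b64encode(os.urandom(16)).decode()
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
           "Upgrade: websocket\r\nConnection: Upgrade\r\n"
           f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    return key, req.encode()

def expected_accept(key):
    """Value a real WebSocket endpoint must echo in Sec-WebSocket-Accept."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def check_response(raw, key):
    """Classify the reply to the handshake; returns (ok, reason)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return False, "malformed status line"
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    if parts[1] != "101":
        return False, f"HTTP {parts[1]}: upgrade refused or not forwarded"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "101 without 'Upgrade: websocket' header"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept mismatch"
    return True, "WebSocket upgrade passed through the proxy"

def probe(host, port, path):
    """Send the handshake over TLS to the external virtual server."""
    key, req = build_handshake(f"{host}:{port}", path)
    with socket.create_connection((host, port), timeout=10) as sock, \
            ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(req)
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := tls.recv(4096)):
            buf += chunk
    return check_response(buf, key)

if __name__ == "__main__":
    # Placeholder host and path: substitute the external name and the
    # editor's WebSocket URL as shown in the browser's network tab.
    print(probe("confluence.example.net", 8443, "/PLACEHOLDER-websocket-path"))
```

Running the same probe against the internal address (without TLS) and against the external virtual server separates a backend problem from a proxy that drops the upgrade; `probe` uses default certificate validation, so a certificate the client does not trust fails before the handshake is sent.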