Confluence reverse proxy and firefox

If you’re running confluence behind a reverse proxy then you might stumble upon an issue that prevents firefox from working correctly. Strange bugs will hapen like clicking on “add a new page” resulting in endless loading loops.

Checking the logfile of confluence you’ll see something like this:

WARN [http-nio-8090-exec-6] [common.security.jersey.XsrfResourceFilter] 
  passesAdditionalBrowserChecks Additional XSRF checks failed for request: 
  http://localhost:9080/rest/analytics/1.0/publish/bulk , origin: null , 
  referrer: WHATEVERYOURDOMAINIS , credentials in request: true , allowed via CORS: false

Solving this requires adjusting the file conf/server.xml of the confluence distribution. The entry of interest will look like this:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
        maxThreads="48" minSpareThreads="10"
        enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
        protocol="org.apache.coyote.http11.Http11NioProtocol" />

You’ll have to change it to include the reverse proxy informations like this:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
        maxThreads="48" minSpareThreads="10"
        enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        proxyName="WHATEVERYOURDOMAINIS" proxyPort="443" scheme="https"/>

The setup above assumes that you’re running behind a reverse proxy via HTTPS which you should. ;-)

A matching configuration for nginx looks like this:

    server {
        listen       443 ssl;
        server_name  WHATEVERYOURDOMAINIS;

        ssl_certificate      /etc/ssl/YOURCERT.crt;
        ssl_certificate_key  /etc/ssl/YOURCERT.key;

        root SOMEPATH;

        location / {
          proxy_pass http://localhost:8090;
          proxy_redirect default;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        }
        location /synchrony {
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://localhost:8091/synchrony;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        }
    }

This should also fix synchrony issues (collaborative editing).

Jens Grassel Written by:

Solving problems and burning chrome for fun and profit.