CNBELGIN asked:

SSL for Confluence using IIS URL Rewrite and ARR (Application Request Routing)

I am trying to accomplish a few things:

• Use an existing wildcard SSL certificate to secure Confluence running on Windows Server 2008 R2, x64
• Use URL Rewrite and/or ARR (Application Request Routing) to hide port numbers and force an SSL connection bound to the default IIS website.

On the client side of things, the address should look like this: https://confluence.mysite.com
Tags: SSL / HTTPS, Microsoft IIS Web Server, Windows Server 2008


8/22/2022 - Mon
Dan McFadden

OK, so first off, you cannot use ARR with only 1 server in operations.  Typically ARR sits in front of a multi-server farm.  So ARR is not an option in a single server setup.

But, this should be a relatively easy install.

You need to have the importable version of the wildcard cert.  Import the cert on the server hosting confluence.  On the site running confluence, configure the site to use a specific IP (don't use the * setting... all unassigned IPs).  Then import the cert under the SSL Certificate feature of IIS Manager.  Add the https port to the binding of the website and select the newly imported cert.

Then you can use URL Rewrite to pop everyone to https with the rule described in the article below.

link:  http://forums.iis.net/t/1153050.aspx?URL+Rewrite+for+SSL+redirection

Dan
Dan McFadden

It's a hack to use IIS and Confluence...

link:  https://confluence.atlassian.com/display/CONFKB/How+to+setup+Confluence+with+IIS

Dan
btan

Thanks Dan!
Apparently, some experienced slowness using the ISAPI connector and, after reviewing any FW rules etc., eventually opted for ARR to get better performance. See the article below, which shares how to configure IIS 7.0 and Tomcat with the IIS ARR Module (instead of the JDK ISAPI Connector) - the request will be handled by IIS before being forwarded to Tomcat by the ARR proxy. (But really Confluence should be faster if it did not have to support IIS with the hacks.)

It looks like it fits the use case here, and the SSL steps are also mentioned:
I have it working with SSL currently. All you have to do is set up SSL as per normal on the IIS site, and IIS will take care of all the SSL stuff. If you are using Host Headers to host multiple instances of Confluence or even other web services, then you will have to create a SAN (Subject Alternate Name) Cert or Wildcard cert to use with IIS. Also, you would then have to use the command line to set the host headers for the different sites in IIS because as of IIS7 it only allows a single Cert to be used for all sites, and does not allow the use of host headers.

Here is the command to set host headers with SSL on your IIS sites:
 C:\Windows\System32\inetsrv\appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
https://answers.atlassian.com/questions/118050/confluence-via-iis-is-slow

Also, not forgetting: we have to tell Confluence's Tomcat that you are accessing it via a proxy by adding the following lines to your Connector in your server.xml, e.g. (from the article):
scheme="https"
proxyPort="443"
proxyName="confluence.company.com"

Regardless, as mentioned by all, IIS by default only supports binding of an SSL certificate to one web application (or any website on the server). Hence a host header is to be used together with a wildcard cert, e.g. http://blog.armgasys.com/?p=80

In case needed, here is an article on getting an SSL wildcard cert into IIS7 (e.g. the friendly name of the certificate starts with * )
https://www.mojoportal.com/using-a-wildcard-ssl-certificate-in-iis-7x.aspx
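
Added example (not part of any post above, and not Atlassian's or Microsoft's own configuration): the two pieces discussed in this thread, the URL Rewrite HTTPS redirect and the ARR proxy to Tomcat, written out as one web.config for the IIS site, followed by the matching Connector for server.xml. Assumptions: the host name confluence.mysite.com from the question, Tomcat listening on port 8090, URL Rewrite and ARR installed with "Enable proxy" switched on in ARR's server proxy settings, and the rule names, which are arbitrary.

```xml
<!-- web.config for the IIS site bound to confluence.mysite.com on ports 80 and 443 -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- 1. Plain HTTP: redirect to the fixed HTTPS name. The host is written out
             instead of being taken from {HTTP_HOST}, so a forged Host header
             cannot steer the redirect to another site. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://confluence.mysite.com/{R:1}"
                  redirectType="Permanent" />
        </rule>
        <!-- 2. HTTPS: IIS terminates TLS and ARR forwards the request to Tomcat
             on loopback. Port 8090 is an assumption; use the Connector's port. -->
        <rule name="Proxy to Confluence" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://127.0.0.1:8090/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- Connector in Confluence's server.xml (a separate file). scheme, proxyName and
     proxyPort are the attributes quoted in the post above; secure and address are
     additions. address="127.0.0.1" keeps port 8090 off the network, so clients
     cannot reach Tomcat directly and bypass IIS and TLS. -->
<Connector port="8090" protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https" secure="true"
           proxyName="confluence.mysite.com" proxyPort="443" />
```

After restarting Confluence, a request to http://confluence.mysite.com/ should return a 301 to the https:// URL, and port 8090 should refuse connections from any other machine.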
CNBELGIN

ASKER
Thanks