SSL for Confluence using IIS URL Rewrite and ARR (Application Request Routing)

I am trying to accomplish a few things:

• Use an existing wildcard SSL certificate to secure Confluence running on Windows Server 2008 R2, x64
• Use URL Rewrite and/or ARR (Application Request Routing) to hide port numbers and force an SSL connection bound to the default IIS website.

On the client side of things, the address should look like this: https://confluence.mysite.com
Asked by: CNBELGIN

Dan McFadden (Systems Engineer) commented:
OK, so first off, you cannot use ARR with only 1 server in operations.  Typically ARR sits in front of a multi-server farm.  So ARR is not an option in a single server setup.

But, this should be a relatively easy install.

You need to have the importable version of the wildcard cert.  Import the cert on the server hosting Confluence.  On the site running Confluence, configure the site to use a specific IP (don't use the * setting... all unassigned IPs).  Then import the cert under the SSL Certificate feature of IIS Manager.  Add the https port to the binding of the website and select the newly imported cert.

Then you can use URL Rewrite to pop everyone to https with the rule described in the article below.

link:  http://forums.iis.net/t/1153050.aspx?URL+Rewrite+for+SSL+redirection

Dan
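
A redirect rule of the kind the answer above refers to, as an added example that is not part of the original post or the linked article. It assumes the URL Rewrite module is installed and that this web.config sits in the root of the IIS site that carries both the http and https bindings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config in the root of the IIS site (added example) -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Keep this rule first so no request is served over plain
             http before the redirect is evaluated. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <!-- Match every path; {R:1} below is the captured path. -->
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is OFF for requests that arrived on the
                 plain http binding. -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- 301 to the same host and path over https. The query
               string is appended by default (appendQueryString). -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The http (port 80) binding has to stay on the site for this rule to fire; requests that arrive over https do not match the condition and pass through unchanged.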
btan (Exec Consultant) commented:
It should be the same install procedure as installing regular SSL certs, as stated in the page below, except that it describes Tomcat in this case.
https://confluence.atlassian.com/conf51/running-confluence-over-ssl-or-https-336169582.html
I did not see any mention of IIS under application servers on the supported platforms page, though.
https://confluence.atlassian.com/doc/supported-platforms-207488198.html

Dan McFadden (Systems Engineer) commented:
It's a hack to use IIS and Confluence...

link:  https://confluence.atlassian.com/display/CONFKB/How+to+setup+Confluence+with+IIS

Dan
btan (Exec Consultant) commented:
Thanks Dan!
Apparently, some experienced slowness with the ISAPI connector and, after reviewing any FW rules etc., eventually opted for ARR to get better performance.  See the article, which shares how to configure IIS 7.0 and Tomcat with the IIS ARR Module (instead of the JDK ISAPI Connector): the request will be handled by IIS before being forwarded to Tomcat by the ARR proxy. (But really Confluence should be faster if it does not have to support IIS with the hacks.)

It looks like it fits the use case here, and SSL steps are also mentioned:
I have it working with SSL currently. All you have to do is set up SSL as per normal on the IIS site, and IIS will take care of all the SSL stuff. If you are using Host Headers to host multiple instances of Confluence or even other web services, then you will have to create a SAN (Subject Alternate Name) Cert or Wildcard cert to use with IIS. Also, you would then have to use the command line to set the host headers for the different sites in IIS because as of IIS7 it only allows a single Cert to be used for all sites, and does not allow the use of host headers.

Here is the command to set host headers with SSL on your IIS sites:
 C:\Windows\System32\inetsrv\appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
https://answers.atlassian.com/questions/118050/confluence-via-iis-is-slow

Also, not forgetting: we also have to tell Confluence's Tomcat that it is being accessed via a proxy by adding the following lines to the Connector in server.xml, e.g. (from the article):
scheme="https"
proxyPort="443"
proxyName="confluence.company.com"

Regardless, as mentioned by all, IIS by default only supports binding of an SSL certificate to one web application (or any website on the server).  Hence a host header is to be used together with a wildcard cert, e.g. http://blog.armgasys.com/?p=80

In case it is needed, here is an article on getting an SSL wildcard cert into IIS 7 (e.g. the friendly name of the certificate starts with *):
https://www.mojoportal.com/using-a-wildcard-ssl-certificate-in-iis-7x.aspx
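
The three proxy attributes from the comment above, placed in a complete Connector element, as an added example that is not part of the original post or the quoted article. Port 8090, the timeout and thread values, and the hostname confluence.mysite.com (taken from the question) are assumptions; `secure` and `address` are standard Tomcat Connector attributes added here and are not in the list above.

```xml
<!-- Fragment of Confluence's conf/server.xml (added example).
     Only the Connector inside the <Service> element is shown. -->

<!-- port / address: the plain-HTTP listener that IIS forwards to.
       Binding it to 127.0.0.1 (an addition, not from the post) keeps
       the unencrypted port unreachable from other hosts, so clients
       can only get in through the IIS https binding.
     scheme / proxyName / proxyPort: the values listed in the post.
       Tomcat uses them when it builds absolute URLs and redirects,
       so links point at https://confluence.mysite.com and not at
       http://localhost:8090.
     secure="true" (an addition): makes request.isSecure() return
       true for proxied requests, so the application treats the
       session as running over TLS. -->
<Connector port="8090"
           address="127.0.0.1"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxThreads="48"
           URIEncoding="UTF-8"
           scheme="https"
           secure="true"
           proxyName="confluence.mysite.com"
           proxyPort="443" />
```

Confluence has to be restarted for the change to take effect, and its configured base URL should match the https address that clients use.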
CNBELGIN (Author) commented:
Thanks