SSL for Confluence using IIS URL Rewrite and ARR (Application Request Routing)

CNBELGIN
I am trying to accomplish a few things:

• Use an existing wildcard SSL cert to secure Confluence running on Windows Server 2008 R2, x64
• Use URL Rewrite and/or ARR (Application Request Routing) to hide port numbers and force an SSL connection bound to the default IIS website.

On the client side of things, the address should look like this: https://confluence.mysite.com
Dan McFadden, Systems Engineer

Commented:
OK, so first off, you cannot use ARR with only 1 server in operations.  Typically ARR sits in front of a multi-server farm.  So ARR is not an option in a single server setup.

But, this should be a relatively easy install.

You need to have the importable version of the wildcard cert.  Import the cert on the server hosting Confluence.  On the site running Confluence, configure the site to use a specific IP (don't use the * setting... all unassigned IPs).  Then import the cert under the SSL Certificate feature of IIS Manager.  Add the https port to the binding of the website and select the newly imported cert.

Then you can use URL Rewrite to pop everyone to https with the rule described in the article below.

link:  http://forums.iis.net/t/1153050.aspx?URL+Rewrite+for+SSL+redirection

Dan
Exec Consultant
Distinguished Expert 2018
Commented:
It should be the same install procedure as installing regular SSL certs, as stated in the link below, except that it refers to Tomcat in this case.
https://confluence.atlassian.com/conf51/running-confluence-over-ssl-or-https-336169582.html
I did not see any mention of IIS as a supported platform under application servers, though.
https://confluence.atlassian.com/doc/supported-platforms-207488198.html
Dan McFadden, Systems Engineer

Commented:
It's a hack to use IIS and Confluence...

link:  https://confluence.atlassian.com/display/CONFKB/How+to+setup+Confluence+with+IIS

Dan
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Thanks Dan!
Apparently, some have experienced slow performance using the ISAPI connector and, after reviewing any FW rules etc., eventually opted for ARR to get better performance.  See the article, which shares how to configure IIS 7.0 and Tomcat with the IIS ARR Module (instead of the JDK ISAPI Connector) - the request will be handled by IIS before being forwarded to Tomcat by the ARR proxy. (But really Confluence should be faster if it does not have to support IIS with the hacks.)

It looks like it fits the use case here, and the SSL steps are also mentioned:
I have it working with SSL currently. All you have to do is set up SSL as per normal on the IIS site, and IIS will take care of all the SSL stuff. If you are using Host Headers to host multiple instances of Confluence or even other web services, then you will have to create a SAN (Subject Alternate Name) Cert or Wildcard cert to use with IIS. Also, you would then have to use the command line to set the host headers for the different sites in IIS because as of IIS7 it only allows a single Cert to be used for all sites, and does not allow the use of host headers.

Here is the command to set host headers with SSL on your IIS sites:
 C:\Windows\System32\inetsrv\appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
https://answers.atlassian.com/questions/118050/confluence-via-iis-is-slow

Also, not forgetting: we have to tell Confluence's Tomcat that you are accessing it via a proxy by adding the following lines to your Connector in your server.xml, e.g. (from the article):
scheme="https"
proxyPort="443"
proxyName="confluence.company.com"

Regardless, as mentioned by all, IIS by default only supports binding of an SSL certificate to one web application (or any website on the server).  Hence a host header is to be used together with a wildcard cert, e.g. http://blog.armgasys.com/?p=80

In case it is needed, here is an article on getting an SSL wildcard cert into IIS 7 (e.g. the friendly name of the certificate starts with *)
https://www.mojoportal.com/using-a-wildcard-ssl-certificate-in-iis-7x.aspx
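
The IIS-in-front-of-Tomcat setup discussed in this thread, written out as an added example (not taken from any of the posts or linked articles): a web.config that forces HTTPS and proxies to Confluence, plus the matching Tomcat Connector. Assumptions: URL Rewrite and ARR are installed with the ARR proxy enabled at server level, Confluence listens on port 8090 on the same server, and the hostname is the one from the question; the address and secure attributes are additions to the three Connector lines quoted above.

```xml
<!-- Fragment 1: web.config in the root of the IIS site that holds the
     https binding and the wildcard certificate. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Plain-HTTP requests get a permanent redirect. The target host is
             fixed instead of being copied from {HTTP_HOST}, so a forged Host
             header cannot steer the redirect to another site. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" redirectType="Permanent"
                  url="https://confluence.mysite.com/{R:1}" />
        </rule>
        <!-- Requests that arrived over HTTPS are handed to Tomcat by the
             ARR proxy. localhost:8090 is an assumption. -->
        <rule name="Proxy to Confluence" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8090/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- Fragment 2: the Connector in Confluence's server.xml.
     scheme/proxyName/proxyPort make Confluence generate https:// links for
     the public name. address="127.0.0.1" keeps the unencrypted port off the
     network so clients cannot bypass IIS; secure="true" marks the proxied
     requests as secure to the application. -->
<Connector port="8090" address="127.0.0.1" protocol="HTTP/1.1"
           scheme="https" secure="true"
           proxyName="confluence.mysite.com" proxyPort="443" />
```

With this in place, a check from another machine should show port 8090 closed and http://confluence.mysite.com answering with a 301 to the https address.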

Author

Commented:
Thanks
