Avatar of CNBELGIN

SSL for Confluence using IIS URL Rewrite and ARR (Application Request Routing)

I am trying to accomplish a few things:

• Use an existing wildcard SSL certificate to secure Confluence running on Windows Server 2008 R2, x64
• Use URL Rewrite and/or ARR (Application Request Routing) to hide port numbers and force an SSL connection bound to the default IIS website.

On the client side of things, the address should look like this:
Dan McFadden

OK, so first off, you cannot use ARR with only 1 server in operations.  Typically ARR sits in front of a multi-server farm.  So ARR is not an option in a single server setup.

But, this should be a relatively easy install.

You need to have the importable version of the wildcard cert.  Import the cert on the server hosting Confluence.  On the site running Confluence, configure the site to use a specific IP (don't use the * setting... all unassigned IPs).  Then import the cert under the SSL Certificate feature of IIS Manager.  Add the https port to the binding of the website and select the newly imported cert.

Then you can use URL Rewrite to pop everyone to https with the rule described in the article below.


Avatar of btan

Thanks Dan!
Apparently, some experience slow performance using the ISAPI connector and, after reviewing any FW rules etc., eventually opt for ARR to get better performance.  See the article which shares how to configure IIS 7.0 and Tomcat with the IIS ARR Module (instead of the JDK ISAPI Connector) - the request will be handled by IIS before being forwarded to Tomcat by the ARR proxy. (But really Confluence should be faster if it does not have to support IIS with the hacks.)

It looks like it fits the use case here, and there is also mention of SSL steps:
I have it working with SSL currently. All you have to do is set up SSL as per normal on the IIS site, and IIS will take care of all the SSL stuff. If you are using Host Headers to host multiple instances of Confluence or even other web services, then you will have to create a SAN (Subject Alternate Name) Cert or Wildcard cert to use with IIS. Also, you would then have to use the command line to set the host headers for the different sites in IIS because as of IIS7 it only allows a single Cert to be used for all sites, and does not allow the use of host headers.

Here is the command to set host headers with SSL on your IIS sites:
 C:\Windows\System32\inetsrv\appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

Also not forgetting, we also have to tell Confluence Tomcat that you are accessing it via a proxy by adding the following lines to your Connector in your server.xml e.g. (from the article)

Regardless, as mentioned by all, IIS by default only supports binding of an SSL certificate to one web application (or any website on the server).  Hence Host header is to be used together with Wildcard cert e.g.

In case needed, here is an article on getting an SSL wildcard cert into IIS7 (e.g. the friendly name of the certificate starts with *)
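
An added example, not taken from this thread or the linked articles: a web.config for the IIS site that combines the HTTPS redirect and the ARR reverse-proxy rewrite discussed above. The hostname confluence.example.com and the backend port 8090 are assumptions, and the proxy rule only works once ARR's proxy mode is enabled at the server level.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config in the root of the IIS site that fronts Confluence.
     Assumptions (not from the thread): public name confluence.example.com,
     Confluence's Tomcat listening on localhost:8090. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: any request that arrived over plain HTTP is redirected
             to HTTPS. The target host is hard-coded rather than taken from
             {HTTP_HOST}, so a forged Host header cannot steer the redirect
             to another site. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect"
                  url="https://confluence.example.com/{R:1}"
                  redirectType="Permanent" />
        </rule>

        <!-- Rule 2: HTTPS requests are handed to Tomcat over loopback, so
             the client never sees the backend port. TLS ends at IIS; the
             hop to Tomcat is plain HTTP and should stay on localhost. -->
        <rule name="Proxy to Confluence" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8090/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
<!-- On the Tomcat side, the Connector in server.xml needs the standard
     proxyName, proxyPort, scheme and secure attributes set to the public
     name, 443, https and true, so Confluence generates https:// links. -->
```

Binding Tomcat's connector to 127.0.0.1 only, or blocking the backend port at the firewall, keeps clients from bypassing IIS and reaching Confluence without TLS.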