Differences

This shows you the differences between two versions of the page.

--- classes:install_confluence_671_bin [2018/02/14 12:49] – [Install Confluence 6.7.1 from Binary Installer] curry_searle
+++ classes:install_confluence_671_bin [2018/03/02 09:31] (current) – [Install Confluence 6.7.1 from Binary Installer] curry_searle
@@ Line 1: / Line 1: @@
 ==== Install Confluence 6.7.1 from Binary Installer ====
-This tutorial assumes you downloaded the Linux binary installer for Confluence 6.7.1, you have sudo capabilities on an AWS EC2 "free tier" instance along with an AWS RDS "free tier" database of the mysql variety.
+===Assumptions===
+This tutorial assumes you downloaded the Linux binary installer for Confluence 6.7.1, you have sudo capabilities on an AWS EC2 "free tier" instance along with an AWS RDS "free tier" database of the mysql variety. We will use the following hostnames for this tutorial:
+  * Host: ec2-01.amzn.openspeak.net
+  * RDS: yourRDSinstance.c8abc12tntuk.us-east-1.rds.amazonaws.com
+===Install Confluence===
 Run the installer as root:
 <code>
@@ Line 79: / Line 84: @@
 </code>
+===Install Nginx Reverse Proxy with SSL===
 At this point we will configure Nginx as a reverse proxy before finalizing the Confluence installation via the web page.
@@ Line 86: / Line 92: @@
 </code>
+Generate a self-signed SSL certificate:
+<code>
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
+</code>
+The output should look something like this as you answer the various questions:
+<code>
+Generating a 2048 bit RSA private key
+............+++
+..........................................+++
+writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:Texas
+Locality Name (eg, city) []:Denton
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:WAYTTA
+Organizational Unit Name (eg, section) []:OpenSpeak
+Common Name (e.g. server FQDN or YOUR name) []:ec2-01.amzn.openspeak.net
+Email Address []:curry.searle@waytta.com
+</code>
+Generate the ''dhparam.pem'':
+<code>
+sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+</code>
+Edit ''/etc/nginx/snippets/self-signed.conf''
+<code>
+sudo vi /etc/nginx/snippets/self-signed.conf
+</code>
+ to contain the following:
+<code>
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+</code>
+Edit ''/etc/nginx/snippets/ssl-params.conf'':
+<code>
+sudo vi /etc/nginx/snippets/ssl-params.conf
+</code>
+to include the following:
+<code>
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+</code>
+Backup the default Nginx configuration file:
+<code>
+sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default-DIST
+</code>
+Edit ''/etc/nginx/sites-available/default'':
+<code>
+sudo vi /etc/nginx/sites-available/default
+</code>
+ to include the following text, adjusted to match your DNS hostname:
+<code>
+server {
+    listen ec2-01.amzn.openspeak.net:80;
+    server_name ec2-01.amzn.openspeak.net;
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    include snippets/fastcgi-php.conf;
+    include snippets/self-signed.conf;
+    include snippets/ssl-params.conf;
+    #return 301 https://$server_name$request_uri;
+    proxy_redirect http:// https://;
+    client_max_body_size 2048M;
+    location / {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://localhost:8090;
+    }
+}
+</code>
+===Configure Confluence to Recognize the Proxy===
+Backup and edit the ''Connector'' section of ''/opt/atlassian/confluence/conf/server.xml'':
+<code>
+sudo cp /opt/atlassian/confluence/conf/server.xml /opt/atlassian/confluence/conf/server.xml-DIST
+sudo vi  /opt/atlassian/confluence/conf/server.xml
+</code>
+to include the following change; specifically the last line of the block containing the ''proxyName'', ''proxyPort'' and ''scheme'':
+<code>
+        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
+                maxThreads="48" minSpareThreads="10"
+                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
+                protocol="org.apache.coyote.http11.Http11NioProtocol"
+                proxyName="ec2-01.amzn.openspeak.net" proxyPort="443" scheme="https"
+        />
+</code>
+===Restart Services===
+Restart Nginx & Confluence:
+<code>
+sudo service nginx restart
+sudo service confluence restart
+</code>
 =====Resources=====
   * [[https://www.atlassian.com/software/confluence/download|Download Confluence]]