classes:install_confluence_671_bin

Differences

This shows you the differences between two versions of the page.

classes:install_confluence_671_bin [2018/02/14 12:56] – [Install Confluence 6.7.1 from Binary Installer] curry_searleclasses:install_confluence_671_bin [2018/03/02 09:31] (current) – [Install Confluence 6.7.1 from Binary Installer] curry_searle
Line 1: Line 1:
 ==== Install Confluence 6.7.1 from Binary Installer ==== ==== Install Confluence 6.7.1 from Binary Installer ====
  
 +===Assumptions===
 This tutorial assumes you downloaded the Linux binary installer for Confluence 6.7.1, you have sudo capabilities on an AWS EC2 "free tier" instance along with an AWS RDS "free tier" database of the mysql variety. We will use the following hostnames for this tutorial: This tutorial assumes you downloaded the Linux binary installer for Confluence 6.7.1, you have sudo capabilities on an AWS EC2 "free tier" instance along with an AWS RDS "free tier" database of the mysql variety. We will use the following hostnames for this tutorial:
  
Line 6: Line 7:
   * RDS: yourRDSinstance.c8abc12tntuk.us-east-1.rds.amazonaws.com   * RDS: yourRDSinstance.c8abc12tntuk.us-east-1.rds.amazonaws.com
  
 +===Install Confluence===
 Run the installer as root: Run the installer as root:
 <code> <code>
Line 82: Line 84:
 </code> </code>
  
 +===Install Nginx Reverse Proxy with SSL===
 At this point we will configure Nginx as a reverse proxy before finalizing the Confluence installation via the web page. At this point we will configure Nginx as a reverse proxy before finalizing the Confluence installation via the web page.
  
Line 87: Line 90:
 <code> <code>
 sudo apt -y install nginx sudo apt -y install nginx
 +</code>
 +
 +Generate a self-signed SSL certificate:
 +<code>
 +sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
 +</code>
 +
 +The output should look something like this as you answer the various questions:
 +<code>
 +Generating a 2048 bit RSA private key
 +............+++
 +..........................................+++
 +writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:US
 +State or Province Name (full name) [Some-State]:Texas
 +Locality Name (eg, city) []:Denton
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:WAYTTA   
 +Organizational Unit Name (eg, section) []:OpenSpeak
 +Common Name (e.g. server FQDN or YOUR name) []:ec2-01.amzn.openspeak.net
 +Email Address []:curry.searle@waytta.com
 +</code>
 +
 +Generate the ''dhparam.pem'':
 +<code>
 +sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
 +</code>
 +
 +Edit ''/etc/nginx/snippets/self-signed.conf''
 +<code>
 +sudo vi /etc/nginx/snippets/self-signed.conf
 +</code>
 + to contain the following:
 +<code>
 +ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
 +ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 +</code>
 +
 +Edit ''/etc/nginx/snippets/ssl-params.conf'':
 +<code>
 +sudo vi /etc/nginx/snippets/ssl-params.conf
 +</code>
 +to include the following:
 +<code>
 +# from https://cipherli.st/
 +# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 +ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 +ssl_prefer_server_ciphers on;
 +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 +ssl_ecdh_curve secp384r1;
 +ssl_session_cache shared:SSL:10m;
 +ssl_session_tickets off;
 +ssl_stapling on;
 +ssl_stapling_verify on;
 +resolver 8.8.8.8 8.8.4.4 valid=300s;
 +resolver_timeout 5s;
 +# Disable preloading HSTS for now.  You can use the commented out header line that includes
 +# the "preload" directive if you understand the implications.
 +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 +add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
 +add_header X-Frame-Options DENY;
 +add_header X-Content-Type-Options nosniff;
 +
 +ssl_dhparam /etc/ssl/certs/dhparam.pem;
 </code> </code>
  
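Review bot: the added ssl-params.conf line ''ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'' still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996); since the cipher list below it is already restricted to AEAD and ECDHE/DHE suites, suggest ''ssl_protocols TLSv1.2;'' instead. Two further points in the same block: ''ssl_stapling on;'' and ''ssl_stapling_verify on;'' do nothing useful with the self-signed certificate generated earlier in this hunk, because there is no issuing CA or OCSP responder to staple from, so either drop them (and the ''resolver'' lines that exist to support them) or add a sentence saying they only take effect once a CA-issued certificate is installed. The same applies to the ''Strict-Transport-Security'' header: browsers ignore HSTS received over a connection with certificate errors, so the tutorial should say that the header becomes effective only with a trusted certificate. Finally, the sample ''openssl req'' output carries what looks like a real e-mail address and organization; a placeholder such as ''admin@example.com'' would be safer in published documentation.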
Line 94: Line 168:
 </code> </code>
  
-Edit ''/etc/nginx/sites-available/default'' to include the following text:+Edit ''/etc/nginx/sites-available/default''
 +<code> 
 +sudo vi /etc/nginx/sites-available/default 
 +</code> 
 + to include the following text, adjusted to match your DNS hostname:
 <code> <code>
 server { server {
Line 120: Line 198:
  
 } }
 +</code>
 +
 +===Configure Confluence to Recognize the Proxy===
 +Backup and edit the ''Connector'' section of ''/opt/atlassian/confluence/conf/server.xml'':
 +<code>
 +sudo cp /opt/atlassian/confluence/conf/server.xml /opt/atlassian/confluence/conf/server.xml-DIST
 +sudo vi  /opt/atlassian/confluence/conf/server.xml
 +</code>
 +
 +to include the following change; specifically the last line of the block containing the ''proxyName'', ''proxyPort'' and ''scheme'':
 +<code>
 +        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
 +                maxThreads="48" minSpareThreads="10"
 +                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
 +                protocol="org.apache.coyote.http11.Http11NioProtocol"
 +                proxyName="ec2-01.amzn.openspeak.net" proxyPort="443" scheme="https"
 +        />
 +</code>
 +
 +===Restart Services===
 +Restart Nginx & Confluence:
 +<code>
 +sudo service nginx restart
 +sudo service confluence restart
 </code> </code>
  
 =====Resources===== =====Resources=====
   * [[https://www.atlassian.com/software/confluence/download|Download Confluence]]   * [[https://www.atlassian.com/software/confluence/download|Download Confluence]]
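Review bot: the added ''<Connector port="8090" ...>'' has no ''address'' attribute, so Tomcat keeps listening on every interface and Confluence stays reachable over plain HTTP on port 8090, bypassing the Nginx TLS proxy this revision sets up. Suggest adding ''address="127.0.0.1"'' to the Connector (or documenting that the EC2 security group must block 8090), and adding ''secure="true"'' next to ''scheme="https"'' so that Tomcat treats proxied requests as secure. The sentence introducing the block says the change is "the last line of the block", but the last line is ''/>''; it should point to the line containing ''proxyName''. In the Restart Services step, ''sudo service nginx restart'' will take the proxy down if either edited snippet has a syntax error, so a ''sudo nginx -t'' check before the restart is worth adding.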
classes/install_confluence_671_bin.1518641794.txt.gz · Last modified: 2018/02/14 12:56 by curry_searle