...
- A correctly configured apache web server that is able to serve an HTTPS web site (https://example.com).
- A SAML Identity Provider (IdP).
- An account on that IdP.
- An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended. In this case we assume 'mail' and 'displayName' can be used.
- The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl').
PostgreSQL
| Code Block |
|---|
apt-get install postgresql |
...
Download the source http://www.atlassian.com/software/confluence/downloads/binary/atlassian-confluence-5.15.13.tar.gz and unpack it to /opt/confluence. All relative paths mentioned below are relative to this directory.
...
| Code Block |
|---|
ServerName example.com
ProxyRequests Off
<Proxy http://ip6-localhost:8090>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /mellon/ !
ProxyPass / http://ip6-localhost:8090/
ProxyPassReverse / http://ip6-localhost:8090/
# Mobile theme does not honour new seraph values for login URL, so we have to redirect that
RewriteEngine on
RewriteCond %{QUERY_STRING} ^originalUrl=(.*)$ [NC]
Rewriterule ^/plugins/servlet/mobile/login /mellon/login?ReturnTo=%1 [R,NE]
# Remove the jsessionid from the URL, to prevent 404 errors when
# unauthenticated visitors try to access a protected resource.
ReWriteRule ^(.*);jsessionid=[A-Za-z0-9]+(.*)$ $1$2 [R,NE]
<Location />
MellonEnable "info"
MellonSecureCookie On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/mellon"
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
MellonSPCertFile /etc/apache2/mellon/sp.crt
MellonIdPMetadataFile /etc/apache2/mellon/idp.xml
# To avoid security holes, first unset any existing header
RequestHeader unset REMOTE_USER
# Then conditionally set it
RequestHeader set REMOTE_USER "%{MELLON_eduPersonPrincipalName}e" env=MELLON_eduPersonPrincipalName
RequestHeader unset CONF_FULL_NAME
RequestHeader set CONF_FULL_NAME "%{MELLON_displayName}e" env=MELLON_displayName
RequestHeader unset CONF_EMAIL
RequestHeader set CONF_EMAIL "%{MELLON_mail}e" env=MELLON_mail
</Location> |
...
- Download the right version of remoteUserAuth.jar (I used 2.25.0) from https://github.com/chauth/confluence_http_authenticator/tree/master/releases, and store it in
confluence/WEB-INF/lib.Make sure you're actually downloading the JAR file and not the HTML page. - Download https://github.com/chauth/confluence_http_authenticator/blob/master/conf/remoteUserAuthenticator.properties and save it as
confluence/WEB-INF/classes/remoteUserAuthenticator.properties. The defaults were almost OK, the only thing I needed to change was convert.to.utf8=true. Edit
confluence/WEB-INF/classes/seraph-config.xmland change this section in the beginning:Code Block language html/xml <init-param> <param-name>login.url</param-name> <param-value>/login.action?os_destination=${originalurl}</param-value> </init-param> <init-param> <param-name>link.login.url</param-name> <param-value>/login.action</param-value> </init-param>To this:
Code Block language html/xml <init-param> <param-name>login.url</param-name> <param-value>/mellon/login?ReturnTo=${originalurl}</param-value> </init-param> <init-param> <param-name>link.login.url</param-name> <param-value>/mellon/login?ReturnTo=%2Fdashboard.action</param-value> </init-param>
...
mkdir /tmp/jarcd /tmp/jarjar xf /opt/confluence/confluence/WEB-INF/lib/confluence-5.15.13.jar
xwork.xml and change this part:
| Code Block | ||
|---|---|---|
| ||
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
<interceptor-ref name="defaultStack"/>
<result name="error" type="velocity">/logout.vm</result>
<result name="success" type="redirect">/login.action?logout=true</result>
</action> |
to this:
| Code Block | ||
|---|---|---|
| ||
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
<interceptor-ref name="defaultStack"/>
<result name="error" type="velocity">/logout.vm</result>
<result name="success" type="redirect">/mellon/logout?ReturnTo=%2Fdashboard.action</result>
</action> |
Now "jar" everything up again and replace the original jar:
| Code Block | ||
|---|---|---|
| ||
cd /tmp/jar jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.15.13.jar . |
Restart Confluence. You should now also be able to use federated logins on your iPad/etc.
Post install
Limit access to the unprotected TCP port
Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"