Installing Confluence + PostgreSQL + NGINX SSL reverse-proxy on CentOS 7

Confluence is a replicable wiki system for internal use by organizations to create a unified knowledge base. It is written in Java and developed by the Australian company Atlassian, and is one of its two main products.

Installing PostgreSQL 12

Add the PostgreSQL 12 repository

$ sudo yum -y install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Installing the required packages

$ sudo yum -y install epel-release yum-utils
$ sudo yum-config-manager --enable pgdg12
$ sudo yum -y install postgresql12-server postgresql12

Database initialization is required after installation before the service can be started

$ sudo /usr/pgsql-12/bin/postgresql-12-setup initdb

Start the PostgreSQL service and check the status

$ sudo systemctl enable --now postgresql-12
$ systemctl status postgresql-12

Editing PostgreSQL settings, opening access for Confluence

$ sudo nano /var/lib/pgsql/12/data/pg_hba.conf
[...]
# IPv4 local connections:
#host    all             all             127.0.0.1/32            ident
host    confluence      confluenceuser  127.0.0.1/32            md5

Restarting PostgreSQL

$ sudo systemctl restart postgresql-12

Create the user and database

$ sudo su - postgres
$ psql
postgres=# CREATE ROLE confluenceuser WITH LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
CREATE ROLE
postgres=# CREATE DATABASE confluence WITH ENCODING='UTF8' OWNER=confluenceuser CONNECTION LIMIT=-1;
CREATE DATABASE
postgres=# \q
$ exit

Installing Confluence

Create a user for Confluence

$ sudo useradd -m -U -r -d /opt/atlassian confluence

Set a password for the user

$ sudo passwd confluence
New password:
Retype new password:

Add the confluence user to the wheel group so that it has superuser rights (sudo)

$ sudo usermod -aG wheel confluence

Switch to the confluence user and go to its home directory. All further operations are performed as this user

$ sudo su confluence
$ cd

Download the Confluence 7.5.0 distribution and make it executable

$ wget https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-7.5.0-x64.bin
$ chmod a+x atlassian-confluence-7.5.0-x64.bin

Launching the Confluence installation

$ sudo ./atlassian-confluence-7.5.0-x64.bin

During the installation process, you will need to select actions

This will install Confluence 7.5.0 on your computer.
OK [o, Enter], Cancel [c]
o
Click Next to continue, or Cancel to exit Setup.

Choose the appropriate installation or upgrade option.
Please choose one of the following:
Express Install (uses default settings) [1],
Custom Install (recommended for advanced users) [2, Enter],
Upgrade an existing Confluence installation [3]
2

Select the folder where you would like Confluence 7.5.0 to be installed, then click Next.
Where should Confluence 7.5.0 be installed?
[/opt/atlassian/confluence]


Default location for Confluence data
[/var/atlassian/application-data/confluence]


Configure which ports Confluence will use.
Confluence requires two TCP ports that are not being used by any other applications on this machine. The HTTP port is where you will access Confluence through your browser. The Control port is used to Startup and
Shutdown Confluence.
Use default ports (HTTP: 8090, Control: 8000) - Recommended [1, Enter], Set custom value for HTTP and Control ports [2]
1

Confluence can be run in the background.
You may choose to run Confluence as a service, which means it will start automatically whenever the computer restarts.
Install Confluence as Service?
Yes [y, Enter], No [n]
y

Extracting files ...

Please wait a few moments while we configure Confluence.

Installation of Confluence 7.5.0 is complete
Start Confluence now?
Yes [y, Enter], No [n]
y

Please wait a few moments while Confluence starts up.
Launching Confluence ...

Installation of Confluence 7.5.0 is complete
Your installation of Confluence 7.5.0 is now ready and can be accessed via
your browser.
Confluence 7.5.0 can be accessed at http://localhost:8090
Finishing installation ...

Set up the firewall: open port 8090/tcp

$ sudo firewall-cmd --permanent --add-port=8090/tcp
$ sudo firewall-cmd --reload

Checking if Confluence has started

$ netstat -nltup | grep 8090

If there is no entry with the port number, start Confluence manually

$ /etc/init.d/confluence start
or
$ sudo /opt/atlassian/confluence/bin/catalina.sh start

Go to the site http://localhost:8090 and continue the installation

Production installation

Trial license

On the site https://my.atlassian.com/license/evaluation generate a trial license by server ID

My database

Database setup

Enter the PostgreSQL connection details and click the “Check connection” button

	Database type: PostgreSQL
	Setup type: Simple
	Hostname: localhost
	Port: 5432
	Database name: confluence
	Username: confluenceuser
	Password: password

Sample site

For the first time, I recommend installing the sample site. You can always delete this test space.

Configuring User Management – Managing Users and Groups in Confluence

Setting up a system administrator account

Installation completed

Configuring Nginx as a reverse-proxy

Add nginx repository

$ sudo nano /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
 
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key

Install nginx, add the service to startup and start it

$ sudo yum install -y nginx
$ sudo systemctl enable --now nginx

Create a directory where the self-signed ssl certificate will be located

$ sudo mkdir /etc/nginx/ssl
$ sudo chmod 700 /etc/nginx/ssl

Create a self-signed certificate and key

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Country Name (2 letter code) [XX]: RU
State or Province Name (full name) []: Moscow
Locality Name (eg, city) [Default City]: Moscow
Organization Name (eg, company) [Default Company Ltd]: Company
Organizational Unit Name (eg, section) []: IT
Common Name (eg, your name or your server's hostname) []: localhost
Email Address []: [email protected]

$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Let’s edit the NGINX configuration file

$ sudo nano /etc/nginx/conf.d/default.conf
server {
 server_name localhost;
 
 listen 443 default ssl;
 ssl_certificate /etc/nginx/ssl/nginx.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.key;
 ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
 ssl_session_timeout 5m;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 ssl_prefer_server_ciphers on;
 
 location / {
 client_max_body_size 100m;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:8090;
 }
 location /synchrony {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:8091/synchrony;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 }
}
 
server {
 listen 80;
 server_name localhost;
 return 301 https://$server_name$request_uri;
}

The host localhost in the server_name line can be replaced with any domain name. On a test machine, I usually use localhost.

Check the config and restart nginx

$ sudo nginx -t
$ sudo systemctl restart nginx
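
The ssl_protocols line above still enables TLSv1 and TLSv1.1, and the cipher list includes 3DES and non-ECDHE suites. The following check is an added example, not part of the original article: the function name audit_tls and both sample configs are constructed here, and the cipher list in page_conf is a shortened excerpt of the one above.

```sh
#!/bin/sh
# audit_tls: read an nginx config on stdin and print one finding per line
# for deprecated protocol versions and weak cipher suites.
audit_tls() {
    awk -v q="'" '
    { gsub("[;" q "\"]", " ") }           # drop ";" and quotes around values
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "protocol " $i
    }
    $1 == "ssl_ciphers" {
        n = split($2, c, ":")
        for (i = 1; i <= n; i++) {
            if (c[i] ~ /^!/) continue      # "!X" removes suites, nothing to flag
            if (c[i] ~ /DES|RC4|MD5|NULL|EXP/)
                print "cipher " c[i] " (legacy algorithm)"
            else if (c[i] !~ /^(ECDHE|DHE|EDH)-/)
                print "cipher " c[i] " (no forward secrecy)"
        }
    }'
}

# Constructed sample: the page's ssl_protocols line and an excerpt of its ciphers.
page_conf() {
    cat <<'EOF'
server {
 listen 443 default ssl;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
}
EOF
}

# Constructed tightened variant: TLS 1.2 only, ECDHE suites with AEAD ciphers.
tight_conf() {
    cat <<'EOF'
server {
 listen 443 default ssl;
 ssl_protocols TLSv1.2;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
}
EOF
}

echo "page config:";      page_conf  | audit_tls
echo "tightened config:"; tight_conf | audit_tls
```

To check the live file, run audit_tls < /etc/nginx/conf.d/default.conf after editing.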

Now configure the Confluence side by editing the Tomcat settings

$ sudo nano /opt/atlassian/confluence/conf/server.xml

Let’s comment out the line:

<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->

Let’s uncomment and correct the line below:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" proxyName="localhost" proxyPort="443"/>

If you don’t use ssl, the last line will look like this:

scheme="http" proxyName="localhost" proxyPort="80"/>

localhost can also be replaced with your host

Restart Confluence:

$ sudo /etc/init.d/confluence restart

Configuring Firewall

Because we opened port 8090 earlier, close it now

$ sudo firewall-cmd --permanent --remove-port=8090/tcp

Opening ports 80,443

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
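
With 8090 closed in firewalld, it is worth confirming which backend ports still listen on a non-loopback address. The following check is an added example, not part of the original article: the function name exposed_backends and the netstat listing are constructed here, and the default port list is the set of ports this page mentions (8090, 8091, 8000, 5432).

```sh
#!/bin/sh
# exposed_backends: read `netstat -nlt` or `ss -ltn` output on stdin and print
# "port address" for backend ports bound to a non-loopback address.
# The local address is column 4 in both tools' output.
exposed_backends() {
    awk -v ports="${1:-8090 8091 8000 5432}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) backend[p[i]] = 1 }
    {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (!(port in backend)) next           # 80/443 and header lines fall out here
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
        if (addr ~ /^::ffff:127\./) next       # IPv4-mapped loopback
        print port, addr
    }' | sort -n
}

# Constructed sample of `netstat -nlt` output for a host set up as above.
sample_listeners() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::8090                 :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:8000   :::*                    LISTEN
EOF
}

sample_listeners | exposed_backends
```

A Tomcat Connector without an address attribute listens on every interface, so a hit on 8090 means the firewalld rule is the only thing between clients and the unproxied HTTP port. On the server itself, run netstat -nlt | exposed_backends.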

Configuring SELinux

$ sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
$ sudo semodule -i mynginx.pp
$ sudo setsebool httpd_can_network_connect on
$ sudo setsebool httpd_can_network_connect on -P
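
The audit2allow pipeline above turns every nginx denial in the log into an allow rule, so it helps to see what those denials are before loading the module. The following summary is an added example, not part of the original article: the function name summarize_avc and the audit.log lines are constructed here.

```sh
#!/bin/sh
# summarize_avc: read audit.log lines on stdin and print
# "count permissions tclass target_type" for nginx denials, most frequent first.
summarize_avc() {
    awk '
    /avc:/ && /denied/ && /comm="nginx"/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        gsub(/ /, ",", perms)                  # "read open" -> "read,open"
        tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
        }
        seen[perms " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }' | sort -rn
}

# Constructed audit.log lines (timestamps, PIDs, inode and labels are made up).
# The nginx.key line models a key file moved from /root that kept its old label.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1591000000.101:501): avc:  denied  { name_connect } for  pid=1301 comm="nginx" dest=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1591000000.101:501): arch=c000003e syscall=42 success=no exit=-13 pid=1301 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1591000007.440:509): avc:  denied  { name_connect } for  pid=1301 comm="nginx" dest=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1591000012.912:513): avc:  denied  { name_connect } for  pid=1302 comm="nginx" dest=8091 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1591000042.330:517): avc:  denied  { read } for  pid=1301 comm="nginx" name="nginx.key" dev="dm-0" ino=67154321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591000050.007:520): avc:  denied  { getattr } for  pid=2210 comm="sshd" path="/etc/motd" dev="dm-0" ino=33575011 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | summarize_avc
```

In this sample the name_connect denials are what the httpd_can_network_connect boolean set above already allows, and the admin_home_t read is a labelling problem that restorecon fixes, so neither needs a custom module. The generated mynginx.te file lists the exact rules that semodule -i would load.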

Completing Confluence setup

Updating the base URL in Confluence settings

Administration (gear icon at the top right) -> General Configuration -> Site Configuration -> Server Base URL (https://localhost/admin/editgeneralconfig.action)
http://localhost:8090 -> https://localhost

Confluence as a system service on Linux

Create the confluence.service unit file

$ sudo nano /lib/systemd/system/confluence.service
[Unit]
Description=Confluence
After=network.target

[Service]
Type=forking
User=confluence
PIDFile=/opt/atlassian/confluence/work/catalina.pid
ExecStart=/opt/atlassian/confluence/bin/start-confluence.sh
ExecStop=/opt/atlassian/confluence/bin/stop-confluence.sh
TimeoutSec=200
LimitNOFILE=4096
LimitNPROC=4096

[Install]
WantedBy=multi-user.target

Change file permissions

$ sudo chmod 664 /lib/systemd/system/confluence.service

After creating the unit file, reload systemd so that it picks up the changes. Then start the service, add it to startup, and check its status

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now confluence
$ sudo systemctl status confluence

Error: dedicated user confluence

Change the user that Confluence runs as when it is started by the start-confluence.sh script

$ sudo nano /opt/atlassian/confluence/bin/user.sh
# START INSTALLER MAGIC ! DO NOT EDIT !
CONF_USER="confluence" # user created by installer
# END INSTALLER MAGIC ! DO NOT EDIT !

export CONF_USER