
Install Confluence 6.7.1 from Binary Installer

Assumptions

This tutorial assumes you have downloaded the Linux binary installer for Confluence 6.7.1 and that you have sudo access on an AWS EC2 “free tier” instance, along with an AWS RDS “free tier” MySQL database. We will use the following hostnames for this tutorial:

  • Host: ec2-01.amzn.openspeak.net
  • RDS: yourRDSinstance.c8abc12tntuk.us-east-1.rds.amazonaws.com

Install Confluence

Run the installer as root:

sudo ./atlassian-confluence-6.7.1-x64.bin

When prompted, press Enter or o to proceed with the install:

sudo ./atlassian-confluence-6.7.1-x64.bin 
Unpacking JRE ...
Starting Installer ...
Feb 14, 2018 8:34:35 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Feb 14, 2018 8:34:35 PM java.util.prefs.FileSystemPreferences$2 run
INFO: Created system preferences directory in java.home.

This will install Confluence 6.7.1 on your computer.
OK [o, Enter], Cancel [c]

For this tutorial we are doing a Custom Install so choose that option when prompted:

Choose the appropriate installation or upgrade option.
Please choose one of the following:
Express Install (uses default settings) [1], 
Custom Install (recommended for advanced users) [2, Enter], 
Upgrade an existing Confluence installation [3]

Accept the defaults for install and data locations:

Where should Confluence 6.7.1 be installed?
[/opt/atlassian/confluence]

Default location for Confluence data
[/var/atlassian/application-data/confluence]

Because this tutorial puts an Nginx reverse proxy in front of Confluence, accepting the Confluence default ports when the installer asks is fine.

Accept the default option to start Confluence as a service:

Confluence can be run in the background.
You may choose to run Confluence as a service, which means it will start
automatically whenever the computer restarts.
Install Confluence as Service?
Yes [y, Enter], No [n]

Wait as the installer extracts the archived Confluence application files to the chosen location. Press Enter when prompted to continue by starting Confluence:

Extracting files ...
                                                                           
Please wait a few moments while we configure Confluence.
Installation of Confluence 6.7.1 is complete
Start Confluence now?
Yes [y, Enter], No [n]

When the install finishes, the installer tells you to finalize the setup by pointing your browser at the instance:

Please wait a few moments while Confluence starts up.
Launching Confluence ...
Installation of Confluence 6.7.1 is complete
Your installation of Confluence 6.7.1 is now ready and can be accessed via
your browser.
Confluence 6.7.1 can be accessed at http://localhost:8090
Finishing installation ...

Install Nginx Reverse Proxy with SSL

At this point we will configure Nginx as a reverse proxy before finalizing the Confluence installation via the web page.

Install Nginx:

sudo apt -y install nginx

Generate a self-signed SSL certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

The output should look something like this as you answer the various questions:

Generating a 2048 bit RSA private key
............+++
..........................................+++
writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Denton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WAYTTA   
Organizational Unit Name (eg, section) []:OpenSpeak
Common Name (e.g. server FQDN or YOUR name) []:ec2-01.amzn.openspeak.net
Email Address []:curry.searle@waytta.com

Generate the dhparam.pem:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Edit /etc/nginx/snippets/self-signed.conf

sudo vi /etc/nginx/snippets/self-signed.conf

to contain the following:

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Edit /etc/nginx/snippets/ssl-params.conf:

sudo vi /etc/nginx/snippets/ssl-params.conf

to include the following:

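# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling needs a CA-issued certificate. With the self-signed certificate
# generated above, Nginx logs a warning and ignores these two directives.
ssl_stapling on;
ssl_stapling_verify on;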
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Back up the default Nginx configuration file:

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default-DIST

Edit /etc/nginx/sites-available/default:

sudo vi /etc/nginx/sites-available/default

to include the following text, adjusted to match your DNS hostname:

server {
    listen ec2-01.amzn.openspeak.net:80;
    server_name ec2-01.amzn.openspeak.net;

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

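    # No PHP/FastCGI snippet is needed: Confluence is reached through proxy_pass.
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    # Left disabled: this block also listens on port 80, so an unconditional
    # redirect here would loop on HTTPS requests.
    #return 301 https://$server_name$request_uri;
    proxy_redirect http:// https://;

    # Allow large attachment uploads.
    client_max_body_size 2048M;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;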
        proxy_pass http://localhost:8090;
    }

}
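
The server block above also answers on port 80 and proxies those requests to Confluence in cleartext, because the redirect is commented out. One way to split it so that port 80 only redirects, as an added example that is not part of the original tutorial: it reuses the tutorial's hostname, snippets and upstream port, and the Host and X-Forwarded-Proto headers are additions assumed here.

```nginx
# Added example (not from the original tutorial).
# Assumptions: same hostname, snippets and Confluence port as above.

# Plain HTTP: never proxy to Confluence, only redirect to HTTPS.
# The redirect uses $server_name rather than the client-supplied Host header.
server {
    listen 80;
    listen [::]:80;
    server_name ec2-01.amzn.openspeak.net;

    return 301 https://$server_name$request_uri;
}

# HTTPS: terminate TLS here and proxy to the local Confluence connector.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name ec2-01.amzn.openspeak.net;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    # Allow large attachment uploads.
    client_max_body_size 2048M;

    location / {
        # Pass the original host and scheme so the backend sees what the
        # client requested (added headers, not in the tutorial's block).
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090;
    }
}
```

Check the syntax with `sudo nginx -t` before restarting. Confluence's own connector still listens on port 8090, so keep that port closed in the EC2 security group so that clients cannot bypass the proxy.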

Configure Confluence to Recognize the Proxy

Back up and edit the Connector section of /opt/atlassian/confluence/conf/server.xml:

sudo cp /opt/atlassian/confluence/conf/server.xml /opt/atlassian/confluence/conf/server.xml-DIST
sudo vi  /opt/atlassian/confluence/conf/server.xml

so that the Connector includes the following change, specifically the last line of the block, which sets proxyName, proxyPort and scheme:

        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="48" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                proxyName="ec2-01.amzn.openspeak.net" proxyPort="443" scheme="https"
        />

Restart Services

Restart Nginx & Confluence:

sudo service nginx restart
sudo service confluence restart

classes/install_confluence_671_bin.txt · Last modified: 2018/03/02 09:31 by curry_searle