Tutorial on using Docker Compose to build Confluence

This article uses the "Attribution 4.0 International (CC BY 4.0)" license agreement. You are welcome to reprint or modify it for use, but you need to indicate the source. Attribution 4.0 International (CC BY 4.0)

Author: Su Yang

Creation time: March 30, 2019 Word count: 5170 words Reading time: 11 minutes to read this article link: https://soulteary.com/2019/03/30/construct-confluence-with-docker.html

Building Confluence with Docker

For small team collaboration or if you want to spend money to save worry, Confluence is one of the better choices. However, when I installed Confluence recently, I found that the official and online installation instructions were relatively "backward" and inefficient, so I wrote this article.

This article will introduce how to use Docker Compose to quickly build Confluence and how to use it with Traefik . If you have read the previous content, you should be able to solve the battle in ten minutes by following this article.

Basic preparation

• Official container image on Docker Hub: https://hub.docker.com/r/atlassian/confluence-server/tags

Here we will explain two representative versions: 6.4 and 6.15

• MySQL JDBC Connector: https://dev.mysql.com/downloads/connector/j/5.1.html

If you also choose to use MySQL as the storage backend, you need to download this file. Generally, you will get a compressed package of mysql-connector-java-5.1.47.tar.gz . After decompression, you will get mysql-connector-java-5.1.47.jar , which we will use later.

For the use of old versions of software

Let's talk about the old version first. If you just need basic Wiki functionality, the following configuration file should be able to meet your needs.

version: '3'

services:

  confluence:
    image: atlassian/confluence-server:6.4.3-alpine
    expose:
      - 8090
      - 8091
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.port=8090"
      - "traefik.frontend.rule=Host:${DOMAIN}"
      - "traefik.frontend.entryPoints=http,https"
    volumes:
      - ./data:/var/atlassian/application-data/confluence
      - ./mysql-connector-java-5.1.47.jar:/opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-java-5.1.47.jar

networks:
  traefik:
    external: true

After saving the above file as docker-compose.yml , we create another basic configuration file **.env **, which is as simple as the above configuration. The file content can be as follows.

DOMAIN=wiki.lab.com

Put docker-compose.yml , .env , and mysql-connector-java-5.1.47.jar in the same directory. If your Traefik is ready at this moment, execute docker-compose up and your service will be started.

Simply access the domain name you configured, such as wiki.lab.com in the example, and you can configure the Confluence web interface. If you don’t know how to use Traefik yet, you can check out the old articles, which are also tutorials under ten minutes.

If you choose to deploy Confluence on the public network, you might as well simply add Basic Auth authentication to block these malicious requests from the public network.

Because we use Traefik, adding this feature is very simple and only requires two steps:

The first step is to add the following content to the labels field of docker-compose.yml .

- "traefik.frontend.auth.basic=${BASIC_AUTH}"

The second step is to execute htpasswd -nb user user to get a text string containing the username and encrypted password, such as user:$apr1$MzgRxukq$MhYl/2JidzUNlHfyfIQF41 , and then add the content to .env :

BASIC_AUTH=user:$apr1$MzgRxukq$MhYl/2JidzUNlHfyfIQF41

When another scanner wants to scan the application directly, it will be blocked by Basic Auth.

Application health check error

When you complete the installation and start using it, you will find a warning message in the upper right corner of the interface.

Can't check base URL

This problem is mentioned in the official knowledge base. If you are also using an earlier version (before 6.6), you can actually solve the problem by configuring Hosts .

For example, add a statement in docker-compose.yml to let the application server look for the application address on the local machine instead of accessing the application on the public network address. The reference configuration is as follows:

version: '3'

services:

  confluence:
    image: atlassian/confluence-server:6.4.3-alpine
    expose:
      - 8090
      - 8091
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.port=8090"
      - "traefik.frontend.rule=Host:${DOMAIN}"
      - "traefik.frontend.entryPoints=http,https"
    volumes:
      - ./data:/var/atlassian/application-data/confluence
      - ./mysql-connector-java-5.1.47.jar:/opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-java-5.1.47.jar
    extra_hosts:
      - "${DOMAIN}:127.0.0.1"

networks:
  traefik:
    external: true

Isn’t it very simple? If your needs are basic, the above configuration should be able to meet your needs.

For the use of new version software

Next, let's talk about how to use the latest version of the software. Since we use containers, updating the version is very simple. Just modify the version number of the image in the configuration file. For example, if I want to upgrade the lower version 6.4.3 to another version, I only need to change 6.4.3 in the configuration to 6.15.1 , for example, atlassian/confluence-server:6.15.1-alpine .

Other basic usage is consistent with the old version of the software. However, there are a few minor issues here that need to be addressed.

The database cannot be connected correctly

WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

To solve this problem, you can choose to configure an encrypted MySQL connection and update the certificate in the container, or you can choose to add parameters to turn off the mandatory use of encrypted connection requests. The latter is simpler and can be done if the requirements are not high.

Edit hibernate.connection.url in the data/confluence.cfg.xml file, add the ?useSSL=false parameter after the connection address, and restart the application.

Traefik Basic Auth and Tomcat interact

In the new version of the software logic, there is additional processing for requests with Basic Auth : if Basic Auth is configured above, the application will prompt that the verification failed and you cannot log in to the system.

This is obviously not the purpose of adding Basic Auth, and in actual use, it is not recommended to directly expose Confluence's authentication interface to the outside world.

The solution is simple. Add a line in docker-compose.yml - "traefik.frontend.auth.basic.removeHeader=true" . The authentication information of Traefik will only be used for Traefik. When the reverse proxy is applied, the authentication information in the HTTP request will be deleted.

Again, restarting the app will solve the problem.

A slightly more troublesome health check

Because we use Traefik to mount the certificate, the application actually runs behind a proxy server. When you access the console using the administrator, you will see a warning message.

Your URL does not match

Confluence's base URL is set to http://wiki.lab.com, but you are accessing Confluence from https://wiki.lab.com.

Considering the normal use of the application, we usually modify the protocol, such as modifying the site base URL to https . But after the correction, you will get another warning.

Tomcat is not configured correctly

Tomcat server.xml configuration is incorrect:
Scheme should be 'https'
proxyName should be 'YOUR_DOMAIN_URI'
proxyPort should be '443'

The reason is that for newer versions of applications, the health check logic comes with port and protocol judgment. The happy days when lower versions could directly use Traefik to reverse mount certificates are gone forever.

Solving the problem requires three steps.

The first step is to copy the Tomcat running configuration server.xml in the container to the local computer (da5582a01879 is the container PID obtained by docker ps).

docker cp da5582a01879:/opt/atlassian/confluence/conf/server.xml .

In the second step, update the configuration of the Connector with port 8090 to the following content (pay special attention to the last line):

<Connector
    port="8090"
    connectionTimeout="20000"
    redirectPort="8443"
    maxThreads="48" minSpareThreads="10"
    enableLookups="false"
    acceptCount="10"
    debug="0"
    URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    proxyName="wiki.lab.com" proxyPort="443" scheme="https"/>

The third step is to update docker-compose.yml configuration file.

Add the following content to the volumes field:

- ./server.xml:/opt/atlassian/confluence/conf/server.xml

Also delete the extra_hosts field content.

Restart the app and everything should be fine.

Complete configuration file

For ease of use, a complete reference configuration is given here.

version: '3'

services:

  confluence:
    image: atlassian/confluence-server:6.15.1-alpine
    expose:
      - 8090
      - 8091
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.port=8090"
      - "traefik.frontend.rule=Host:${DOMAIN}"
      - "traefik.frontend.entryPoints=http,https"
      - "traefik.frontend.auth.basic.removeHeader=true"
      - "traefik.frontend.auth.basic=${BASIC_AUTH}"
    volumes:
      - ./data:/var/atlassian/application-data/confluence
      - ./mysql-connector-java-5.1.47.jar:/opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-java-5.1.47.jar
      - ./server.xml:/opt/atlassian/confluence/conf/server.xml


networks:
  traefik:
    external: true

at last

Although Confluence is a good solution for teams, it may be better to use the completely open source and free WordPress for individuals/teams with customization capabilities. In the next article, I will introduce some customization of WordPress for knowledge management purposes.

The above is the details of using Docker to build Confluence. For more information about using Docker to build Confluence, please pay attention to other related articles on 123WORDPRESS.COM!