Tomcat config is incorrect warning in Confluence 7.11 or later when there are two reverse proxies

Summary

Problem

When there are multiple reverse proxy layers in front of Confluence, such as:

• https://www.example.com (NGINX/Apache) (port: 443) → http://my-load-balancer.com (AWS ELB) (port: 80) → Tomcat (port: 8090)

• https://www.example.com (NGINX/Apache) (port: 443) → http://my-load-balancer.com (Azure App Gateway) (port: 80) → Tomcat (port: 8090)

Confluence displays the following message to administrators:

Diagnosis

• Confluence version is Confluence 7.11 or later

• There are two or more reverse proxies in front of the Confluence Server

• The URL used in the Browser URL is correct (e.g. https://www.example.com)✔️

• The reverse proxy tags are correctly set on the Tomcat connector ✔️

  1 2 3 4 5 6 <Connector port="8090" connectionTimeout="20000" redirectPort="8443" maxThreads="48" minSpareThreads="10" enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol proxyName="www.example.com" proxyPort="443" scheme="https" "/>

• The Server Base URL is set correctly in Confluence Administration » General Configuration to https://www.example.com✔️

• Running this Javascript in the Console tab of the Browser Developer Tools returns the correct results ✔️

  1 2 >> window.location.protocol + '//' + window.location.host + AJS.contextPath(); https://www.example.com

• Running this Javascript on the Console tab of the Browser Developer Tools returns the incorrect result ❌

  Actual Results

  1 2 >> AJS.Meta.get('server-scheme') + '://' + AJS.Meta.get('server-name') + ':' + AJS.Meta.get('server-port') + AJS.contextPath(); http://my-load-balancer.com:80

  Expected Results

  1 2 >> AJS.Meta.get('server-scheme') + '://' + AJS.Meta.get('server-name') + ':' + AJS.Meta.get('server-port') + AJS.contextPath(); https://www.example.com

Cause

This is usually because the middle layer Load Balancer/Reverse Proxy (such as AWS ELB or Azure App Gateway) has injected these HTTP Headers:

• X-Forwarded-Proto

• X-Forwarded-Port

Example: As per the AWS ELB HTTP headers and Application Load Balancers documentation:

The

X-Forwarded-Proto

request header helps you identify the protocol (HTTP or HTTPS) that a client used to connect to your load balancer.

The

X-Forwarded-Port

request header helps you identify the destination port that the client used to connect to the load balancer.

The default <confluence-install-directory>/conf/server.xml included with Confluence 7.11+ has this RemoteIpValve enabled:

The default enabled RemoteIpValve included in Confluence 7.11+ applies the values from the X-Forwarded-Proto and X-Forwarded-Port HTTP headers which causes the Tomcat reverse proxy health check to report the warning.

Solution

Workaround

If you have checked that all the above items in the Diagnosis section are configured correctly, the RemoteIpValve can be commented out as such:

1. Shutdown Confluence.

2. Edit <confluence-install-directory>/conf/server.xml

3. Comment out the RemoteIpValve with <!-- ........ --> as such:

   1 <!-- <Valve className="org.apache.catalina.valves.RemoteIpValve" /> -->

4. Start Confluence.

5. The Tomcat config is incorrect warning should no longer appear.

If you still see the Tomcat config is incorrect warning after checking your server.xml, please also review:

• Can't check base URL warning in Confluence 6.6 or later