
I have Confluence set up in Azure Data-centre and running ok. I want to make sure

  • Users in certain IP range can access Confluence pages.
  • Users that are not in the above IP range will see the login page and, once logged in, can use Confluence.

Now, I suppose if I add in the server.xml the following line (src:https://confluence.atlassian.com/confkb/how-to-allow-only-certain-ip-addresses-to-have-access-to-confluence-658015747.html)

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.0.1,192.168.50.*" />

as below:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <Connector
                port="8080"
                connectionTimeout="60000"
                disableUploadTimeout="true"
                maxHttpHeaderSize="16384"
                redirectPort="8443"
                maxThreads="280"
                minSpareThreads="280"
                enableLookups="false"
                acceptCount="10"
                debug="0"
                URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                proxyName="confluence.mydomain.com.au"
                proxyPort="443"
                scheme="https"
                secure="false"
        />

        <Engine name="ConfluenceDC" defaultHost="localhost" debug="0">

            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <Manager pathname=""/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>

                <Context path="/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>

                <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.0.1,192.168.50.*" />

            </Host>
        </Engine>
    </Service>
</Server>

This will possibly allow Confluence to be accessible by the IPs given. But I want to ensure other IPs hit the login page for access. How do I do that?

1 Answer

I don't see any way to configure this in Tomcat. You would have to configure automatic login for certain IPs, but I don't think this is what you want (all visitors from those IPs would be essentially the same user).

Maybe there is a Confluence add-on that allows such fine-grained permissions, but I don't know one.

My approach would be to just use Confluence permissions for this. Place all public pages in a Confluence Space that anonymous users can view. Place all non-public pages in a Space that is only visible to logged in users. That doesn't really fit what you are asking, but since we don't know what you are actually trying to achieve, I mention it. Maybe it helps someone else as well.


An afterthought: I have one Confluence instance running that fits what you want. On that instance I have basic auth configured in Apache, which runs as a reverse proxy.

Every request from certain IPs (in this case Zabbix) can access Confluence directly and is considered an anonymous user. Every request not from these IPs has to authenticate via basic auth before the user can access Confluence.

So, by moving the authentication from Confluence to your reverse proxy you can achieve what you want.

Gerald Schneider
  • Thanks, looks like this is what I need. I am a noob at "moving the authentication from Confluence to your reverse proxy you can achieve what you want.". Any links? example? codes? Thanks again – Hello Universe Mar 11 '19 at 10:13
  • Well, that depends on what you are using as reverse proxy and what you are using as a storage backend for your users. But it boils down to "google for it". Configuring Apache for basic auth is well documented, just using Crowd as user directory is problematic, as this configuration is officially not supported. I have the problem myself currently, I need to find a working third party addon that works with a modern Apache. – Gerald Schneider Mar 11 '19 at 10:19
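
The reverse-proxy arrangement described in the answer, sketched for Apache 2.4 as an added example (it is not the answerer's actual configuration and covers only the access-control part). The host name and IP ranges are taken from the question; the htpasswd file, the certificate paths and the backend address 127.0.0.1:8080 are assumptions.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_core, mod_authz_host and mod_authz_user.
<VirtualHost *:443>
    ServerName confluence.mydomain.com.au

    SSLEngine on
    # Placeholder paths, replace with the real certificate and key.
    SSLCertificateFile    "/path/to/certificate.pem"
    SSLCertificateKeyFile "/path/to/private-key.pem"

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/">
        AuthType Basic
        AuthName "Confluence"
        AuthBasicProvider file
        # Assumed user store, created with the htpasswd tool.
        AuthUserFile "/etc/apache2/confluence.htpasswd"

        # Access is granted if EITHER condition holds:
        # the client address is in the allowed ranges (no prompt),
        # or the client presents valid basic auth credentials.
        <RequireAny>
            Require ip 127.0.0.1 192.168.0.1 192.168.50.0/24
            Require valid-user
        </RequireAny>
    </Location>

    # Assumed backend: the Tomcat connector on port 8080 from server.xml,
    # running on the same machine as Apache.
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```

Behind this proxy Tomcat sees the proxy's address rather than the client's, so a RemoteAddrValve in server.xml can no longer distinguish client ranges. Restricting it to the proxy's address (127.0.0.1 in this sketch) keeps port 8080 from being reached directly, which would bypass the check above.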