How to allow or deny certain hosts to have access to Confluence
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.
You can allow and/or deny access to Confluence for certain hosts by using the following Apache Tomcat (Catalina) valve classes:
org.apache.catalina.valves.RemoteAddrValve
org.apache.catalina.valves.RemoteCIDRValve
Solution
Solution 1: Remote Address Valve
The remote address valve supports the following attributes:
Attribute | Description |
---|---|
className | Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteAddrValve. |
allow | A regular expression (using |
deny | A regular expression (using |
Example:
Add the following to the Confluence server.xml file:
<Engine name="Standalone" defaultHost="localhost" debug="0">
    <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
            <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
            <Manager pathname=""/>
            <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
            <!-- To allow access only for the clients connecting from localhost -->
            <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
        </Context>
        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                 reloadable="false" useHttpOnly="true">
            <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
        </Context>
    </Host>
</Engine>
Solution 2: Remote CIDR Valve
The remote CIDR valve allows you to use the IP address of the client. It supports the following configuration attributes:
Attribute | Description |
---|---|
className | Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteCIDRValve. |
allow | A comma-separated list of IPv4 or IPv6 netmasks or addresses that the remote client's IP address is matched against. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote IP is matched by a netmask in the |
deny | A comma-separated list of IPv4 or IPv6 netmasks or addresses that the remote client's IP address is matched against. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the |
Example:
Add the following to the Confluence server.xml file:
<Engine name="Standalone" defaultHost="localhost" debug="0">
    <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
            <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
            <Manager pathname=""/>
            <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
            <!-- To allow access only for the clients connecting from localhost -->
            <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
                   allow="127.0.0.1, ::1"/>
        </Context>
        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                 reloadable="false" useHttpOnly="true">
            <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
        </Context>
    </Host>
</Engine>
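To check an allow/deny setting against sample client addresses before editing server.xml, the following added example (not Atlassian or Tomcat code) emulates the decision rules of both valves in Python and compares the two "localhost only" settings shown above. It assumes the regex valve requires the pattern to match the whole address string, with Python's re module standing in for java.util.regex; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

def addr_valve_allows(addr, allow=None, deny=None):
    """RemoteAddrValve rules: allow/deny are regexes compared with the address string."""
    if allow is None and deny is None:
        raise ValueError("set allow and/or deny")
    if deny is not None and re.fullmatch(deny, addr):
        return False                      # a deny match always rejects
    if allow is not None:
        return re.fullmatch(allow, addr) is not None
    return True                           # only deny set: everything else passes

def _in_list(ip, spec):
    """True if ip falls inside any entry of a comma-separated netmask list."""
    nets = (ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip())
    return any(ip in net for net in nets)

def cidr_valve_allows(addr, allow="", deny=""):
    """RemoteCIDRValve rules: the address is parsed, then tested against netmasks."""
    if not allow.strip() and not deny.strip():
        raise ValueError("set allow and/or deny")
    ip = ipaddress.ip_address(addr)
    if deny.strip() and _in_list(ip, deny):
        return False
    if allow.strip():
        return _in_list(ip, allow)
    return True

# The two "localhost only" settings from the examples above.
REGEX_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
CIDR_ALLOW = "127.0.0.1, ::1"

# Constructed sample client addresses (not taken from any log).
SAMPLES = ["127.0.0.1", "127.0.0.2", "::1", "0:0:0:0:0:0:0:1", "192.0.2.10"]

def compare(samples=SAMPLES):
    """Return {address: (regex_valve_decision, cidr_valve_decision)}."""
    return {a: (addr_valve_allows(a, allow=REGEX_ALLOW),
                cidr_valve_allows(a, allow=CIDR_ALLOW)) for a in samples}

if __name__ == "__main__":
    for addr, (by_regex, by_cidr) in compare().items():
        print(f"{addr:18} RemoteAddrValve={by_regex!s:5} RemoteCIDRValve={by_cidr}")
```

The two settings differ for 127.0.0.2: the regex accepts any 127.x.x.x address, while the CIDR entry 127.0.0.1 is a single host (127.0.0.0/8 would cover the same range). The regex valve also needs each textual form of the IPv6 loopback listed, whereas the CIDR check parses the address first.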
For more information, please visit the Apache Tomcat Documentation.