How to allow or deny certain hosts to have access to Confluence

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

You can allow and/or deny certain hosts to access Confluence via the following catalina classes:

org.apache.catalina.valves.RemoteAddrValve
org.apache.catalina.valves.RemoteCIDRValve

Solution

Solution 1: Remote Address Valve

The remote address valve supports the following attributes:

Attribute	Description
className	Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteAddrValve.
allow	A regular expression (using `java.util.regex`) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote address matches a `deny` pattern.
deny	A regular expression (using `java.util.regex`) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the `allow` attribute.

Example:

Add the following in Confluence server.xmlfile:

        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname=""/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
					<!-- To allow access only for the clients connecting from localhost -->
					<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                         reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>
            </Host>
        </Engine>

Solution 2: Remote CIDR Valve

The remote CIDR valve allows you to use the IP address of the client. It supports the following configuration attributes:

Attribute	Description
className	Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteCIDRValve.
allow	A comma-separated list of IPv4 or IPv6 netmasks or addresses that the remote client's IP address is matched against. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote IP is matched by a netmask in the `deny` attribute.
deny	A comma-separated list of IPv4 or IPv6 netmasks or addresses that the remote client's IP address is matched against. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the `accept` attribute.

Example:

Add the following in Confluence server.xmlfile:

        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname=""/>
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
					<!-- To allow access only for the clients connecting from localhost -->
					<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
      allow="127.0.0.1, ::1"/>
                </Context>

                <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
                         reloadable="false" useHttpOnly="true">
                    <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
                </Context>
            </Host>
        </Engine>

For more information, please visit the Apache Tomcat Documentation.

Updated on April 8, 2025

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

How to allow or deny certain hosts to have access to Confluence

Summary

Solution

Solution 1: Remote Address Valve

Solution 2: Remote CIDR Valve

Still need help?