Tomcat config is incorrect warning in Confluence 7.11 or later when there are two reverse proxies
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When there are multiple reverse proxy layers in front of Confluence, such as:
- https://www.example.com (NGINX/Apache) (port: 443) → http://my-load-balancer.com (AWS ELB) (port: 80) → Tomcat (port: 8090)
- https://www.example.com (NGINX/Apache) (port: 443) → http://my-load-balancer.com (Azure App Gateway) (port: 80) → Tomcat (port: 8090)
Confluence displays the following message to administrators:
Tomcat config is incorrect
The Tomcat server.xml has an incorrect configuration:
scheme should be '<recommended scheme>'
proxyName should be '<recommended proxyName>'
proxyPort should be '<recommended proxyPort>'
Diagnosis
- Confluence version is Confluence 7.11 or later
- There are two or more reverse proxies in front of the Confluence Server
- The URL in the browser address bar is correct (e.g. https://www.example.com)
- The reverse proxy attributes are correctly set on the Tomcat connector:
  <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
             maxThreads="48" minSpareThreads="10" enableLookups="false"
             acceptCount="10" debug="0" URIEncoding="UTF-8"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             proxyName="www.example.com" proxyPort="443" scheme="https" />
- The Server Base URL is set correctly in Confluence Administration » General Configuration to https://www.example.com
- Running this JavaScript in the Console tab of the browser Developer Tools returns the correct result:
  >> window.location.protocol + '//' + window.location.host + AJS.contextPath();
  https://www.example.com
- Running this JavaScript in the Console tab of the browser Developer Tools returns the incorrect result:
  Actual result:
  >> AJS.Meta.get('server-scheme') + '://' + AJS.Meta.get('server-name') + ':' + AJS.Meta.get('server-port') + AJS.contextPath();
  http://my-load-balancer.com:80
  Expected result:
  >> AJS.Meta.get('server-scheme') + '://' + AJS.Meta.get('server-name') + ':' + AJS.Meta.get('server-port') + AJS.contextPath();
  https://www.example.com
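The comparison behind the two console checks above, as an added example (not Atlassian's code and not Confluence's actual health check): it normalises the browser's view and the server-reported server-* values, fills in the default port that window.location.port leaves empty, and lists each mismatch in the wording of the warning. The function names and sample objects are assumptions, constructed from this page's example topology.

```javascript
// Added example, not Atlassian code. Default port for each URL scheme.
const DEFAULT_PORTS = { http: '80', https: '443' };

// Normalise what the browser sees (same shape as window.location).
function browserView(loc) {
  const scheme = loc.protocol.replace(/:$/, '');
  return {
    scheme,
    name: loc.hostname.toLowerCase(),
    // window.location.port is '' when the URL uses the scheme's default port
    port: loc.port || DEFAULT_PORTS[scheme],
  };
}

// Normalise what the server reports (values of AJS.Meta.get('server-*')).
function serverView(meta) {
  return {
    scheme: String(meta['server-scheme']),
    name: String(meta['server-name']).toLowerCase(),
    port: String(meta['server-port']),
  };
}

// Return one line per mismatch, phrased like the admin warning.
function proxyMismatches(loc, meta) {
  const b = browserView(loc);
  const s = serverView(meta);
  const out = [];
  if (s.scheme !== b.scheme) out.push(`scheme should be '${b.scheme}'`);
  if (s.name !== b.name) out.push(`proxyName should be '${b.name}'`);
  if (s.port !== b.port) out.push(`proxyPort should be '${b.port}'`);
  return out;
}

// Constructed sample values based on the page's example topology.
const sampleLocation = { protocol: 'https:', hostname: 'www.example.com', port: '' };
const brokenMeta = { 'server-scheme': 'http', 'server-name': 'my-load-balancer.com', 'server-port': '80' };
const fixedMeta = { 'server-scheme': 'https', 'server-name': 'www.example.com', 'server-port': '443' };

console.log(proxyMismatches(sampleLocation, brokenMeta)); // three mismatches
console.log(proxyMismatches(sampleLocation, fixedMeta));  // none

// In the browser console, pass window.location and an object built from
// AJS.Meta.get('server-scheme'), AJS.Meta.get('server-name') and
// AJS.Meta.get('server-port').
```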
Cause
This is usually because the middle-layer load balancer or reverse proxy (such as AWS ELB or Azure App Gateway) has injected these HTTP headers:
- X-Forwarded-Proto
- X-Forwarded-Port
Example: As per the AWS ELB HTTP headers and Application Load Balancers documentation:
The X-Forwarded-Proto request header helps you identify the protocol (HTTP or HTTPS) that a client used to connect to your load balancer.
The X-Forwarded-Port request header helps you identify the destination port that the client used to connect to the load balancer.
The default <confluence-install-directory>/conf/server.xml included with Confluence 7.11+ has this RemoteIpValve enabled:
<!-- http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
The RemoteIpValve, which is enabled by default in Confluence 7.11+, applies the values from the X-Forwarded-Proto and X-Forwarded-Port HTTP headers, which causes the Tomcat reverse proxy health check to report the warning.
Workaround
If you have checked that all the above items in the Diagnosis section are configured correctly, the RemoteIpValve can be commented out as follows:
- Shut down Confluence.
- Edit <confluence-install-directory>/conf/server.xml and comment out the RemoteIpValve with <!-- ........ --> as follows:
  <!-- <Valve className="org.apache.catalina.valves.RemoteIpValve" /> -->
- Start Confluence.
- The Tomcat config is incorrect warning should no longer appear.
If you still see the Tomcat config is incorrect warning after checking your server.xml, please also review: