Ever since the server was hit by ransomware last time, Confluence has been a thorn in my side.
All the security protections were in place, yet we still got ransomware; I could not work out how. The only possible explanation was that Confluence had a vulnerability, and looking into it, Confluence does indeed have an improper authorization vulnerability (CVE-2023-22518).
After keeping the service offline for a while, I used the May Day holiday to upgrade to the latest version.
1. Download the software
1.1 Download Atlassian Confluence 8.9.1
https://www.atlassian.com/software/confluence/download-archives
Installation guide:
https://confluence.atlassian.com/doc/confluence-installation-and-upgrade-guide-214864161.html
System requirements:
https://confluence.atlassian.com/doc/supported-platforms-207488198.html
1.2 Download TencentKona 11
https://cloud.tencent.com/document/product/1149/38537
1.3 Download MySQL 8.0
https://dev.mysql.com/downloads/repo/yum/
1.4 Download the MySQL Connector/J driver
https://dev.mysql.com/downloads/connector/j/
2. Install Java
Note: Confluence 8.9.1 does not support TencentKona 17; when you enter the activation code it reports that the code is invalid, and the cause is the Java version.
Extract to the /opt directory
tar -zxvf TencentKona-11.0.14.b1-jdk_linux-x86_64.tar.gz -C /opt
Add it to the profile
vim /etc/profile
export JAVA_HOME=/opt/TencentKona-11.0.14.b1
export PATH=${JAVA_HOME}/bin:$PATH
export CLASSPATH=.:${JAVA_HOME}/lib
Reload the profile
source /etc/profile
Check the Java version
java -version
3. Install MySQL
yum localinstall mysql80-community-release-el8-9.noarch.rpm
Check that the repository is enabled
yum repolist enabled | grep "mysql.*-community.*"
Disable the MySQL module bundled with CentOS 8
yum module disable mysql
Install MySQL; note that --nogpgcheck has to be added
yum install mysql-community-server --nogpgcheck
Enable MySQL at boot, start it, and check the service
systemctl enable mysqld
systemctl start mysqld
systemctl status mysqld
Look up the generated temporary password
grep 'temporary password' /var/log/mysqld.log
Change the root password
ALTER USER 'root'@'localhost' IDENTIFIED BY '<password>';
Edit the database configuration file
vim /etc/my.cnf
Atlassian's official database requirements: https://confluence.atlassian.com/doc/database-setup-for-mysql-128747.html
# Confluence Configure
character-set-server=utf8mb4
collation-server=utf8mb4_bin
default-storage-engine=INNODB
max_allowed_packet=256M
innodb_log_file_size=2GB
transaction-isolation=READ-COMMITTED
binlog_format=row
log_bin_trust_function_creators = 1
log_bin_trust_function_creators = 1 must be added; without it, connecting to the database later fails with an error
Restart the MySQL service so the configuration takes effect
systemctl restart mysqld
Create the user and the database
CREATE USER 'confluenceuser'@'%' IDENTIFIED BY '<password>';
CREATE DATABASE confluence CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;
GRANT ALL PRIVILEGES ON confluence.* TO 'confluenceuser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
\q
For what WITH GRANT OPTION does, see: https://blog.csdn.net/chenghuikai/article/details/52219491
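The following is an added example and not part of the original post: a POSIX shell script that audits a MySQL option file against the [mysqld] settings listed above (character set, collation, storage engine, packet size, log file size, isolation level, binlog format and log_bin_trust_function_creators), so that a missing or mistyped setting is caught before Confluence's setup wizard fails on the database step. The option file it writes is a constructed sample, not a real server's /etc/my.cnf; the script name and the finding labels (MISSING, MISMATCH, TOO_SMALL) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: check a MySQL option file for the
# settings Confluence needs (values as listed on this page). Paths are assumptions.

# Settings that must match exactly. Keys are compared with '-' folded to '_' and
# values case-insensitively, the way MySQL itself treats them.
REQUIRED_EXACT="character_set_server=utf8mb4
collation_server=utf8mb4_bin
default_storage_engine=innodb
transaction_isolation=read-committed
binlog_format=row
log_bin_trust_function_creators=1"

# Settings that must be at least this large.
REQUIRED_MIN="max_allowed_packet=256M
innodb_log_file_size=2G"

# size_to_bytes 256M -> 268435456. Accepts K/M/G with an optional trailing B.
size_to_bytes() {
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/B$//')
    n=${s%[KMG]}
    case "$s" in
        *K) echo $((n * 1024)) ;;
        *M) echo $((n * 1024 * 1024)) ;;
        *G) echo $((n * 1024 * 1024 * 1024)) ;;
        *)  echo "$n" ;;
    esac
}

# cnf_settings FILE: print "key=value" for each option in the [mysqld] section,
# comments and whitespace stripped, key with '-' -> '_', everything lowercased.
cnf_settings() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && /=/ {
            sub(/#.*/, ""); gsub(/[[:space:]]/, "")
            if ($0 == "") next
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/-/, "_", key)
            val = tolower(substr($0, index($0, "=") + 1))
            print key "=" val
        }' "$1"
}

# setting_value SETTINGS KEY: last value given for KEY (later lines win, as in MySQL).
setting_value() {
    printf '%s\n' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# check_mysql_cnf FILE: print one finding per line (MISSING / MISMATCH / TOO_SMALL);
# return 0 only when the file satisfies every requirement.
check_mysql_cnf() {
    settings=$(cnf_settings "$1")
    problems=0
    for want in $REQUIRED_EXACT; do
        key=${want%%=*}; expect=${want#*=}
        got=$(setting_value "$settings" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key"; problems=$((problems + 1))
        elif [ "$got" != "$expect" ]; then
            echo "MISMATCH $key=$got (want $expect)"; problems=$((problems + 1))
        fi
    done
    for want in $REQUIRED_MIN; do
        key=${want%%=*}; min=${want#*=}
        got=$(setting_value "$settings" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key"; problems=$((problems + 1))
        elif [ "$(size_to_bytes "$got")" -lt "$(size_to_bytes "$min")" ]; then
            echo "TOO_SMALL $key=$got (min $min)"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# write_sample_cnf FILE: constructed sample (not a real server's my.cnf) with the
# page's settings, but binlog_format wrong and log_bin_trust_function_creators missing.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
# Confluence Configure
character-set-server=utf8mb4
collation-server=utf8mb4_bin
default-storage-engine=INNODB
max_allowed_packet=256M
innodb_log_file_size=2GB
transaction-isolation=READ-COMMITTED
binlog_format=statement
EOF
}

# Usage: sh check_my_cnf.sh /etc/my.cnf   (no argument: run on the constructed sample)
if [ "$#" -ge 1 ]; then
    check_mysql_cnf "$1"
else
    sample=$(mktemp); write_sample_cnf "$sample"
    check_mysql_cnf "$sample"
    rm -f "$sample"
fi
```

Run it against the real file after editing /etc/my.cnf and before restarting mysqld; an empty output and a zero exit status mean every setting the page lists is present with an acceptable value.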
4. Install Confluence
4.1 Create the required directories
mkdir -pv /data/{confluence,confluence-home}
Extract the archive into the confluence directory
tar xvf atlassian-confluence-8.9.1.tar.gz -C /data/confluence/
Configure confluence-home
vim /data/confluence/atlassian-confluence-8.9.1/confluence/WEB-INF/classes/confluence-init.properties
Add the following setting
confluence.home=/data/confluence-home
4.2 Activation tool agent.jar
Upload the downloaded jar to the /opt/ directory
/opt/agent.jar
4.3 MySQL driver
Before starting, copy the MySQL driver into the installation directory so that another restart is not needed later
tar -zxvf mysql-connector-j-8.3.0.tar.gz
cd mysql-connector-j-8.3.0/
mv mysql-connector-j-8.3.0.jar /data/confluence/atlassian-confluence-8.9.1/confluence/WEB-INF/lib/
4.4 Start Confluence
JAVA_OPTS="-javaagent:/opt/agent.jar" /data/confluence/atlassian-confluence-8.9.1/bin/start-confluence.sh
Check whether startup succeeded
netstat -tunlp | grep 8090
ps aux|grep javaagent
ps aux | grep confluence
Auto-start setting for atlassian-agent
vim /data/confluence/atlassian-confluence-8.9.1/bin/setenv.sh
export JAVA_OPTS="-javaagent:/opt/agent.jar ${JAVA_OPTS}"
Open http://ip:8090 in a browser and start configuring Confluence
Generate the license key
java -jar /opt/agent.jar -d -m xxx@qq.com -n liangfu.wang -p conf -o liangfu.wang -s B2D2-GEK1-SIFY-FL7X
The parameters are:
-d: whether a Data Center license is required
-m: e-mail address the license is issued to
-n: license name; defaults to the e-mail address the license is issued to
-o: organization name the license is issued to
-p: product name; for Confluence use conf. Supported values:
- crowd: Crowd
- jsm: JIRA Service Management
- questions: Questions plugin for Confluence
- crucible: Crucible
- capture: Capture plugin for JIRA
- conf: Confluence
- training: Training plugin for JIRA
- *: third-party plugin key, usually of the form com.foo.bar
- bitbucket: Bitbucket
- tc: Team Calendars plugin for Confluence
- bamboo: Bamboo
- fisheye: FishEye
- portfolio: Portfolio plugin for JIRA
- jc: JIRA Core
- jsd: JIRA Service Desk
- jira: JIRA Software (common jira)
-s: server ID, found on the Confluence setup page
Note: starting with 8.6, Confluence only supports Data Center licenses, so the command that generates the activation code needs -d
5. Miscellaneous
5.1 Restore from a backup
If the export file is large, it has to be imported from the home directory. Copy the file to /data/confluence-home/restore, then import it from there.
cp /data/backups/backup-2023_11_03.zip /data/confluence-home/restore
5.2 Custom backup path
vim /data/confluence-home/confluence.cfg.xml
<property name="admin.ui.allow.daily.backup.custom.location">true</property>
Restart Confluence
sh /data/confluence/atlassian-confluence-8.9.1/bin/stop-confluence.sh
sh /data/confluence/atlassian-confluence-8.9.1/bin/start-confluence.sh
5.3 Scheduled jobs
Cron expression configured in Confluence:
0 0 3 1,3,6,9,12,15,18,21,24,27,29 * ?
Online cron expression generator: https://cron.qqe2.com/
crontab job configured on the Linux machine
0 5 * * * /bin/sh /opt/cos_migrate_tool_v5-1.4.12/start_migrate.sh
5.4 PDF export language support
msyh.ttc
5.5 Configure an Nginx reverse proxy
(1) Install Nginx
Install Nginx
yum install -y nginx
Start Nginx
systemctl start nginx.service
Enable Nginx at boot
systemctl enable nginx.service
(2) Configuration
Edit the /etc/nginx/nginx.conf file
vim /etc/nginx/nginx.conf
#user nobody;
worker_processes 10;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    underscores_in_headers on;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
Create the /etc/nginx/conf.d/wiki.conf file
vim /etc/nginx/conf.d/wiki.conf
server {
    listen 80;
    server_name liangfu.wang;
    return 301 https://liangfu.wang$request_uri;
}

server {
    listen 443 ssl;
    server_name liangfu.wang;

    ssl_certificate /data/liangfu.wang_bundle.crt;
    ssl_certificate_key /data/liangfu.wang.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090;
    }

    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
Restart Nginx
nginx -c /etc/nginx/nginx.conf
Check the processes
# ps -ef | grep nginx
root     20218     1  0 01:28 ?        00:00:00 nginx: master process nginx -c /etc/nginx/nginx.conf
nginx    20219 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20220 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20221 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20222 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20223 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20224 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20225 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20226 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20227 20218  0 01:28 ?        00:00:00 nginx: worker process
nginx    20228 20218  0 01:28 ?        00:00:00 nginx: worker process
root     22886 20001  0 01:36 pts/0    00:00:00 grep --color=auto nginx
5.6 Configure the Tomcat connector for the https scheme
Edit /data/confluence/atlassian-confluence-8.9.1/conf/server.xml
vim /data/confluence/atlassian-confluence-8.9.1/conf/server.xml
Add the https attributes to the Connector
scheme="https" secure="true" proxyName="liangfu.wang" proxyPort="443"
The result looks like this:
5.7 JVM memory tuning
On a default installation the JVM heap is set to 1024M; when many users access the site at the same time the service hangs and the log reports JVM OutOfMemoryError
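Below is an added example, not from the original post: a POSIX shell script that lints the two halves of the proxy chain set up in 5.5 and 5.6. For the Nginx site file it flags TLS settings that the wiki.conf above still permits (its ssl_protocols line enables TLSv1 and TLSv1.1, and its cipher list contains 3DES suites such as DES-CBC3-SHA); for server.xml it confirms that the Connector on port 8090 carries the scheme, secure, proxyName and proxyPort attributes, which is how Confluence learns that it is reached over https. The two files it writes are constructed, cut-down samples; the script name, the file paths and the finding labels are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: lint the Nginx TLS settings and the
# Tomcat connector attributes used for the reverse proxy in sections 5.5 and 5.6.
# The sample files written below are constructed; real paths are assumptions.

# check_nginx_tls FILE: flag protocol versions below TLSv1.2 and 3DES/RC4 cipher
# suites in an Nginx site file. Prints one finding per line; returns 0 when clean.
check_nginx_tls() {
    problems=0
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK_PROTOCOL $p"; problems=$((problems + 1)) ;;
        esac
    done
    ciphers=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*'\(.*\)';.*/\1/p" "$1" | tr ':' '\n')
    for c in $ciphers; do
        case "$c" in
            *DES-CBC3*|*RC4*) echo "WEAK_CIPHER $c"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# check_tomcat_connector FILE PORT: the <Connector> on PORT must carry the attributes
# from section 5.6 so Confluence knows it sits behind an https proxy. Returns 0 when ok.
check_tomcat_connector() {
    # Flatten the XML so a multi-line <Connector .../> element is matched as one string.
    conn=$(tr '\n' ' ' < "$1" | grep -o "<Connector[^>]*port=\"$2\"[^>]*>")
    if [ -z "$conn" ]; then
        echo "NO_CONNECTOR port=$2"; return 1
    fi
    problems=0
    for attr in 'scheme="https"' 'secure="true"' 'proxyName=' 'proxyPort="443"'; do
        case "$conn" in
            *"$attr"*) ;;
            *) echo "MISSING_ATTR $attr"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# write_sample_nginx FILE: constructed cut-down site file with the page's protocol
# line and a few of its cipher suites.
write_sample_nginx() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name wiki.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS';
    location / {
        proxy_pass http://localhost:8090;
    }
}
EOF
}

# write_sample_server_xml FILE [EXTRA_ATTRS]: constructed minimal server.xml; pass the
# attributes from section 5.6 as EXTRA_ATTRS to get the hardened variant.
write_sample_server_xml() {
    extra=${2:-}
    cat > "$1" <<EOF
<Server port="8000">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="48" URIEncoding="UTF-8" $extra
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  </Service>
</Server>
EOF
}

# Usage: sh lint_proxy.sh /etc/nginx/conf.d/wiki.conf /path/to/conf/server.xml
# (no arguments: run on the constructed samples)
if [ "$#" -eq 2 ]; then
    check_nginx_tls "$1"; check_tomcat_connector "$2" 8090
else
    ng=$(mktemp); sx=$(mktemp)
    write_sample_nginx "$ng"; write_sample_server_xml "$sx"
    check_nginx_tls "$ng"; check_tomcat_connector "$sx" 8090
    rm -f "$ng" "$sx"
fi
```

The protocol check is deliberately a blocklist of TLSv1/TLSv1.1/SSLv2/SSLv3 rather than an allowlist, so a file that only lists TLSv1.2 and TLSv1.3 passes untouched; the connector check looks for the exact attribute strings from 5.6, so a Connector with proxyPort set to anything other than 443 is reported for a second look.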
vim /data/confluence/atlassian-confluence-8.9.1/bin/setenv.sh
# Set the Java heap size
CATALINA_OPTS="-Xms2048m -Xmx2048m ${CATALINA_OPTS}"
Notes:
-Xms: maximum Java heap; the default is 1/4 of physical memory, and the best value depends on the amount of physical memory and the other memory consumers on the machine
-Xmx: initial Java heap; on a server JVM it is best to set -Xms and -Xmx to the same value, while a development or test JVM can keep the defaults
Restart Confluence
sh /data/confluence/atlassian-confluence-8.9.1/bin/stop-confluence.sh
sh /data/confluence/atlassian-confluence-8.9.1/bin/start-confluence.sh
Check the Confluence process
ps -ef | grep confluence
Check the ports
# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::8090                 :::*                    LISTEN      54786/java
tcp6       0      0 :::8091                 :::*                    LISTEN      55500/java
5.8 Change the ICP filing information
vim /data/confluence/atlassian-confluence-8.9.1/confluence/decorators/includes/footer-content.vm
5.9 Change the access URL
Log in to the Confluence administration pages and change the default URL to https://liangfu.wang
References:
https://mp.weixin.qq.com/s/qcHe781i-sqkdgRC6FECtg
https://mp.weixin.qq.com/s/UuL8wndzhpH0HiaJIFlgzQ?poc_token=HG6kN2ajWxmYXv5LYR3We9pyaINyde6anQNTahOi
https://doc.devpod.cn/conf/confluence-cve-2023-22518-67502083.html