Tightening access with a websudo allowlist
To add an extra layer of security to websudo operations, you can configure and enable your own IP address/subnet allowlist for Confluence. This means that certain superuser operations can only be performed from pre-approved IP addresses.
This feature is deactivated by default. If you choose to activate it, avoid locking yourself out of your own system by completing the configuration steps in the sequence shown on this page.
Read the Before You Start section below.
Configure your allowlist.
Enable the allowlist service.
Before you start
Before enabling your websudo allowlist, your system must be set up to run it correctly. To avoid running into problems, read and understand the following sections on best practice and other useful info.
Use a reverse proxy or gateway
To ensure that Confluence Data Center accurately identifies client IP addresses, you must use a reverse proxy or gateway positioned in front of the Confluence instance.
Any server or service responsible for handling connections from the internet should include the client's IP address as a header in the HTTP request. This header will then be forwarded to internal servers or nodes for processing.
By default, this feature uses the X-Forwarded-For header as the source of the client's IP address. Without the assistance of a reverse proxy or gateway to handle this task, Confluence won’t be able to correctly identify client IPs on its own. The responsibility of extracting and forwarding the client IP addresses lies with the reverse proxy or gateway, not with Confluence directly.
Best practices
Make sure you can’t lock yourself out by including more than one IP address in your allowlist.
Configure your allowlist based on VPN settings.
For long allowlists, we recommend using CIDR notation and/or patterns with wildcards (for IPv4 addresses only; for example, 103.12.*.*).
Keep your allowlist restricted to reduce security concerns. For example, including *.*.*.* is equivalent to switching off the allowlist restrictions altogether.
Take a backup of your config file. You will need this if you lock yourself out.
Other useful info
The websudo allowlist is a comma-separated list.
Any server or service responsible for handling connections from the internet should include the client's IP address as a header in the HTTP request. This header will then be forwarded to internal servers/nodes for processing. By default, this feature uses the X-Forwarded-For header as the source of the client's IP address. However, you can change the name of this header by modifying the server.tomcat.remoteip.remote-ip-header configuration property in the confluence.cfg.xml file.
If any string in the allowlist contains an error, such as a typo or an invalid character, that portion of the configuration will be omitted from the service configuration. Although unlikely, it is possible that no IP addresses would be allowed for this feature, resulting in no one being able to use websudo. In such cases, you must correct the specified properties before enabling the allowlist.
Configure your websudo allowlist
Your websudo allowlist is configured as comma-separated lists of IP addresses and CIDR addresses within your Confluence configuration file (confluence.cfg.xml). Follow the steps below to configure your allowlist.
Locate your confluence.cfg.xml file and take a backup of it.
Open your live confluence.cfg.xml file in your preferred text editor.
If you would like to add IP addresses, add the websudo.allowlist.ip property to your file, and add your comma-separated list of IP addresses.
For example: websudo.allowlist.ip=172.29.143.247,2001:0db8:85a3:0000:0000:8a2e:0370:7330
If you would like to add IP address subnets, add the websudo.allowlist.cidr property to your file, and add your comma-separated list of CIDR addresses.
For example: websudo.allowlist.cidr=8.8.8.1/24,0:0:0:1::/64
Check for any errors to ensure your lists won’t be omitted from the service configuration.
Hint: look for the error text: Exception while parsing IP/CIDR Pattern {}. Ignoring part {}
Save your configuration file.
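A pre-flight check for the steps above and for the omission behaviour described under Other useful info, added here as an example that is not part of Atlassian's documentation or of Confluence's own code: it reads the page's key=value lines, skips unparsable parts the way the page says Confluence does, expands IPv4 wildcard patterns, and reports whether a given client address (assumed to be the one your reverse proxy places in X-Forwarded-For) would still be allowed, so you can spot a lockout before setting websudo.allowlist.enabled to true. The SAMPLE_CONFIG values, the key=value layout and the wildcard-to-regex translation are assumptions of this example, not Confluence's parser.

```python
import ipaddress
import re
# Constructed sample in the page's key=value form (not a real confluence.cfg.xml);
# the last part of each list is deliberately invalid so that it gets ignored.
SAMPLE_CONFIG = """
websudo.allowlist.enabled=true
websudo.allowlist.ip=172.29.143.247,2001:0db8:85a3:0000:0000:8a2e:0370:7330,103.12.*.*,not-an-ip
websudo.allowlist.cidr=8.8.8.1/24,0:0:0:1::/64,10.0.0.0/99
"""
WILDCARD_RE = re.compile(r"(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}")  # IPv4-only wildcard form

def parse_config(text):
    """Collect websudo.allowlist.* properties from key=value lines, keyed by suffix."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("websudo.allowlist."):
            props[key[len("websudo.allowlist."):]] = value.strip()
    return props

def compile_allowlist(ip_list, cidr_list):
    """Build matchers from both lists; unparsable parts are skipped and reported."""
    matchers, ignored = [], []
    for part in (p.strip() for p in f"{ip_list},{cidr_list}".split(",") if p.strip()):
        try:
            if "*" in part:  # wildcard pattern: turn each '*' into an octet regex
                if not WILDCARD_RE.fullmatch(part):
                    raise ValueError(part)
                matchers.append(("pattern", re.compile(part.replace(".", r"\.").replace("*", r"\d{1,3}"))))
            else:            # plain address or CIDR block (host bits tolerated)
                matchers.append(("net", ipaddress.ip_network(part, strict=False)))
        except ValueError:
            ignored.append(part)  # mirrors the page's 'Ignoring part' log message
    return matchers, ignored

def is_allowed(client_ip, matchers):
    """Would this client address, as forwarded by the reverse proxy, pass?"""
    addr = ipaddress.ip_address(client_ip)
    for kind, m in matchers:
        if kind == "net" and addr in m:
            return True
        if kind == "pattern" and addr.version == 4 and m.fullmatch(client_ip):
            return True
    return False

def preflight(config_text, my_client_ip):
    """Lockout check to run before setting websudo.allowlist.enabled to true."""
    props = parse_config(config_text)
    matchers, ignored = compile_allowlist(props.get("ip", ""), props.get("cidr", ""))
    return {"ignored": ignored, "self_allowed": is_allowed(my_client_ip, matchers)}
```

If preflight reports your own address as not allowed, or lists entries under ignored, fix the properties before enabling the allowlist.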
Activate the websudo allowlist service
After you’ve configured your allowlist and you’re certain your address details are included in the allowlist, you can enable it. Follow the steps below.
Open your live confluence.cfg.xml file in your preferred text editor.
Search for websudo.allowlist.enabled. If the string is missing, add it to your file.
Change the string’s value to true.
Save and close your configuration file.
Restart Confluence for the changes to take effect.
confluence.cfg.xml and start over.
Deactivate the websudo allowlist service
If you wish to stop using the websudo allowlist service, you can do so if you’re using any of the addresses listed in the allowlist. Follow the steps below.
Open your live confluence.cfg.xml file in your preferred text editor.
Search for websudo.allowlist.enabled.
Change the string’s value to false.
Save and close the configuration file.
Restart Confluence for the changes to take effect.
websudo.allowlist.enabled from the configuration file. It lessens the chance of the option being set back to true.