Alfresco Share Login Error after updating SSL certs - nginx

I am using Alfresco standalone Community Edition on an Ubuntu machine, which is working with a configured domain. The SSL certs are going to expire in a week, so I updated the new domain crt and key in nginx.conf.
After updating, when logging in to Share I get the error below, but the old domain is still active and I am able to log in to Share even though the new domain certs and keys are configured.
Something's wrong with this page...
We may have hit an error or something might have been removed or deleted, so check that the URL is correct.
Alternatively you might not have permission to view the page (it could be on a private site) or there could have been an internal error. Try checking with your IT team.
If you're trying to get to your home page and it's no longer available you should change it by clicking your name on the toolbar
nginx.conf (old conf)
events {}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
index index.html index.htm;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name old.domain.com;
return 301 https://$host$request_uri;
location / {
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 504 /50x.html;
location = /50x.html {
}
}
}
server {
listen 80;
listen 443 ssl;
server_name new.domain.com;
return 301 https://old.domain.com/share;
}
server {
listen 443 default ssl;
server_name old.domain.com;
access_log on;
ssl on;
ssl_certificate /etc/nginx/ssl/OLD.DOMAIN.COM.crt;
ssl_certificate_key /etc/nginx/ssl/old.domain.key;
location / {
client_max_body_size 4000M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080;
sub_filter_types text/javascript;
sub_filter_once off;
sub_filter '<img src="http://www.alfresco.com/assets/images/logos/community-5.2-share.png' '<img src="test';
sub_filter '<a href="http://www.alfresco.com/services/support/communityterms/#support' '<a href="test';
}
}
}
nginx config (new)
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name new.domain.com;
return 301 https://$host$request_uri;
location / {
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 504 /50x.html;
location = /50x.html {
}
}
}
server {
listen 443 default ssl;
server_name new.domain.com;
access_log on;
ssl on;
ssl_certificate /etc/nginx/ssl/NEW.DOMAIN.COM.crt;
ssl_certificate_key /etc/nginx/ssl/new.domain.com.key;
location / {
client_max_body_size 4000M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080;
}
}
}
I have gone through similar cases on the web; some suggest changing parameters like the port number and proxy_pass, or making server.xml changes. Maybe I am wrong, but my question is: the setup was working fine for a year, and after updating to the new domain certs I am getting Share login errors.
I don't know whether the old certs are stored or cached, as Share is still accessible through the old domain even after updating nginx.conf with the new certs.
Any ideas or suggestions would be a great help.
Thanks

Your error happens in Alfresco itself and has nothing to do with certificates.
If you check the correct log (tomcat/logs/catalina.out) you should see your issue.
My guess is that you use a different hostname than the one configured, and that fires the CSRF Token Filter in Alfresco Share.
Either change share.host and alfresco.host in alfresco-global.properties, or disable or modify the CSRF Token Filter in share-config-custom.xml.
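To make the hostname point concrete, here is an added Python illustration (not Alfresco's code) of the kind of Origin/Referer check a Share-style CSRF filter applies to a login POST: the request is accepted only when the browser's origin matches the configured share host. The property names share.protocol/share.host/share.port and the sample headers are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the host settings the filter compares against;
# key names follow alfresco-global.properties entries (assumption).
SHARE_CONFIG = {"share.protocol": "https", "share.host": "old.domain.com", "share.port": "443"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(scheme, host, port):
    """Normalise to scheme://host[:port], dropping the scheme's default port."""
    scheme, host = scheme.lower(), host.lower()
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def expected_origin(cfg):
    """Origin that browser Origin/Referer headers must match."""
    return _origin(cfg["share.protocol"], cfg["share.host"], int(cfg["share.port"]))


def origin_of(url):
    """Origin of an Origin/Referer header value, or None if it is not a URL."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    return _origin(parts.scheme, parts.hostname, parts.port)


def csrf_origin_check(cfg, method, headers):
    """Return (allowed, reason). Safe methods pass; for state-changing
    methods Origin is checked first, Referer as fallback, and a request
    carrying neither is rejected."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    expected = expected_origin(cfg)
    for name in ("origin", "referer"):
        value = hdrs.get(name)
        if value:
            actual = origin_of(value)
            if actual == expected:
                return True, f"{name} matches {expected}"
            return False, f"{name} {actual} does not match configured {expected}"
    return False, "no Origin or Referer header"
```

With the configuration still pointing at old.domain.com, a login POST arriving via new.domain.com is rejected, which is the mismatch the answer describes.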

Related

Problem configuring tusd over https on Nginx

I am trying to setup tusd with Uppy on https without success. It works well on http.
Here's my nginx conf file:
server {
listen 80;
listen [::]:80;
server_name DOMAIN.com www.DOMAIN.com;
root /srv/users/DOMAIN/apps/DOMAIN/public;
access_log /srv/users/DOMAIN/log/DOMAIN/DOMAIN_nginx.access.log main;
error_log /srv/users/DOMAIN/log/DOMAIN/DOMAIN_nginx.error.log;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.nonssl_conf;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name DOMAIN.com www.DOMAIN.com;
ssl_certificate_key ssl/DOMAIN.key;
ssl_certificate ssl/DOMAIN.combined_crt;
root /srv/users/DOMAIN/apps/DOMAIN/public;
access_log /srv/users/DOMAIN/log/DOMAIN/DOMAIN_nginx.access_ssl.log main;
error_log /srv/users/DOMAIN/log/DOMAIN/DOMAIN_nginx.error_ssl.log;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto $scheme;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.ssl_conf;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.conf;
location /files/ {
#resolver 8.8.8.8 4.2.2.2;
proxy_pass http://localhost:3020/files;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Disable request and response buffering
proxy_request_buffering off;
proxy_buffering off;
proxy_http_version 1.1;
# Add X-Forwarded-* headers so that response can reference https and
# originating host:port
proxy_set_header X-Forwarded-Host $hostname; # $hostname is the nginx machine's own hostname, not the request's Host header
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Allow proxying of websockets if required
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 0;
}
}
At another conf file I have this additional configuration:
location / {
proxy_pass $backend_protocol://$backend_host:$backend_port;
}
At Chrome console I have the following output:
upload.js:2 OPTIONS https://DOMAIN/files/2b775a112504ed1222c6ffdd4fbdac03+Dc99JI0Zvgh54FXVfpp5K32GAiZBjV5bY-d9tzj8fDL1FxNKKZrHP_SBE6OERG8SWAm1ZjqtjYMVWSvWCQLba0qsR8krfVBYw8ApHqIBO7DG9Bn1t_tv_a6nuuTuqlXC net::ERR_NAME_NOT_RESOLVED
Notice the domain without the .com extension!
I tried all combinations of configuration, commenting the configuration lines without success. Can you spot the mistake?
A contractor solved it for me, and the solution is neat. He did it by configuring Apache instead.
At the first nginx conf file he removed the "location /files/" section entirely. At the apache conf file, he added the following lines:
ProxyPass /files http://localhost:3020/files
ProxyPassReverse /files http://localhost:3020/files
And it worked.
This is pretty clearly a network issue, which should be a definite mismatch between the data advertised in the HTTP headers and the data transferred over the wire.
It could come from the following:
Server: if a server has a bug with certain modules that changes the content but doesn't update the content-length in the header, or just doesn't work properly. It was the case for the Node HTTP Proxy at some point (see here).
Proxy: any proxy between you and your server could be modifying the request and not updating the content-length header.
This problem could also be the nginx docker container's disk space. Just check, and if it is full, please clear the files.
Let me know if that helps.
Re-use and then adapt (from companion.mywebsite.com to yourdomain.com) this working nginx configuration file:
(don't forget to also change ssl_certificate, ssl_certificate_key and ssl_dhparam)
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
server_name companion.mywebsite.com;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://0.0.0.0:3020;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/companion.mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/companion.mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = companion.mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name companion.mywebsite.com;
return 404; # managed by Certbot
}
}
Then try again. If you get this error:
Nginx Error: The page you are looking for is temporarily unavailable. Please try again later.
Run:
setsebool -P httpd_can_network_connect 1
to fix the permission, then restart Apache.

nginx serve static html and proxy

I have a droplet on Digital Ocean, that I am using to host a site and an API for that site.
I would like:
https://example.com to serve the website
https://example.com/api to serve the API, running on port 3000.
Here's my /etc/nginx/nginx.conf file:
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/http-error.log;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server {
server_name example.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
# SSL settings
ssl_certificate /path/to/file.pem; # managed by Certbot
ssl_certificate_key /path/to/file.pem; # managed by Certbot
include /path/to/file.conf; # managed by Certbot
ssl_dhparam /path/to/file.pem; # managed by Certbot
proxy_http_version 1.1;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
# Routes
location /api/ {
proxy_pass http://127.0.0.1:3000/;
}
location / {
root /usr/share/nginx/html;
}
error_page 404 /404.html;
location = /40x.html {}
error_page 500 502 503 504 /50x.html;
location = /50x.html {}
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name example.com;
return 404; # managed by Certbot
}
}
Serving the static html files works great, but the https://example.com/api/ returns a 502: Bad Gateway error. I don't understand what I am doing wrong... any help would be appreciated. Thank you.
Turns out my config was totally fine. I just need to enable networking on the Droplet. I used this post to do so. Thanks, everyone!
In short:
setsebool httpd_can_network_connect on
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:3000;
}
This normally does not disappoint me. Please try.

I used nginx rewrite to redirect from old URL to new URL, now curl GET and POST requests to old URL don't work

I have a service running on https://old-server.net:8444/devs/. I set up a new service on a new server https://new-server.net/. When accessing the new service via the web, things work as expected. But when trying to login to the old service via curl (A POST request) or download from it (GET request), I just get the "301 Moved Permanently" message. Here is my nginx.conf:
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen 80;
server_name new-server.net;
server_tokens off;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name new-server.net;
server_tokens off;
ssl_certificate /etc/nginx/certs/server.cer;
ssl_certificate_key /etc/nginx/certs/server.key;
location / {
proxy_pass http://new-server.net:8081/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https ;
proxy_redirect http:// https:// ;
}
}
server {
listen 8444 ssl;
server_name old-server.net;
server_tokens off;
ssl_certificate /etc/nginx/certs/server.cer;
ssl_certificate_key /etc/nginx/certs/server.key;
location /devs {
rewrite ^/devs(.*) https://new-server.net$1 permanent;
}
}
}
I'm using rewrite because the new server doesn't have the /devs/ context path of the old server. I wasn't sure how to achieve this with a 'return 301' line. So, is it possible for me to allow devs to continue to GET and POST to the old URL and have those requests sent to the new URL?

Senaite LIMS (Plone 4.3.18) css not working on Nginx with https enabled

I've installed and set up senaite.lims, which is a Plone extension, running on Plone 4.3.18 installed by the Unified Installer, and adding senaite.lims to the buildout.cfg eggs.
It's running fine on port 8080, and I can get Nginx to work redirecting / to :8080, but when I start using https, suddenly the css of the site doesn't work anymore.
I looked at the source, and the produced html page shows a link to the stylesheet with http://.... which I don't know if may cause problems, but if I actually try to open the .css file in the browser it works fine.
I set up and tried both with port 80 redirecting the https, and serving both a version of http and https, but neither one would get the page to render using .css. If anyone has any tips, or sees something wrongly configured in the nginx below, any help would be greatly appreciated.
Here is my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
default_type application/octet-stream;
include /etc/nginx/mime.types;
sendfile on;
keepalive_timeout 75;
upstream plone {
server 127.0.0.1:8080;
}
server {
listen 80;
listen 443 ssl http2;
server_name 99.99.99.99; # changed for posting on SO
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
proxy_pass http://localhost:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_buffer_size 128k;
proxy_buffers 8 128k;
proxy_busy_buffers_size 256k;
}
}
}
You forgot to rewrite the URL, e.g.:
rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
Here is a complete working config for SENAITE:
server {
listen 80;
server_name senaite.mydomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name senaite.mydomain.com;
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
include snippets/ssl-senaite.mydomain.com.conf;
include snippets/ssl-params.conf;
include snippets/well-known.conf;
access_log /var/log/nginx/senaite.access.log;
error_log /var/log/nginx/senaite.error.log error;
# Allow Cross-Origin Resource Sharing from our HTTP domain
add_header "Access-Control-Allow-Origin" "http://senaite.ridingbytes.com";
add_header "Access-Control-Allow-Credentials" "true";
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
add_header "X-Frame-Options" "SAMEORIGIN";
if ($http_cookie ~* "__ac=([^;]+)(?:;|$)" ) {
# prevent infinite recursions between http and https
break;
}
# rewrite ^(.*)(/logged_out)(.*) http://$server_name$1$2$3 redirect;
location / {
set $backend http://haproxy;
# API calls take a different backend w/o caching
if ($uri ~* "@@API") {
set $backend http://api;
}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
# proxy_pass $backend;
proxy_pass http://plone;
}
}
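To show what the VirtualHostBase rewrite in the answer actually changes, here is an added Python illustration (not nginx or Zope code) that builds the path nginx hands to Zope and parses it back the way the Virtual Host Monster does, yielding the public base URL Plone uses for absolute links such as the stylesheet. The site id senaite is taken from the answer; the hostnames are constructed.

```python
DEFAULT_PORTS = {"http": 80, "https": 443}


def vhm_rewrite(scheme, host, uri, site_id="senaite"):
    """Mirror of: rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/<site>/VirtualHostRoot/$1 break;
    nginx's $host carries no port unless the client sent one, so $scheme's
    default port applies; $1 is the full request URI including its leading '/'."""
    return f"/VirtualHostBase/{scheme}/{host}/{site_id}/VirtualHostRoot{uri}"


def vhm_parse(path):
    """Interpret a VirtualHostBase path as Zope's Virtual Host Monster does.
    Returns (public_base_url, internal_site_path, public_path), or None when
    the request carries no VHM prefix (Plone then builds links from the scheme
    and host it saw directly, e.g. the plain http of the proxied connection)."""
    parts = path.split("/")
    # Expected shape: ['', 'VirtualHostBase', scheme, host[:port], site..., 'VirtualHostRoot', rest...]
    if len(parts) < 6 or parts[1] != "VirtualHostBase" or "VirtualHostRoot" not in parts:
        return None
    scheme, hostport = parts[2].lower(), parts[3]
    if ":" in hostport:
        host, port_text = hostport.rsplit(":", 1)
        port = int(port_text)
    else:
        host, port = hostport, DEFAULT_PORTS.get(scheme)
    root_idx = parts.index("VirtualHostRoot")
    internal_path = "/" + "/".join(parts[4:root_idx])
    public_path = "/" + "/".join(parts[root_idx + 1:])
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}", internal_path, public_path


def absolute_url(scheme, host, uri, site_id="senaite"):
    """Absolute URL Plone emits for a resource once the rewrite is in place:
    the https scheme and public host survive, the /senaite prefix does not."""
    base, _internal, public_path = vhm_parse(vhm_rewrite(scheme, host, uri, site_id))
    return base + public_path
```

Without the rewrite, vhm_parse sees no VirtualHostBase prefix and returns None, which is the situation in the question where stylesheet links came out with http://.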

Hide port number in URL odoo?

I need to hide the port number from the URL. I am running an Odoo instance using --db-filter='^%d$'; mydomain.com:8069 works fine, but mydomain.com is getting "page not found". I have installed nginx and edited /etc/nginx/nginx.conf as below.
/etc/nginx/nginx.conf
#user nobody;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
# anything written in /opt/nginx/conf/mime.types is interpreted as if written inside the http { } block
default_type application/octet-stream;
#
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
server {
# You would want to make a separate file with its own server block for each virtual domain
# on your server and then include them.
listen 8069;
listen 192.168.1.111:8080;
listen 192.168.1.111;
#tells Nginx the hostname and the TCP port where it should listen for HTTP connections.
# listen 80; is equivalent to listen *:80;
#server_name localhost;
server_name mydomain.com;
server_name www.mydomain.com;
# lets you doname-based virtual hosting
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
#The location setting lets you configure how nginx responds to requests for resources within the server.
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
How can I do that? Please suggest any solutions.
Try the following server configuration. You can put it in a separate file and include it in the main nginx.conf if you like.
upstream odoo {
server 127.0.0.1:8080; # Or wherever your Odoo service is listening
}
server {
server_name mydomain.com;
listen 0.0.0.0:80;
root /var/www/html/odoo/;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ @odoo; # "@odoo" is a named location, not a path
}
location @odoo {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://odoo;
}
}
In short, this defines an upstream server odoo for your odoo service. When a request is received (say mydomain.com/path/to/resource), nginx will try to process it by delivering the corresponding resource it is supposed to serve from the root dir. If that fails, it will retry, appending a slash to it. If that fails as well, it will send the path to the upstream server (odoo) for processing.
