How to configure Alfresco 6 Community behind proxy? - alfresco

I'm trying to use the settings from this docker-compose: https://github.com/Alfresco/acs-deployment/blob/master/docker-compose/docker-compose.yml
It works only if I don't change the host/port/protocol (scheme).
Alfresco still redirects my login page to port 8080 even if I set:
-Dshare.host=example.org
-Dshare.port=443
-Dshare.protocol=https
-Dalfresco.host=example.org
-Dalfresco.port=443
-Dalfresco.protocol=https
-Daos.baseUrlOverwrite=https://example.org/alfresco/aos
My infrastructure:
haproxy (provides SSL on :443)
-> Alfresco's NGiNX Proxy (:8080)
-> Alfresco Share (:8080)
-> Alfresco Content Services (:8080)
Alfresco Components: https://docs.alfresco.com/content-services/6.0/install/containers/docker-compose/#deployment-project-in-github
NGiNX config: https://github.com/Alfresco/acs-ingress/blob/master/nginx.conf

Please compare the values of the config files with your configuration.
CORS portion in web.xml:
<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowGenericHttpRequests</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
        <!--param-value>http://localhost:8081,https://localhost:3000,https://dms.sws-digital.com</param-value-->
    </init-param>
    <init-param>
        <param-name>cors.allowSubdomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.maxAge</param-name>
        <param-value>3600</param-value>
    </init-param>
</filter>
[...]
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/api/*</url-pattern>
    <url-pattern>/service/*</url-pattern>
    <url-pattern>/s/*</url-pattern>
    <url-pattern>/cmisbrowser/*</url-pattern>
</filter-mapping>
Configuration of the Alfresco Docker containers (NGINX HTTPS proxy):
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    rewrite ^ https://$host$request_uri? permanent;
}
[...]
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/ssl/certs/sws-digital.com.crt;
    ssl_certificate_key /etc/ssl/private/sws-digital.com.key;
    ssl_protocols TLSv1.2;
    root /var/www/html;
    server_name dms.sws-digital.com;
    rewrite ^/$ /share;
    location /share {
        proxy_pass http://share:8080;
        #proxy_redirect off;
        proxy_pass_header Set-Cookie;
        proxy_set_header Origin "";
        proxy_set_header Proxy "";
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # header name corrected: it was misspelled "X-Frowarded-Proto", which the upstream silently ignores
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";
        # Allow large file upload
        client_max_body_size 0;
    }
    location /alfresco {
        proxy_pass http://alfresco:8080;
        #proxy_redirect off;
        proxy_pass_header Set-Cookie;
        proxy_set_header Proxy "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # header name corrected from "X-Frowarded-Proto" (still commented out, as posted)
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";
        # large files upload
        client_max_body_size 0;
    }
}
Config in alfresco-global.properties:
alfresco.context=alfresco
alfresco.host=dms.sws-digital.com
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=dms.sws-digital.com
share.port=443
share.protocol=https
opencmis.context.override=false
opencmis.context.value=
opencmis.servletpath.override=false
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=https://dms.sws-digital.com
aos.baseUrlOverwrite=https://dms.sws-digital.com/alfresco/aos
Also, you can give the new Docker installer a try.
This project will produce a Docker Compose template with HA Proxy using NGINX.
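The web.xml above sets cors.allowOrigin to * while also setting cors.supportsCredentials to true. A browser will not accept a literal * on a credentialed response, and a filter that satisfies that combination by reflecting whatever Origin arrived lets any site read authenticated responses. The following is an added example in Python, not Alfresco's or the CORSFilter's code, of the origin check such a filter should perform: an explicit allow-list (taken from the commented-out param-value above), exact scheme/host/port matching, and a subdomain mode that only matches on a dot boundary. The request origins used below are made up for illustration.

```python
"""
Origin check for a CORS filter with settings like the web.xml above
(cors.allowOrigin, cors.allowSubdomains, cors.supportsCredentials).
Added example, not Alfresco code.  The allow-list is the commented-out
param-value from the answer; request origins are constructed samples.
"""
from urllib.parse import urlsplit

# The explicit list the answer left commented out, used instead of "*".
ALLOWED_ORIGINS = (
    "http://localhost:8081",
    "https://localhost:3000",
    "https://dms.sws-digital.com",
)


def parse_origin(origin):
    """Return (scheme, host, port) for a serialized origin, or None when the
    value is not a plain scheme://host[:port] (e.g. "null", a path, junk)."""
    try:
        parts = urlsplit(origin.strip())
        host, port = parts.hostname, parts.port   # .port raises on "host:abc"
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    return parts.scheme, host.lower(), port or (443 if parts.scheme == "https" else 80)


def origin_allowed(origin, allowed=ALLOWED_ORIGINS, allow_subdomains=False):
    """Exact scheme+host+port match against the allow-list.  With
    allow_subdomains the host may also be a dot-separated subdomain of an
    entry, so "evil-dms.sws-digital.com" and "dms.sws-digital.com.attacker.net"
    are still rejected."""
    req = parse_origin(origin)
    if req is None:
        return False
    scheme, host, port = req
    for entry in allowed:
        ok = parse_origin(entry)
        if ok is None or ok[0] != scheme or ok[2] != port:
            continue
        if host == ok[1] or (allow_subdomains and host.endswith("." + ok[1])):
            return True
    return False


def cors_headers(origin, supports_credentials=True, allow_subdomains=False):
    """Response headers for a cross-origin request.  A credentialed response
    must name exactly one origin: browsers reject "*" there, and reflecting
    whatever Origin arrived would let any site read authenticated responses,
    so the header is emitted only after the allow-list check passed."""
    if origin is None or not origin_allowed(origin, allow_subdomains=allow_subdomains):
        return {}   # no ACAO header at all: the browser blocks the read
    headers = {"Access-Control-Allow-Origin": origin.strip(), "Vary": "Origin"}
    if supports_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://dms.sws-digital.com", "https://app.dms.sws-digital.com",
              "https://evil-dms.sws-digital.com", "http://dms.sws-digital.com", "null"):
        print(o, "->", cors_headers(o, allow_subdomains=True))
```

The Vary: Origin header matters once the response is cacheable: without it a shared cache could serve a response carrying one origin's Access-Control-Allow-Origin to a different origin.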

Related

How to use nginx as a reverse proxy with multiple ports

Is it possible to use nginx as a reverse proxy like this?
I was looking at this post: https://www.digitalocean.com/community/questions/self-hosted-ngrok-or-serveo-alternative
And wanted to get it to work with a dynamic port.
for example:
http://1234.mydomain.com --> http://localhost:1234
http://3333.mydomain.com --> http://localhost:3333
Is this possible with nginx?
I tried to create a wildcard domain and in nginx's sites-available I've put this:
server {
    #server_name tunnel.mydomain.com;
    server_name *.mydomain.com; #<----------
    server_name ~^(?<port>[\w-]+)\.mydomain\.com$; #<----------
    access_log /var/log/nginx/tunnel/$host;
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com.ml/privkey.pem;
    location / {
        #proxy_pass http://localhost:3333/;
        proxy_pass http://localhost:$port/; #<----------
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
    error_page 502 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
But it's not working: it does not distinguish between different ports.

How to have multiple domains on 1 digital ocean droplet sharing self cert ssl cert

I have created a cert like this:
Following steps from:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Using my domain example:
Common Name (e.g. server FQDN or YOUR name): www.examplesite1.com
Within the article it says I can have only 1 default server, which I assume the self cert will work on.
Lets say I have 2 websites on my nginx like this:
/etc/nginx/sites-available/examplesite1.com
/etc/nginx/sites-available/examplesite2.com
Both with a config that looks like this (with examplesite2.com for the 2nd example).
Notice that I am forwarding to a proxy server, node.js in my case.
server {
    listen 80;
    server_name examplesite1.com www.examplesite1.com;
    return 301 https://$server_name$request_uri;
    client_max_body_size 10G;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:8000;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}
server {
    # SSL configuration
    server_name www.examplesite1.com www.www.examplesite1.com;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
}
Symlinks appropriately set:
ln -s /etc/nginx/sites-available/examplesite1.com /etc/nginx/sites-enabled/examplesite1.com
ln -s /etc/nginx/sites-available/examplesite2.com /etc/nginx/sites-enabled/examplesite2.com
If I change 'default_server' to my URL, it breaks the nginx config:
listen 443 ssl http2 www.examplesite1.com;
Error
nginx: [emerg] invalid parameter "www.examplesite1.com" in /etc/nginx/sites-enabled/examplesite1.com:18
nginx: configuration file /etc/nginx/nginx.conf test failed
The problem is that if I keep default_server like this, it then does not forward the proxy to my nginx server and goes to my default server, which is my nginx index.html landing page, which is not desired.
I realised my mistake.
This code was never reached in the first server block, so it needed to go into the listen 443 server block:
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8000;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}
The reference to default_server did not break it but I have removed it anyway.
Updated now:
server {
    listen 80;
    server_name examplesite1.com www.examplesite1.com;
    # redirect to https
    return 301 https://$server_name$request_uri;
}
server {
    # SSL configuration
    server_name examplesite1.com www.examplesite1.com;
    # remove redirect and replace with proxy stuff here...
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:8000;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Keycloak Admin Console behind Nginx configured to use HTTPS

I'm trying to set up Keycloak; however, the tutorials expect me to visit http://localhost:8080, but I'm setting it up on a remote host and need to access the admin console externally. I've tried to expose it via Nginx. The Keycloak Administration Console seems to work with the new domain name and port seamlessly, but it still tries to use the "http" URLs instead of the "https" ones (I have Nginx configured to redirect HTTP to HTTPS and I want to keep it that way for security reasons). I have found that the problem is that it internally sets a variable:
var authServerUrl = 'http://example.com/auth';
While the correct url would be https://example.com/auth.
As a result, when I open https://example.com/auth/admin/master/console/ in the browser, I get the error:
Refused to frame 'http://example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".
How to fix that? The Nginx config I use is:
server {
    server_name example.com;
    listen 80;
    listen [::]:80;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
ssl_session_cache shared:ssl_session_cache:10m;
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # ... <SSL and Gzip config goes here> ...
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
        client_max_body_size 16m;
    }
}
You are doing SSL offloading in nginx, but you also need to forward the information that the https scheme was used to Keycloak (the X-Forwarded-Proto header). Try this:
server {
    server_name example.com;
    listen 80;
    listen [::]:80;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
ssl_session_cache shared:ssl_session_cache:10m;
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # ... <SSL and Gzip config goes here> ...
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
        client_max_body_size 16m;
    }
}
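The X-Forwarded-* headers in this answer, and in the Alfresco answer earlier on this page, only help if the upstream consumes them, and they are only safe if it consumes them from the proxy alone: a client that can reach port 8080 directly can send its own X-Forwarded-Proto or X-Forwarded-For. Keycloak, Tomcat (RemoteIpValve) and most frameworks therefore have a setting that names the trusted proxies. The following is an added example in Python, not Keycloak, Alfresco or nginx code, of the decision an upstream makes with these headers: trusted-proxy check, scheme and authority from the forwarded headers, and the client address taken from the right end of X-Forwarded-For. The proxy address ranges, the bind port 8080 and the request samples are assumptions made for the example.

```python
"""
How an application behind a TLS-terminating proxy decides its external URL.
Added example; not Keycloak, Alfresco or nginx code.  TRUSTED_PROXIES,
LISTEN_PORT and all addresses below are constructed for illustration.
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("172.18.0.0/16")]   # assumed proxy network
LISTEN_PORT = 8080                                           # the app's own connector
DEFAULT_PORT = {"http": 80, "https": 443}


def is_trusted_proxy(addr):
    """True only for a syntactically valid address inside TRUSTED_PROXIES."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def split_authority(value, default_port):
    """'example.org:443' -> ('example.org', 443); 'example.org' -> ('example.org', default_port)."""
    host, sep, port = value.strip().rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.strip().lower(), default_port


def client_ip(peer_ip, xff):
    """Rightmost X-Forwarded-For hop that is not one of our proxies.  The
    left-hand entries were supplied by the client and must not be trusted."""
    chain = [a.strip() for a in xff.split(",") if a.strip()] + [peer_ip]
    for addr in reversed(chain):
        if not is_trusted_proxy(addr):
            return addr
    return chain[0]


def external_request(peer_ip, host_header, headers):
    """Scheme, host, port and client address as the original client saw them.
    `headers` is a dict of request headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    # What the app can see on its own: plain HTTP on its own connector.  This
    # is where a 'redirects to http://...:8080' symptom comes from.
    scheme = "http"
    host, port = split_authority(host_header, LISTEN_PORT)
    client = peer_ip

    if is_trusted_proxy(peer_ip):
        # Only the exact header name counts; a misspelled one is simply absent
        # and the fallback above stays in force.
        proto = h.get("x-forwarded-proto", "").strip().lower()
        if proto in DEFAULT_PORT:
            scheme, port = proto, DEFAULT_PORT[proto]
        if "x-forwarded-host" in h:
            host, port = split_authority(h["x-forwarded-host"].split(",")[0], port)
        if h.get("x-forwarded-port", "").strip().isdigit():
            port = int(h["x-forwarded-port"])
        if "x-forwarded-for" in h:
            client = client_ip(peer_ip, h["x-forwarded-for"])

    authority = host if port == DEFAULT_PORT[scheme] else f"{host}:{port}"
    return {"scheme": scheme, "host": host, "port": port,
            "base_url": f"{scheme}://{authority}", "client_ip": client}


def redirect_location(peer_ip, host_header, headers, path):
    """Absolute Location the app would emit when redirecting to `path`."""
    return external_request(peer_ip, host_header, headers)["base_url"] + path


if __name__ == "__main__":
    proxy = "172.18.0.5"   # constructed: the nginx container
    print(redirect_location(proxy, "example.org",
          {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "example.org"}, "/auth/"))
    print(redirect_location(proxy, "example.org",
          {"X-Frowarded-Proto": "https", "X-Forwarded-Host": "example.org"}, "/auth/"))
    print(redirect_location("203.0.113.7", "example.org:8080",
          {"X-Forwarded-Proto": "https"}, "/auth/"))
```

The second call in the demo shows the misspelled-header case ending in http://example.org:8080/, and the third shows a direct client whose forged X-Forwarded-Proto is ignored because it is not a trusted proxy. The same rule should be applied by the proxy itself when it is not the first hop (the haproxy in front of nginx in the Alfresco question): each hop appends to X-Forwarded-For and only the last trusted hop's view is authoritative.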

How can I do a multi-domain config in NGINX with Tomcat?

I have one cloud server and 2 domains.
One works but the second domain is not working.
Working conf:
server {
    listen 80;
    listen [::]:80;
    server_name www.fromthepast.org fromthepast.org;
    access_log /var/log/nginx/fromthepast-access.log main;
    error_log /var/log/nginx/fromthepast-error.log;
    location / {
        proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080/;
    }
}
You can see that entering the website fromthepast.org works correctly.
Wrong conf:
server {
    listen 80;
    listen [::]:80;
    server_name www.suyla.org suyla.org;
    access_log /var/log/nginx/suylaaccess.log main;
    error_log /var/log/nginx/suyla-error.log;
    location / {
        proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080/denizhan;
    }
}
Actually it's working, but not correctly: you can see that entering suyla.org redirects to http://suyla.org:8080/denizhan.
I don't want the :8080 port, just suyla.org or suyla.org/denizhan.
How can I do a multi-domain config in NGINX with Tomcat?
I fixed it. Example:
/etc/nginx/conf.d
server {
    listen 80;
    listen [::]:80;
    server_name www.suyla.org suyla.org;
    access_log /var/log/nginx/suyla-access.log main;
    error_log /var/log/nginx/suyla-error.log;
    location / {
        proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
}
and redirect to 8082.
One more config: ../tomcat/conf/server.xml
<Service name="denizhan">
    <Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000"
               redirectPort="8444" />
    <Engine name="Catalina" defaultHost="localhost">
        <Host name="localhost" appBase="webapps"
              unpackWARs="true" autoDeploy="true">
            <Context path="" docBase="/opt/tomcat/webapps/denizhan" reloadable="false" useHttpOnly="true">
                <Manager pathname=""/>
            </Context>
            <!-- quotes inside an attribute value must be escaped as &quot; or the XML does not parse -->
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_accessss_log" suffix=".txt"
                   pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        </Host>
    </Engine>
</Service>
If I want one more domain and app, I will redirect to 8083. Thanks, all.
Try to change your config to something like this:
server {
    listen 80;
    server_name www.suyla.org suyla.org;
    access_log /var/log/nginx/suylaaccess.log main;
    error_log /var/log/nginx/suyla-error.log;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_pass http://localhost:8080/denizhan;
    }
}

Flask Restplus Swagger Not Loading Behind Nginx

I have a Flask API and a Swagger UI generated with Flask Restplus. The API runs in a Docker container behind an Nginx container which serves it over HTTP.
Here is a health check endpoint which confirms the API is running: https://mobydq.net/mobydq/api/v1/health
{"message":"MobyDQ API running in production mode"}
However, the Swagger which is supposed to load at the following URL does not load at all: https://mobydq.net/mobydq/api/doc
Here is the Nginx configuration:
http {
    upstream api {
        server api:5434;
    }
    upstream app {
        server app:3000;
    }
    # Server for https
    server {
        listen 443 ssl http2;
        server_name mobydq.net;
        ssl_certificate /etc/letsencrypt/live/mobydq.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mobydq.net/privkey.pem;
        # Location for MobyDQ Flask API
        location /mobydq {
            limit_req zone=default burst=20;
            proxy_pass http://api;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        # Location for MobyDQ Web App
        location / {
            limit_req zone=default burst=20;
            proxy_pass http://app;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    # Default server to redirect http requests to https
    server {
        listen 80 default_server;
        server_name mobydq.net;
        listen [::]:80 default_server;
        location ~ /.well-known {
            root /var/www/letsencrypt;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
}
Any idea why the Swagger is not loading? I looked into the http requests sent when loading the page but it did not help much. I can only see the favicon loading:
I also looked at the console and saw an error but I'm not able to tell what it means:
The problem was that Nginx did not properly route the http requests when trying to get the resources from Swagger (the JSON configuration file in particular).
The issue has been fixed by changing the Nginx configuration as follows:
[...]
    # Location for MobyDQ Flask API
    location ~ ^/(mobydq|swaggerui) {
        limit_req zone=default burst=20;
        proxy_pass http://api;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
[...]
