Executing Liferay behing a Nginx reverse proxy - nginx

I am trying to test the last version of Liferay (Liferay 7.0-ga4) and install it behind a reverse proxy (nginx). I am using docker and docker compose for testing purposes, and I create a dummy domain docker.domain.com.
Liferay works fine if I access directly to its url and no reverse proxy is configured.
Also, I have success to install Liferay behind the nginx server if I use the root location:
location / {
proxy_pass http://liferay:8080;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
Where liferay in the proxy_pass section is the name of the docker container linked in the docker compose. And Liferay's options:
web.server.host=docker.domain.com
web.server.protocol=http
web.server.http.port=80
To configure the reverse proxy in Liferay. The results is correct if I type http://docker.domain.com/:
I can login, accept terms and conditions, ... everything seems fine.
But when I use a location that is not root (i.e /lifeay), I have issues with links, images, and css in general.
With a configuraion in nginx similar to:
location /liferay {
proxy_pass http://liferay:8080;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
And adding as suggested here to Liferay's configuration:
portal.proxy.path=/liferay
When accessing to http://docker.domain.com/liferay all url are messed up and CSS are not shown. Here I attach an screenshot of the final result:
It is interesting the line
http://docker.domain.com/liferay/liferay
Where "liferay" appears two times in the url. Some errors appear at the liferay's tomcat log:
12:48:29,019 WARN [http-nio-8080-exec-3][code_jsp:172] {code="404", msg="/liferay/o/mentions-web/css/mentions.css", uri=/liferay/o/mentions-web/css/mentions.css}
12:48:29,021 WARN [http-nio-8080-exec-8][code_jsp:172] {code="404", msg="/liferay/o/frontend-css-web/main.css", uri=/liferay/o/frontend-css-web/main.css}
....
Obviously some files are not found. I have created a simple example with docker github to test it only spending a few minutes if somebody is interested. Still, I am pretty sure that something is missing in my Liferay configuration, but I am not able to figure out what. At least I am not able to find any clue in the official documentation.

Seems that the problem was with the the trailing slash in proxy_pass. It is what makes a difference. Following this example, the nginx configuration file will be:
location /liferay {
return 302 /liferay/;
}
location /liferay/ {
proxy_pass http://liferay:8080/;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
And now seems that Liferay CSS and URLs are correctly working.

Related

GeoServer web UI redirects to vanilla HTTP

I have the standalone version of GeoServer 2.21.0 running behind an NGINX reverse proxy. Whenever I attempt to do anything with the web UI, Wicket is redirecting me to HTTP when I need it to send me to HTTPS.
The server does serve up map tiles correctly. It's just that the web UI is completely dysfunctional as it's running over HTTPS and GeoServer redirects everything to HTTP for some reason.
I also have the CSRF whitelist set but I'm having problems before CSRF comes into play. If I do so much as go to https://myserver/geoserver it redirects me to http://myserver/geoserver/web/?0 which doesn't work.
I have a GeoServer instance running behind NGINX. NGINX is configured like this:
location / {
proxy_pass http://127.0.0.1:9191/; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
I have the Proxy Base URL configured to https://myserver/geoserver and Use headers for Proxy URL is enabled.
What might be causing this? A Google search wasn't very helpful.
The answer was proxy_redirect ~*http://[^/]+(/.*)$ $1;
This rules tells NGINX to remove everything from the beginning http all the way up through the hostname in the redirect so that the redirect sends the user to the reverse proxy's (i.e. NGINX) host.
relevant answer

How to configure Nginx so the proxy_pass also aply to in-site requests?

So let me introduce you to my context: I have a several containers deployed and I'd like to use nginx as reverse proxy so I can target my other containers (which are API's) through something like this: https://example.mysite.com/services/whatever_the_api.
I managed to get to a point where the proxy_pass works like a charm but now I have a problem: when my API admin page loads, it tries to find the assets like this : https://example.mysite.com/assets/... ditching the /services/api/ part.
Here is my /etc/nginx/config.d/sample.conf file :
server {
listen myhost:80;
server_name myhost;
location ^~ /services/apiName/ {
proxy_pass http://myapp:1338/;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
If anyone knows what is the configuration material I'm missing, I'll be grateful to hear about it.

Accessing WSO2-APIM using Nginx

I am accessing my wso2 apim,store and publisher using Nginx.
and want to access using the following:
wso2 api manager to be accessed using nginx url as:
https://nginx-ip/wso2am/carbon
wso2 store to be accessed using nginx url as:
https://nginx-ip/wso2am/store
wso2 store to be accessed using nginx url as:
https://nginx-ip/wso2am/publisher
I tried using nested location block inside location block but wasn't successful.
So, now I am working by having a location block for all of them separately but the same also doesn't works.
Here is my nginx configuration file for store:
location /wso2am/store/
{
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://wso2-ip:9443/store/;
proxy_redirect https://$http_host/store/ /wso2am/store/;
proxy_cookie_path / /wso2am/;
limit_rate 25M;
#limit_req zone=wso2am burst=100 nodelay;
}
For the above configuration the GUI for store doesn't appears properly.
Similarly for publisher and carbon(for apim management console).
And the nested nginx configuration is as follows:
location /wso2am/ {
location /wso2am/store/
{
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://wso2-ip:9443/store/;
proxy_redirect https://$http_host/oauth2/callback /oauth2/callback;
proxy_redirect https://$http_host/ /wso2am/store/;
proxy_redirect https://$http_host/wso2am/ /wso2am/store/;
proxy_redirect https://$http_host/store/ /wso2am/store/;
proxy_cookie_path / /wso2am/;
limit_rate 25M;
}
}
Where do I have to change in headers or any other location to go correct?
Update 1:
My wso2am store and publisher are working after incorporating the comments and using the following nginx conf:
location /wso2am/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://wso2-apim-ip:9443/;
proxy_redirect https://$http_host/carbon/ /wso2am/carbon/;
proxy_redirect https://$http_host/store/ /wso2am/store/;
proxy_redirect https://$http_host/publisher/ /wso2am/publisher/;
proxy_cookie_path / /wso2am/;
}
Note: But using the above configuration,I login to apim-carbon,I get logged in and then if I click on any of the options on the home page such as list,add.I get logged out and the reason behind it after investigation was the CSRF token is not being sent in the request while accessing it using Nginx.
How can the csrfprevention.js issue be resolved keeping it true.?
Disclamer: this is an incomplete answer, for I am myself digging into this question
I faced the very same issue with both wso2am and wso2ei. I am pretty sure that we need to edit /repository/conf/carbon.xml in this section (I must admit that the comments are not crystal clear):
<!--
Webapp context root of WSO2 Carbon management console.
-->
<WebContextRoot>/wso2am</WebContextRoot>
<!--
Proxy context path is a useful parameter to add a proxy path when a Carbon server is fronted by reverse proxy. In addition
to the proxy host and proxy port this parameter allows you add a path component to external URLs. e.g.
URL of the Carbon server -> https://10.100.1.1:9443/carbon
URL of the reverse proxy -> https://prod.abc.com/appserver/carbon
appserver - proxy context path. This specially required whenever you are generating URLs to displace in
Carbon UI components.
-->
<MgtProxyContextPath>/</MgtProxyContextPath>
<ProxyContextPath>/wso2am</ProxyContextPath>
The following works if your Nginx listen to 443 in SSL mode (couldn't do it with HTTP because of the redirections -> make a self signed certificate if you plan to use it on a local network)
location /wso2am {
proxy_pass https://wso2_apimanager_container:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_ssl_verify off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /wso2am/store {
proxy_pass https://wso2_apimanager:9443/store;
}
location /wso2am/publisher {
proxy_pass https://wso2_apimanager:9443/publisher;
}
location /wso2am/admin {
proxy_pass https://wso2_apimanager:9443/admin;
}
}
It works but I am not completely sure why. Can someone explain to me in which aspect <MgtProxyContextPath> differs from </MgtProxyContextPath> and from <WebContextRoot>?
allow proxy for admin publisher and store: to make /publisher, /store and /admin accessible, you need to edit the end of their respective site.json located in /repository/deployment/server/jaggeryapps/name_of_the_service/site/conf/site.json . For /publisher, you would write:
"reverseProxy" : {
"enabled" : "auto", // values true , false , "auto" - will look for X-Forwarded-* headers
"host" : "some.ip.or.domain", // If reverse proxy do not have a domain name use IP
"context":"/wso2am/publisher",
//"regContext":"" // Use only if different path is used for registry
},
Still have issue with the login though
You can follow this guide [1] to configure WSO2 API Manager with Nginx.
[1] -
https://docs.wso2.com/display/AM260/Configuring+the+Proxy+Server+and+the+Load+Balancer

How to enforce a rewrite or redirect for an nginx reverse proxyed location

I am trying to use Nginx to reverse proxy a node.js app on a sub-directory of my main website which is also reversed proxied.
The / reverse proxy works as expected however the second location does not load any assets...
I am using the below config:
location / {
proxy_pass http://192.168.1.104:3000/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /new/ {
proxy_pass http://192.168.1.65:3000/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
This works in as much as when I go to the ./new url I can see the default page of the node.js app but no images, css or js assets are loaded.
When I check the browser console I can see loading errors that show that the browser is trying to load the assets from the / location...
Also the links shown on the page loaded at ./new also point to the / location so they also do not work...
I have been trying to work out how to resolve this for days and have seen that rewrite or return commands in the nginx.conf file can be used to redirect the browser but none of these seem to work to correct my issue... or I may be mis-understanding how to use them as I see a 'too many redirects' error page when trying to load from the ./new url...
I would really appreciate any pointers on how I can resolve this.
Thanks.
You need to modify your app to prepend its root path to urls, nginx does not alter proxied content.

nginx reverse proxy images and css are not loaded

I try to configure an nginx reverse proxy to access a Jenkins instance. I can open the authentication page but there is no CSS and no image. It works perfectly when direct access.
All works as if the reverse proxy does not rewrite correctly URLs defined in the html source page. Have I missed something ?
Here is my nginx configuration :
location /jenkins {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect false;
proxy_pass http://jenkins:8080/;
}
I found the solution. The nginx reverse proxy works well but Jenkins need some customization to work with reverse proxy.
The final nginx configuration :
location /jenkins/ {
proxy_pass http://jenkins:8080/jenkins/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
And the tutorial to configure jenkins behind nginx reverse proxy which solved my problem
I don't know if above statement worked for OP but I know that altering location name line did the trick for me:
location ^~ /jenkins/ {
proxy_pass http://jenkins:8080/jenkins/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
If you use the Jenkins with docker. You can add the environment part of compose file as below:
environment:
JENKINS_OPTS: "--prefix=/jenkins"
in the nginx conf file. proxy_pass must refer to the http://IP-ADDRESS:PORT/jenkins/. As mentioned before, the link as a reference is very usefull.

Resources