1

So I've been trying to reverse proxy Alfresco 5.0.d Community through our Nginx reverse proxy. Currently the reverse proxy is being used to serve only our helpdesk. This is the first time I've set up a reverse proxy so please bear with me. The main goal of this reverse proxy is to TLS encrypt all of our internal web apps to the internet using Let's Encrypt issued certificates.

I've managed to have success reverse proxying Alfresco from http internally to http externally, or http://x.x.x.x:8080/share to http://alfresco.companyname.com, and this works perfectly as far as I can tell. The server block config I used for that is:

server {
    listen 80;
    server_name alfresco.companyname.com;
    rewrite ^/$ /share;
    location / {
        root /share/;
        proxy_pass http://x.x.x.x:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

We aren't comfortable leaving the server on an unencrypted connection, so I've been trying to get TLS enabled on this setup as well, but I keep getting greeted with an error page after login.

[Image: Alfresco error message]

The server block with SSL enabled:

server {
    listen 443 ssl;
    server_name alfresco.companyname.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/alfrescochained.pem;
    ssl_certificate_key /etc/ssl/private/alfrescopriv.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;
    rewrite ^/$ /share;
    location / {
        root /share/;
        proxy_pass http://x.x.x.x:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Alfresco error logs aren't being very informative and I'm new to Nginx (I tried Apache to begin with but ran into a lot of issues). Anyone have any recommended things to try?

Craig
Kent

2 Answers

0

This is just a guess. But Alfresco might issue an insecure login cookie that the secure front-end is (quite rightly) not returning. So the login process just dies in a heap.

If Alfresco supports it, there is a header which is commonly used to inform it that the client connection is in fact secure. Try:

proxy_set_header X-Forwarded-Proto $scheme;

Richard Smith
0

I've resolved the issue. I replaced http://x.x.x.x:8080 with https://x.x.x.x:8443. At first I forgot to replace http with https but I remembered to do that and now it's working. I was getting insecure page warnings to do with the connection within Chrome. I stepped out of the office and my login cookies expired and after signing back in the insecure warnings went away, so it may have been to do with that.

Kent
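A consolidated configuration reflecting both answers, as an added example that is not part of the original posts: it redirects plain HTTP to HTTPS, proxies to the backend's TLS port from the second answer, passes X-Forwarded-Proto as suggested in the first, and turns on upstream certificate verification, which nginx leaves off by default. The backend CA file path and the name used for `proxy_ssl_name` are assumptions, `x.x.x.x` is the page's own placeholder, and whether Alfresco acts on X-Forwarded-Proto is not confirmed on this page.

```nginx
# Redirect plain HTTP so credentials are never submitted in the clear.
server {
    listen 80;
    server_name alfresco.companyname.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name alfresco.companyname.com;

    ssl_certificate     /etc/ssl/certs/alfrescochained.pem;
    ssl_certificate_key /etc/ssl/private/alfrescopriv.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); keep only AEAD suites.
    ssl_protocols TLSv1.2;
    ssl_ciphers   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_dhparam   /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    rewrite ^/$ /share;

    location / {
        # Backend TLS port, as in the second answer.
        proxy_pass https://x.x.x.x:8443;

        # Without these, nginx encrypts the upstream hop but accepts any
        # certificate the backend presents.
        proxy_ssl_verify              on;
        # Assumption: CA (or self-signed cert) that issued the backend certificate.
        proxy_ssl_trusted_certificate /etc/ssl/certs/alfresco-backend-ca.pem;
        # Assumption: the name on the backend certificate. proxy_pass targets
        # an IP address, so the expected name must be given explicitly.
        proxy_ssl_name                alfresco.companyname.com;

        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP          $remote_addr;
    }
}
```

Run `nginx -t` before reloading to catch syntax errors and unreadable certificate paths.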