Hey guys,
We have Alfresco Community version up and running on our local windows 2008 server. We have the SSL certificates in place.
We are in the process of setting up reverse proxy for Alfresco. There are many outdated documentations to complete this however none of the steps are working.
We are trying to accomplish reverse proxy so that all incoming requests for the main alfresco server, which runs on Tomcat gets wrapped automatically to SSL. (http to https).
Do you guys have an updated current documentation(s) to help us accomplish this?
For your reference we are attaching our config files.( global properties and server.xml )
Please provide any documents for configuring Alfresco reverse proxy for version 5.2.
alfresco.global.properties:::
###############################
## Common Alfresco Properties #
###############################
dir.root=C:/ALFRES~1/alf_data
index.recovery.mode=FULL
### dir.root=//optimus.mysite.local/Alfresco$
dir.contentstore=//optimus.mysite.local/Alfresco$/contentstore
dir.contentstore.deleted=//optimus.mysite.local/Alfresco$/contentstore.deleted
activities.feed.notifier.enabled=false
alfresco.context=alfresco
alfresco.host=Alfresco.mysite.com
alfresco.port=8081
### alfresco.port.ssl=8443
alfresco.protocol=https
alfresco.allowWrite=true
alfresco.enableMultiThreadedTracking=true
share.context=share
share.host=Alfresco.mysite.com
share.port=8081
### share.port.ssl=8443
share.protocol=https
share.allowWrite=true
share.enableMultiThreadedTracking=true
opencmis.context.override=true
opencmis.context.value=
opencmis.servletpath.override=true
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=https://alfresco.mysite.com
### Open CMIS Added by Nat 7/27/2017
### opencmis.context.override=true
### opencmis.context.value=
### opencmis.servletpath.override=true
### opencmis.servletpath.value=
### opencmis.server.override=true
### opencmis.server.value=https://alfresco.mysite.com/alfresco/api
### worker location ###
worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=Alfresco.mysite.com
worker.ajp13_worker.type=ajp13
worker.ajp13_worker.lbfactor=1
### mysql properties ###
db.username=solr_Remote
db.password=mypassword!
db.name=alfrescodb
db.host=AlfrescoSQLSF.mysite.com
db.port=3306
db.pool.max=275
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}?useSSL=false&useUnicode=yes&characterEncoding=UTF-8
db.pool.validate.query=SELECT 1
# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN
### FTP Server Configuration ###
ftp.port=21
### RMI registry port for JMX ###
alfresco.rmi.services.port=50500
### External executable locations ###
ooo.exe=C:/ALFRES~1/LIBREO~1/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
img.root=C:\\alfresco-community\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}
img.gslib=${img.root}\\lib
img.exe=${img.root}\\convert.exe
jodconverter.enabled=false
jodconverter.officeHome=C:/ALFRES~1/LIBREO~1/App/libreoffice
jodconverter.portNumbers=8100
### Initial admin password ###
alfresco_user_store.adminpassword=547ea0f8df36ac1d500931e4dcb1aa60
### E-mail site invitation setting ###
notification.email.siteinvite=false
### License location ###
dir.license.external=C:/ALFRES~1
### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=Alfresco.mysite.com
solr.port.ssl=8443
solr.secureComms=https
### Allow extended ResultSet processing
security.anyDenyDenies=false
### Smart Folders Config Properties ###
smart.folders.enabled=true
### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false
### CIFS ###
cifs.enabled=true
cifs.serverName=alfrescoA
cifs.hostannounce=true
cifs.domain=mysite.com
cifs.broadcast=xx.xx.xx.xx
cifs.localname=${localname}A
### cifs.localname=Alfresco.mysite.comA
cifs.urlfile.prefix=http://${localname}:${port}/alfresco/
### cifs.urlfile.prefix=http://Alfresco.mysite.com:8080/alfresco/
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
## Added by Nat 7/26/2017
##alfresco.authentication.authenticateCIFS=true
### Sample Exchange settings ###
mail.host=cybertron02.mysite.local
mail.port=25
mail.protocol=smtp
mail.smtps.starttls.enable=false
mail.smtp.auth=false
mail.testmessage.send=true
mail.testmessage.to_many=['dshah@mysite.com','nfast@mysite.com','ifraser@mysite.com']
mail.testmessage.subject=Alfrescotest
mail.testmessage.text=123testalfrescom
### Inbound email configuration ###
email.inbound.enabled=true
# Inbound email server settings
email.server.enabled=true
# email.server.port=25
email.server.port=993
# email.server.domain=imap.gmail.com
email.server.domain=mysite.com
email.server.hideTLS=false
email.server.enableTLS=true
email.server.requireTLS=false
email.inbound.unknownUser=anonymous
email.server.allowed.senders=.*
### ntlm properties ###
ntlm.authentication.sso.enabled=true
## nf 7/26/2017 ##ntlm.authentication.sso.enabled=false
### authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm,ldap2:ldap-ad
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap,passthru1assthru
### ldap properties ###
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ldap.authentication.allowGuestLogin=false
#do not allow guest logon
ldap.authentication.userNameFormat=%s@mysite.local
#your login is the same like user name in windows
ldap.authentication.java.naming.provider.url=ldap://dc02.mysite.local:389
#adress of ldap server
ldap.authentication.defaultAdministratorUserNames=administrator
#users with admin rights
ldap.synchronization.java.naming.security.principal=administrator@mysite.local
#ldap local administrator on your server
ldap.synchronization.java.naming.security.credentials=mypassword
#password to ldap_admin@yourdomain.com
ldap.synchronization.groupSearchBase=dc=mysite,dc=local
#groups for alfresco, cn=Security_Groups,ou=Alfresco,dc=your_domain,dc=com must exist in Your ldap
ldap.synchronization.userSearchBase=dc=mysite,dc=local
#users for alfresco, cn=User_Accounts,ou=Alfresco,dc=your_domain,dc=com must exist in Your ldap
ldap.authentication.active=true
ldap.synchronization.active=true
### Quotas ###
system.usages.enabled=true
### Ntlm ###
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=true
### ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
### Passthru ###Dont know if this will work
passthru.authentication.useLocalServer=true
passthru.authentication.domain=mysite.com
passthru.authentication.servers=Alfresco.mysite.com\\xx.xx.xx.xx
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=admin
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
### Synchronisation Active Directory ###
### synchronization.import.cron=0 0/30 9-18 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
### Transformations
ffmpeg.exe=C:\\alfresco-community\\ffmpeg\\bin\\ffmpeg
### Needed for video thumbnails ###
# ffmpeg.thumbnail
# ================
content.transformer.ffmpeg.thumbnail.priority=50
content.transformer.ffmpeg.thumbnail.extensions.3g2.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.3gp.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.asf.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.avi.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.avx.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.flv.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.mov.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.movie.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.mp4.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.mpeg2.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.mpg.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.ogv.jpg.supported=true
content.transformer.ffmpeg.thumbnail.extensions.wmv.jpg.supported=true
### Needed for video transformations ###
# ffmpeg.flv
# ==========
content.transformer.ffmpeg.flv.priority=50
content.transformer.ffmpeg.flv.extensions.3g2.flv.supported=true
content.transformer.ffmpeg.flv.extensions.3gp.flv.supported=true
content.transformer.ffmpeg.flv.extensions.asf.flv.supported=true
content.transformer.ffmpeg.flv.extensions.avi.flv.supported=true
content.transformer.ffmpeg.flv.extensions.avx.flv.supported=true
content.transformer.ffmpeg.flv.extensions.mov.flv.supported=true
content.transformer.ffmpeg.flv.extensions.movie.flv.supported=true
content.transformer.ffmpeg.flv.extensions.mp4.flv.supported=true
content.transformer.ffmpeg.flv.extensions.mpeg2.flv.supported=true
content.transformer.ffmpeg.flv.extensions.mpg.flv.supported=true
content.transformer.ffmpeg.flv.extensions.ogv.flv.supported=true
content.transformer.ffmpeg.flv.extensions.wmv.flv.supported=true
# ffmpeg.mp4
# ==========
content.transformer.ffmpeg.mp4.priority=50
content.transformer.ffmpeg.mp4.extensions.3g2.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.3gp.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.asf.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.avx.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.mov.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.movie.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.mpeg2.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.mpg.mp4.supported=true
content.transformer.ffmpeg.mp4.extensions.wmv.mp4.supported=true
# The avi and ogv to mp4 transformations did not work with ffmpeg 0.8.6
# Please check the latest ffmpeg documentation for the latest information
# content.transformer.avi.mp4.extensions.mpg.mp4.supported=true
# content.transformer.ogv.mp4.extensions.wmv.mp4.supported=true
# ffmpeg.mp3
# ==========
content.transformer.ffmpeg.mp3.priority=50
content.transformer.ffmpeg.mp3.extensions.aiff.mp3.supported=true
content.transformer.ffmpeg.mp3.extensions.au.mp3.supported=true
content.transformer.ffmpeg.mp3.extensions.m4a.mp3.supported=true
content.transformer.ffmpeg.mp3.extensions.oga.mp3.supported=true
content.transformer.ffmpeg.mp3.extensions.wav.mp3.supported=true
::::::::::::::::::::::::::::::::::::::::::::::::
Server.XML
:::::::::::::::::::::::::::::::::::::::::::::::::::
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<!-- Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /-->
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<!-- Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /-->
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080proxyName="alfresco.mysitesf.com" proxyPort="443"
-->
<Connector port="8080" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
redirectPort="8443" maxHttpHeaderSize="32768" proxyName="alfresco.mysitesf.com" proxyPort="8443"
maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10"
scheme="https" secure="true"
/>
<Connector port="8081" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
redirectPort="8443" maxHttpHeaderSize="32768" proxyName="alfresco.mysitesf.com" proxyPort="8443"
maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10"
scheme="https" secure="true"
/>
<!-- Connectors for reverse proxy (nginx)
<Connector port="8081" address="alfresco.mysitesf.com"
URIEncoding="UTF-8" protocol="HTTP/1.1"
maxThreads="300" connectionTimeout="6000000" maxHttpHeaderSize="32768"
redirectPort="443" disableUploadTimeout="false"
proxyPort="443" scheme="https" secure="false"
sslProtocol="TLS" maxSavePostSize="-1"/>
<Connector port="8082" address="alfresco.mysitesf.com"
URIEncoding="UTF-8" protocol="HTTP/1.1"
maxThreads="300" connectionTimeout="6000000" maxHttpHeaderSize="32768"
redirectPort="80" disableUploadTimeout="false"
proxyPort="80" scheme="http" secure="false"
maxSavePostSize="-1"/>
-->
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool" proxyName="alfresco.mysitesf.com" proxyPort="443"
port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" maxHttpHeaderSize="32768" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="32768" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="8443" proxyName="alfresco.mysitesf.com" proxyPort="8443" />
<!--
<Connector port="7009" address="alfresco.mysitesf.com"
URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="443"
scheme="https" secure="true" maxThreads="500" maxSavePostSize="-1" />
<Connector port="7010" address="alfresco.mysitesf.com"
URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="80"
scheme="http" secure="true" maxThreads="500" maxSavePostSize="-1"/>
-->
<Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" keystoreFile="C:\alfresco-community/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
secure="true" connectionTimeout="240000" truststoreFile="C:\alfresco-community/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
clientAuth="want" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" maxSavePostSize="-1"
/>
<!--
<Connector port="443" URIEncoding="UTF-8"
protocol="HTTP/1.1"
SSLEnabled="true" maxThreads="150" scheme="https"
keystoreFile="C:\alfresco-community\alf_data\keystore\CertsFromSolr\solr-ssl.keystore.jks"
keystorePass="mysite"
keystoreType="JCEKS"
truststoreFile="C:\alfresco-community\alf_data\keystore\CertsFromSolr\solr-ssl.keystore.jks"
truststorePass="mysite"
truststoreType="JCEKS"
secure="true" connectionTimeout="240000"
clientAuth="want"
sslProtocol="TLS"
allowUnsafeLegacyRenegotiation="true"
maxHttpHeaderSize="32768"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
<!--
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
-->
</Host>
</Engine>
</Service>
</Server>
The problem isn't necessarily that the guides are outdated - the core concepts for setting up a Reverse Proxy for Alfresco have not changed since I started working with Alfresco in 2010. The problem for most people is just that there are multiple options to choose from, some guides / blog posts may be rather high-level and a lot of people doing this for the first time simply lack the experience to comprehend the guides / documentation (however well written) on the first and second tries.
The Alfresco documentation about SSL + reverse proxy for production environment focusses on Apache HTTPd with mod_jk. A lot of community members, like Keensoft, also use this general approach. Some prefer Nginx for its performance advantages (though I hardly ever encountered a use case where the proxy was the performance bottleneck). I usually use Apache HTTPd with mod_proxy...
It would have been better if you had attached your configuration files as attachments instead of including them with your text - that would make it easier to separate the individual files. Some properties you have set seem a bit strange and I am having a hard time comprehending how / where you did come up with them, e.g. alfresco.enableMultiThreadedTracking=true and share.enableMultiThreadedTracking=true in alfresco-global.properties.
Hi:
A simple example for the configuration of Apache with mod_proxy may be:
Alfresco tomcat behind apache httpd proxy configuration
And another interesting setup for nginx is the one that it is done by the Loftux Ubuntu Installer for Alfresco:
alfresco-ubuntu-install/nginx at master · loftuxab/alfresco-ubuntu-install · GitHub
Hope it helps.
Regards.
--C.
You mean the "Loftux Ubuntu Installer for Alfresco" or "Loftux Alfresco Installer on Ubuntu"... it should not be confused as an official installer which someone casual reader might do.
Yes Axel, the Loftux one. That's right.
Regards.
--C.
Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.
Related links:
By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods). If you are not ok with these terms, please do not use this website.