Help

How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
michaelzietlow
Active Member II
‎30 Jun 2021 5:55 PM

How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

  I am running Community7.0 behind a reverse proxy (HAPROXY) which redirects all HTTP(80) traffic to use HTTPS(443).   NGINX's alfresco.conf has ssl_certificate specified so my connections to the outside world are secure.   Since communication between NGINX and ALFRESCO on the box itself are all http://127.0.0.1:8080, all connected clients are instructed to use HTTP(80).  This, of course, gets redirected to HTTPS(443) by HAPROXY so everything stays encrypted however all these necessary redirects are messy IMO.

QUESTION 1:
   My research leads me to a thread that instructs adding the following to my global properties file and I want to know if this will tell all clients to use HTTPS(443) when coming back into HAPROXY so it doesn't have to redirect everything?

alfresco.context=alfresco
alfresco.host=alfresco.YourDomainGoesHere.com
alfresco.port=443
alfresco.protocol=https

share.context=share
share.host=${alfresco.host}
share.port=${alfresco.port}
share.protocol=${alfresco.protocol}

QUESTION 2:
I recall my original Alfresco5.2 build using HTTPS on port :8443 for nginx to tomcat communication so the redirect issue I see now never came up.   Is there a SSL Certificate installation guide for Community7.0 to encrypting traffic HTTPS(8443)?

0 Kudos
Reply
1 Solution

Accepted Solutions
michaelzietlow
Active Member II
‎30 Jun 2021 11:49 PM

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration

 

/etc/opt/alfresco/tomcat/conf/server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:

...
        location /share/ {
            proxy_pass https://localhost:8443;
	    proxy_set_header    X-Forwarded-Proto https;
            proxy_set_header    X-Real-IP        $remote_addr;
            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header	X-NginX-Proxy    true;
	    proxy_set_header	Host		 $http_host;
            proxy_set_header	Upgrade          $http_upgrade;
            proxy_pass_header	Set-Cookie;
	    proxy_redirect 	http://$host	https://$host;
        }
...


Now I don't see all the constant 302 redirect messages in my logs.

View solution in original post

Reply
2 Replies
michaelzietlow
Active Member II
‎30 Jun 2021 11:49 PM

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration

 

/etc/opt/alfresco/tomcat/conf/server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:

...
        location /share/ {
            proxy_pass https://localhost:8443;
	    proxy_set_header    X-Forwarded-Proto https;
            proxy_set_header    X-Real-IP        $remote_addr;
            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header	X-NginX-Proxy    true;
	    proxy_set_header	Host		 $http_host;
            proxy_set_header	Upgrade          $http_upgrade;
            proxy_pass_header	Set-Cookie;
	    proxy_redirect 	http://$host	https://$host;
        }
...


Now I don't see all the constant 302 redirect messages in my logs.

Reply
EddieMay
Alfresco Employee
‎5 Jul 2021 2:23 PM

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

Hi @michaelzietlow 

Congratulations on figuring this out yourself & also thanks for updating your thread on how you did - super helpful!

Cheers,

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!
0 Kudos
Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.