How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

cancel
Showing results for 
Search instead for 
Did you mean: 
michaelzietlow
Active Member II

How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

  I am running Community7.0 behind a reverse proxy (HAPROXY) which redirects all HTTP(80) traffic to use HTTPS(443).   NGINX's alfresco.conf has ssl_certificate specified so my connections to the outside world are secure.   Since communication between NGINX and ALFRESCO on the box itself are all http://127.0.0.1:8080, all connected clients are instructed to use HTTP(80).  This, of course, gets redirected to HTTPS(443) by HAPROXY so everything stays encrypted however all these necessary redirects are messy IMO.

QUESTION 1:
   My research leads me to a thread that instructs adding the following to my global properties file and I want to know if this will tell all clients to use HTTPS(443) when coming back into HAPROXY so it doesn't have to redirect everything?

alfresco.context=alfresco
alfresco.host=alfresco.YourDomainGoesHere.com
alfresco.port=443
alfresco.protocol=https

share.context=share
share.host=${alfresco.host}
share.port=${alfresco.port}
share.protocol=${alfresco.protocol}

QUESTION 2:
I recall my original Alfresco5.2 build using HTTPS on port :8443 for nginx to tomcat communication so the redirect issue I see now never came up.   Is there a SSL Certificate installation guide for Community7.0 to encrypting traffic HTTPS(8443)?

1 Solution

Accepted Solutions
michaelzietlow
Active Member II

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration

 

/etc/opt/alfresco/tomcat/conf/server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:

...
location /share/ { proxy_pass https://localhost:8443; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-NginX-Proxy true; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_pass_header Set-Cookie; proxy_redirect http://$host https://$host; }
...


Now I don't see all the constant 302 redirect messages in my logs.

View solution in original post

2 Replies
michaelzietlow
Active Member II

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration

 

/etc/opt/alfresco/tomcat/conf/server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:

...
location /share/ { proxy_pass https://localhost:8443; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-NginX-Proxy true; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_pass_header Set-Cookie; proxy_redirect http://$host https://$host; }
...


Now I don't see all the constant 302 redirect messages in my logs.

View solution in original post

EddieMay
Community Manager
Community Manager

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

Jump to solution

Hi @michaelzietlow 

Congratulations on figuring this out yourself & also thanks for updating your thread on how you did - super helpful!

Cheers,

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!