I am running Community7.0 behind a reverse proxy (HAPROXY) which redirects all HTTP(80) traffic to use HTTPS(443). NGINX's alfresco.conf has ssl_certificate specified so my connections to the outside world are secure. Since communication between NGINX and ALFRESCO on the box itself is all http://127.0.0.1:8080, all connected clients are instructed to use HTTP(80). This, of course, gets redirected to HTTPS(443) by HAPROXY so everything stays encrypted; however, all these necessary redirects are messy IMO.
QUESTION 1:
My research leads me to a thread that instructs adding the following to my global properties file and I want to know if this will tell all clients to use HTTPS(443) when coming back into HAPROXY so it doesn't have to redirect everything?
alfresco.context=alfresco
alfresco.host=alfresco.YourDomainGoesHere.com
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=${alfresco.host}
share.port=${alfresco.port}
share.protocol=${alfresco.protocol}
QUESTION 2:
I recall my original Alfresco5.2 build using HTTPS on port :8443 for nginx to tomcat communication so the redirect issue I see now never came up. Is there an SSL Certificate installation guide for Community7.0 for encrypting traffic HTTPS(8443)?
I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration
/etc/opt/alfresco/tomcat/conf/server.xml:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:
...
location /share/ {
    proxy_pass https://localhost:8443;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass_header Set-Cookie;
    proxy_redirect http://$host https://$host;
}
...
Now I don't see all the constant 302 redirect messages in my logs.
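A small audit for the two files changed in the answer above, added here as an example (it is not the poster's or Alfresco's code). It flags proxy_pass upstreams still on cleartext HTTP, HTTPS upstreams with no "proxy_ssl_verify on" in the same block (nginx does not verify upstream certificates by default), and Tomcat connectors that are non-TLS or still use the "changeit" keystore password. The sample configs are constructed and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the two files in the answer above.
NGINX_CONF = """
location /share/ {
    proxy_pass https://localhost:8443;
}
location /alfresco/ {
    proxy_pass http://127.0.0.1:8080;
}
"""
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" />
<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                 certificateKeystorePassword="changeit" type="RSA" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""

def audit_nginx(conf):
    """Check flat location blocks only; a proxy_ssl_verify inherited from
    the server or http level is not seen by this simple parser."""
    findings = []
    for m in re.finditer(r"location\s+(\S+)\s*\{([^}]*)\}", conf):
        path, body = m.group(1), m.group(2)
        up = re.search(r"proxy_pass\s+(\S+?);", body)
        if up and up.group(1).startswith("http://"):
            findings.append((path, "cleartext upstream " + up.group(1)))
        elif up and not re.search(r"proxy_ssl_verify\s+on\s*;", body):
            findings.append((path, "proxy_ssl_verify not enabled in this block"))
    return findings

def audit_tomcat(xml_text):
    """Flag non-TLS connectors and TLS connectors using the default password."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "connector is not TLS"))
            continue
        for cert in conn.iter("Certificate"):
            if cert.get("certificateKeystorePassword") == "changeit":
                findings.append((port, "default keystore password"))
    return findings

if __name__ == "__main__":
    print(audit_nginx(NGINX_CONF), audit_tomcat(SERVER_XML))
```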
Congratulations on figuring this out yourself & also thanks for updating your thread on how you did - super helpful!
Cheers,