Nginx Reverse Proxy with Kerberos SSO

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
neilecker
Active Member II

Nginx Reverse Proxy with Kerberos SSO

Jump to solution

Has anyone successfully implemented nginx as a reverse proxy for Alfresco with SSO enabled?  The below simplified configuration does work except for the SSO part so maybe I'm missing some header?   Attempting to access /share results in an authentication challenge when it should pass the kerberos ticket automatically.

The strange part is, if I have Fiddler open (which is a proxy itself) to have a look at the traffic, SSO does work.

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name devdocs.myserver.ca;

ssl on;
include snippets/myserver-ssl.conf;
include snippets/myserver-ssl-params-tls1.conf;

client_max_body_size 100M;

access_log /var/log/nginx/devdocs.myserver.ca.access.log;
error_log /var/log/nginx/devdocs.myserver.ca.error.log;

location / {
proxy_http_version 1.1;
proxy_pass_request_headers on;

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://10.10.100.220:8080/;
}
}

I can use Apache (and I have an instance that is configured correctly for SSO to work) but we were hoping to standardize on nginx for our SSL offloading and proxying needs.

Thanks,

Neil

1 Solution

Accepted Solutions
neilecker
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Jump to solution

For anyone who reads this it turns out the above configuration was fine.  What had changed was in our DNS.  I had switched from an "A record" which pointed the url of our Alfresco instance directly at the IP address of the proxy server to a cname which pointed at the name of the proxy server.  After this, Kerberos did not function with either nginx or apache.  So this somehow matters when passing Kerberos authentication though I'm not certain why, something to do with how the headers are passed that I don't understand I'm sure.

In the end, I switched back to an "A record" and Kerberos SSO works as expected.

View solution in original post

4 Replies
neilecker
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Jump to solution

For anyone who reads this it turns out the above configuration was fine.  What had changed was in our DNS.  I had switched from an "A record" which pointed the url of our Alfresco instance directly at the IP address of the proxy server to a cname which pointed at the name of the proxy server.  After this, Kerberos did not function with either nginx or apache.  So this somehow matters when passing Kerberos authentication though I'm not certain why, something to do with how the headers are passed that I don't understand I'm sure.

In the end, I switched back to an "A record" and Kerberos SSO works as expected.

View solution in original post

fedorow
Senior Member

Re: Nginx Reverse Proxy with Kerberos SSO

Jump to solution

I can't force Kerberos SSO works behind a nginx proxy. Can you tall me differences of configurations compared to documented method from docs.alfresco.com?

neilecker
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Jump to solution

Hi Serge,

I'm not sure which documented method you mean, the examples provided on docs.alfresco.com seem to be only for Apache.  What I showed earlier was the complete configuration used for nginx (with some names and paths changed).

fedorow
Senior Member

Re: Nginx Reverse Proxy with Kerberos SSO

Jump to solution

Neil thanks! I have got SSO two days ago. It took some dancing with a tambourine, but it works now. Your configuration helps me check my conf file. Thanks!