SHARE login error when running Nginx with SSL on port 443

cancel
Showing results for 
Search instead for 
Did you mean: 
renato_fritola
Active Member II

SHARE login error when running Nginx with SSL on port 443

Hello, I have been using Alfresco for some time now through Docker. I recently had to configure Nginx to run on port 443 using SSL. After making this change only in Nginx the Share application can no longer communicate with Alfresco. When logging in the following error occurs:

Spoiler
Something is wrong with this page ...

We may have encountered an error, or maybe something has been removed or deleted, so check to see if the URL is correct.

It is also possible that you do not have permission to view the page (it may be part of a private site) or that an internal error has occurred. Contact your IT staff.

If you are trying to access the home page and it is no longer available, change it by clicking its name on the toolbar.

Where should I change in SHARE so that it can connect to alfresco?

Thank you very much in advance.

5 Replies
angelborroy
Expert

Re: SHARE login error when running Nginx with SSL on port 443

Take a look at this project:

https://github.com/Alfresco/alfresco-docker-installer

Basically, you need to add the proxy properties to Tomcat connector.

https://github.com/Alfresco/alfresco-docker-installer/blob/master/generators/app/templates/images/sh...

Software Engineer in Alfresco Search Team.
loftux
Established Member

Re: SHARE login error when running Nginx with SSL on port 443

You can find sample nginx configuration here
https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/nginx/alfresco.conf.ssl

You should also verify you CSRFPolicy configuration in share-config-custom, see a sample here

https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/tomcat/share-config-custom.xml#L23

 

heiko_robert
Established Member II

Re: SHARE login error when running Nginx with SSL on port 443

You'll see the reason in tomcat's catalina.out (repository tier). As @loftux stated the CSRFPolicy may be your issue. If you only want to access share from your nginx the easiest way would be to set alfresco.host and alfresco.port to your nginx virtual host. So you don't need open up / configure the default CSRFPolicy .

In nginx you should also set the X-Forwarded-* header to remap them in tomcat's server.xml to avoid trouble with DAV and AOS. e.g. by setting RemoteIpValve:

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
          remoteIpHeader="x-forwarded-for"
          remoteIpProxiesHeader="x-forwarded-by"
          protocolHeader="x-forwarded-proto"
        />

best practice is also to set up custom (tomcat) connectors to be used by nginx only. This example listens only on localhost and expects requests using http (take a look on scheme and secure):

        <!-- Connectors for reverse proxy (nginx) -->
        <Connector port="8081" address="localhost" URIEncoding="UTF-8" protocol="HTTP/1.1"
           maxThreads="300" connectionTimeout="600000" maxHttpHeaderSize="32768"
           redirectPort="443" disableUploadTimeout="false"
           proxyPort="443" scheme="https" secure="false" sslProtocol="TLS"
           maxSavePostSize="-1"
           />
        <Connector port="8082" address="localhost" URIEncoding="UTF-8" protocol="HTTP/1.1"
           maxThreads="300" connectionTimeout="600000" maxHttpHeaderSize="32768"
           redirectPort="80" disableUploadTimeout="false"
           proxyPort="80" scheme="http" secure="false"
           maxSavePostSize="-1"
           />

last, but not least you need to set the external url for AOS

aos.baseUrlOverwrite=https://alfresco.mycompany.com/alfresco/aos

since aos does not respect the proxyName for the online edit action in share.

renato_fritola
Active Member II

Re: SHARE login error when running Nginx with SSL on port 443

Hello, I was able to make the SHARE application connect to alfresco by adding the content in Dockerfile as:

https://github.com/keensoft/docker-alfresco/wiki/Running-the-service-behind-an-SSL-Proxy

But now, when I access SHARE, I have the following error: 

 

2019-09-20 16:31:29,757  ERROR [extensions.webscripts.AbstractRuntime] [http-nio-8080-exec-9] Exception from executeScript: 08200045 Wrapped Exception (with status template): 08200162 Request failed 500 /solr/alfresco/afts?wt=json&locale=pt_BR&stats=true&rows=0&stats.field=content.size&stats.facet=%40%7Bhttp%3A%2F%2Fwww.alfresco.org%2Fmodel%2Fcontent%2F1.0%7Dcreator.__
org.springframework.extensions.webscripts.WebScriptException: 08200045 Wrapped Exception (with status template): 08200162 Request failed 500 /solr/alfresco/afts?wt=json&locale=pt_BR&stats=true&rows=0&stats.field=content.size&stats.facet=%40%7Bhttp%3A%2F%2Fwww.alfresco.org%2Fmodel%2Fcontent%2F1.0%7Dcreator.__
        at org.springframework.extensions.webscripts.AbstractWebScript.createStatusException(AbstractWebScript.java:1139)
        at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:171)
        at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:519)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:450)
        at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:595)
        at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:664)
        at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:435)
        at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:315)
        at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
        at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
        at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
        at org.alfresco.repo.web.scripts.AlfrescoWebScriptServlet.service(AlfrescoWebScriptServlet.java:43)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at jdk.internal.reflect.GeneratedMethodAccessor561.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at jdk.internal.reflect.GeneratedMethodAccessor558.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)
        at jdk.internal.reflect.GeneratedMethodAccessor558.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
        at jdk.internal.reflect.GeneratedMethodAccessor558.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
        at jdk.internal.reflect.GeneratedMethodAccessor558.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.alfresco.repo.search.impl.lucene.LuceneQueryParserException: 08200162 Request failed 500 /solr/alfresco/afts?wt=json&locale=pt_BR&stats=true&rows=0&stats.field=content.size&stats.facet=%40%7Bhttp%3A%2F%2Fwww.alfresco.org%2Fmodel%2Fcontent%2F1.0%7Dcreator.__
        at org.alfresco.repo.search.impl.solr.AbstractSolrQueryHTTPClient.postQuery(AbstractSolrQueryHTTPClient.java:108)
        at org.alfresco.repo.search.impl.solr.SolrQueryHTTPClient.postSolrQuery(SolrQueryHTTPClient.java:1115)
        at org.alfresco.repo.search.impl.solr.SolrQueryHTTPClient.postSolrQuery(SolrQueryHTTPClient.java:1108)
        at org.alfresco.repo.search.impl.solr.SolrQueryHTTPClient.executeStatsQuery(SolrQueryHTTPClient.java:313)
        at org.alfresco.repo.search.impl.solr.SolrQueryHTTPClient.executeStatsQuery(SolrQueryHTTPClient.java:1)
        at org.alfresco.repo.search.impl.solr.SolrQueryLanguage.executeStatsQuery(SolrQueryLanguage.java:62)
        at org.alfresco.repo.search.impl.solr.SolrStatsService.query(SolrStatsService.java:61)
        at jdk.internal.reflect.GeneratedMethodAccessor670.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.alfresco.repo.management.subsystems.SubsystemProxyFactory$1.invoke(SubsystemProxyFactory.java:79)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy253.query(Unknown Source)
        at org.alfresco.repo.web.scripts.solr.StatsGet.executeImpl(StatsGet.java:126)
        at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:64)
        ... 107 more

 

 

fedorow
Established Member II

Re: SHARE login error when running Nginx with SSL on port 443

1. Witch tomcat server.xml sould contein "RemoteIpValve": repo or share?

2. The same question is about "Connectors for reverse proxy (nginx)" ?

3. Does it requaired parameter aos.sitePathOverwrite=/alfresco/aos ?