topic Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???) in Alfresco Forum

How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

michaelzietlow — Wed, 30 Jun 2021 16:55:39 GMT

I am running Community7.0 behind a reverse proxy (HAPROXY) which redirects all HTTP(80) traffic to use HTTPS(443). NGINX's alfresco.conf has ssl_certificate specified so my connections to the outside world are secure. Since communication between NGINX and ALFRESCO on the box itself are all http://127.0.0.1:8080, all connected clients are instructed to use HTTP(80). This, of course, gets redirected to HTTPS(443) by HAPROXY so everything stays encrypted however all these necessary redirects are messy IMO.

QUESTION 1:
My research leads me to a thread that instructs adding the following to my global properties file and I want to know if this will tell all clients to use HTTPS(443) when coming back into HAPROXY so it doesn't have to redirect everything?

alfresco.context=alfresco
alfresco.host=alfresco.YourDomainGoesHere.com
alfresco.port=443
alfresco.protocol=https

share.context=share
share.host=${alfresco.host}
share.port=${alfresco.port}
share.protocol=${alfresco.protocol}

QUESTION 2:
I recall my original Alfresco5.2 build using HTTPS on port :8443 for nginx to tomcat communication so the redirect issue I see now never came up. Is there a SSL Certificate installation guide for Community7.0 to encrypting traffic HTTPS(8443)?

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

michaelzietlow — Wed, 30 Jun 2021 22:49:07 GMT

I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration

/etc/opt/alfresco/tomcat/conf/server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:

...
        location /share/ {
            proxy_pass https://localhost:8443;
	    proxy_set_header    X-Forwarded-Proto https;
            proxy_set_header    X-Real-IP        $remote_addr;
            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header	X-NginX-Proxy    true;
	    proxy_set_header	Host		 $http_host;
            proxy_set_header	Upgrade          $http_upgrade;
            proxy_pass_header	Set-Cookie;
	    proxy_redirect 	http://$host	https://$host;
        }
...

Now I don't see all the constant 302 redirect messages in my logs.

Re: How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

EddieMay — Mon, 05 Jul 2021 13:23:30 GMT

Hi @michaelzietlow

Congratulations on figuring this out yourself & also thanks for updating your thread on how you did - super helpful!

Cheers,