
SSL termination with Share front end

t16
Champ in-the-making
Hi,

Again sorry for all the threads, this should be the last for a while.

I have a problem with SSL termination on an HAProxy load balancer.

I used the DevOps blog for Alfresco with HAProxy as a guide, and it partially works but with an odd behaviour.

Having a port 80 AND a port 443 front end enables me to do any troubleshooting, and what I notice is that going straight to https://myserver/share/page/userxx/dashboard/ works like a charm.

However, the issue occurs when just using the /share URL.

When hitting up the home page using https it will reload/redirect to the http front end. We are using NTLM passthru, could it be something to do with that?

So when going to https://server/share, after authenticating, the browser reloads up the dashboard with http (not https) back at the dashboard page.

How can SSL termination be achieved with NTLM? Is there some code in the index page on the Share app that's preventing NTLM with SSL termination with HAProxy?

Like I said, going straight to https://server/share/page/userxx/dashboard is wonderful, all SSL and everything is happy. The issue occurs only when going directly to the /share URL.

I'm sure it's something simple, but my brain is fried!!

1 REPLY

t16
Champ in-the-making
OK, I found the answer for this, if there is anyone out there wishing to do NTLM passthru authentication AND have SSL offload on a load-balanced Share front end!!

Since Share bounces the request a few times between the browser and itself, you need to add "redirect scheme https if !{ ssl_fc }" to your HAProxy config to catch these "redirects" back to the client during NTLM auth.

No idea why it doesn't happen when going straight to the user dashboard, perhaps there is no auth required when there is a live session cookie, but visiting the /share home page will instigate an authentication regardless for best security..?

Either way, that's the solution, a happy person here!

Loving the flexibility of Alfresco, and how you can easily mess around and create your own architecture by splitting the bits off onto different servers etc.

The fact it's so portable and you can move Share around, and offload SOLR etc. is rather amazing.

Now I have SSL working on a load-balanced front end Share cluster, the only thing left is to bring up 2 x SOLR boxes to serve the main repository cluster.

Given the fact I have SSL on the front end, and also a shared content store via NFS, any tips on what I need to do in order to get 2 x SOLR boxes speaking to the Alfresco cluster via SSL?

If the Keystore is on the shared content store, how does that affect both Repository servers in the cluster?

Still learning here.

Thanks!
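
The setup described in this thread (a port 80 and a port 443 front end, with the `redirect scheme https if !{ ssl_fc }` rule catching requests that come back over http during the NTLM exchange), as an added example that is not part of the original posts. The certificate path, backend name, server addresses, port 8080, the timeouts, `balance source` and the `X-Forwarded-Proto` header are assumptions, not values from the thread.

```haproxy
# Added example. Paths, names and addresses are placeholders (assumptions).
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend share_http
    bind *:80
    # A request that arrives here was not received over TLS, so ssl_fc is
    # false. This is where the browser lands when Share redirects it to an
    # http:// URL during NTLM auth; send it back to the same URL on https.
    redirect scheme https if !{ ssl_fc }

frontend share_https
    # TLS is terminated here; the backend traffic below is plain http.
    bind *:443 ssl crt /etc/haproxy/certs/share.example.pem
    # Assumption: only has an effect if the application server is
    # configured to read this header when it builds redirect URLs.
    http-request set-header X-Forwarded-Proto https
    default_backend share_nodes

backend share_nodes
    # Assumption: keep each client on one Share node.
    balance source
    server share1 10.0.0.11:8080 check
    server share2 10.0.0.12:8080 check
```

The file can be syntax-checked with `haproxy -c -f <path to config>` before reloading. With the port 80 front end reduced to the redirect rule, nothing is served to clients over plain http.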