SSO doesn't work with reverse proxy

vgusev2007
Champ in-the-making
Hi all!

I use Alfresco 4.2.2 Enterprise on a Linux platform.

I have set up SSO via: http://docs.alfresco.com/4.2/tasks/auth-kerberos-ADconfig.html and it works fine. But I need to set up a reverse proxy (I use nginx). That works too, except for SSO.


PLEASE read my logs and scheme; I'd be glad if you could help me.


So, I have the following scheme:

Webbrowser (Firefox) -> https://portal.company.ru (server A with nginx as a reverse proxy) -> http://alfresco-prd.company.local:8080 (alfresco local server)


So, if I connect to Alfresco without server A, it succeeds, but when I use nginx it fails…

Please read my logs:


2014-07-17 09:48:03,169  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-2] New Kerberos auth request from 192.168.9.2 (192.168.9.2:50938)
2014-07-17 09:48:03,169  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-2] Issuing login challenge to browser.
2014-07-17 09:48:03,216  ERROR [org.alfresco.fileserver] [http-bio-8080-exec-3] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
….
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:722)
Caused by: KrbException: Checksum failed
   at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
   at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177)
   at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
   at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
   at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
   … 36 more
Caused by: java.security.GeneralSecurityException: Checksum failed
   at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
   at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)
   at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)
   … 42 more
2014-07-17 09:48:03,217  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] No SPNEGO response, Kerberos logon failed
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Failed SPNEGO authentication.
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Clearing session.
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Issuing login challenge to browser.
2014-07-17 09:48:03,267  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-4] Login page requested, chaining …


I have the following nginx conf:


root@gateway:~# cat /etc/nginx/conf.d-backup/alfresco.conf
proxy_cache_path /var/cache/nginx/alfresco levels=1 keys_zone=alfrescocache:256m max_size=512m inactive=1440m;

upstream alfresco {
server alfresco-prd.company.local:8080;
}

upstream sharepoint {
server alfresco-prd.company.local:7071;
}

server {
listen 80 ;
server_name portal.company.ru www.portal.company.ru;
server_name_in_redirect off;
rewrite ^ https://$host$request_uri? permanent;
}

server {
listen 443 ssl;
server_name portal.company.ru www.portal.company.ru;
root /etc/nginx/conf.d/alfresco;
index index.html index.htm;
rewrite ^/$ /share;

ssl on;
ssl_certificate /etc/nginx/conf.d/alfresco/alfserver.crt;
ssl_certificate_key /etc/nginx/conf.d/alfresco/alfserver.key;

   location /robots.txt {
        alias /etc/nginx/conf.d/alfresco/robots.txt;
   }

   location / {
   try_files $uri $uri/ /index.html;
   }

error_page 502 503 504 /maintenance.html;

   location = /maintenance.html {
   root /etc/nginx/conf.d/alfresco;
   }

   location /alfresco {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_set_header Host $http_host;
   proxy_pass http://alfresco;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Server $host;
   }

   location /share {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_pass http://alfresco;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Server $host;
   }

   location /share/proxy/alfresco {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_pass http://alfresco;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Host $http_host;
   proxy_set_header X-Forwarded-Server $host;
   proxy_intercept_errors on;
   error_page 502 503 504 =401 /maintenance.html;
   }

   location /share/res/ {
   proxy_http_version 1.1;
   proxy_pass http://alfresco;
   proxy_set_header Host $http_host;
   proxy_cache alfrescocache;
   proxy_cache_min_uses 1;
   proxy_cache_valid 200 302 1440m;
   proxy_cache_valid 404 1m;
   proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
   }
}

server {
listen 7070 ssl;
server_name portal.company.ru;
ssl on;
ssl_certificate /etc/nginx/conf.d/alfresco/alfserver.crt;
ssl_certificate_key /etc/nginx/conf.d/alfresco/alfserver.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

   location / {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_buffering off;
   proxy_pass http://sharepoint;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Host $http_host;
   proxy_set_header X-Forwarded-Server $host;
   }
}


I think it is bad because I rewrite the hostname in the reverse proxy…

I have set up different SPNs in Kerberos (portal.company.ru, alfresco-prd.company.local) without success.


Is it possible to use reverse proxy with alfresco and SSO?
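The "Checksum failed" path in the post usually means the ticket the browser presents was encrypted with a key the Alfresco acceptor does not hold: behind the proxy the browser asks the KDC for HTTP/portal.company.ru, not HTTP/alfresco-prd.company.local. The following diagnostic is an added example, not code from the thread or from Alfresco; the klist listing, realm and key version number are constructed assumptions.

```python
"""Diagnose SPN/keytab mismatches for Kerberos SSO behind a reverse proxy.

The browser requests a service ticket for HTTP/<host it connects to>, so the
acceptor's keytab must hold a key for that SPN at the KDC's current kvno.
Constructed `klist -kte` output is parsed instead of running klist.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of `klist -kte` output (an assumption, not from the post).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/alfresco.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   3 07/17/14 09:00:00 HTTP/alfresco-prd.company.local@COMPANY.LOCAL (arcfour-hmac)
   3 07/17/14 09:00:00 HTTP/alfresco-prd.company.local@COMPANY.LOCAL (aes256-cts-hmac-sha1-96)
   2 06/01/14 12:00:00 HTTP/portal.company.ru@COMPANY.LOCAL (arcfour-hmac)
"""

# kvno, date, time, principal, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def spn_for_url(url, realm):
    """SPN the browser asks for: HTTP/<hostname>@REALM (the port is ignored)."""
    host = urlsplit(url).hostname.lower()
    return f"HTTP/{host}@{realm}"


def check_keytab(url, realm, kdc_kvno, klist_text):
    """Classify why a ticket for `url` would or would not decrypt.

    kdc_kvno is the key version the KDC currently uses for the account that
    owns the SPN. Returns 'ok', 'missing-spn' or 'kvno-mismatch'.
    """
    spn = spn_for_url(url, realm)
    keys = [e for e in parse_klist(klist_text) if e[1] == spn]
    if not keys:
        return "missing-spn"    # no key at all for the name the browser used
    if all(k[0] != kdc_kvno for k in keys):
        return "kvno-mismatch"  # stale key: decrypt fails with 'Checksum failed'
    return "ok"
```

Run it against the real `klist -kte` output and the account's current key version to see which of the two failure modes applies before touching the proxy config.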
4 REPLIES

kimberlydeborah
Champ in-the-making
The reverse proxy based approach is quite flexible and supports multiple SSO solutions. This approach is considered the best practice when configuring SSO for CentraSite.

I have setup mod_jk + apache - it works fine for me.

We use mod_proxy_ajp + apache and this works fine (Ubuntu 4.2.e/f and Ubuntu 12.04 LTS), but this approach has other problems since Alfresco Share is so hungry in terms of http threads per share page. It is not easy to scale with several hundred concurrent users if you use apache reverse proxy. You need to tune apache for that.
I've seen a lot of configs which solves this issue much better with nginx but I haven't seen a working nginx config so far which has no problem with WebDAV, SPP, Kerberos.

Are there any nginx experts having experience with Alfresco config working with WebDAV, SPP and Kerberos?

I don't use ajp. I use jk.

It looks like this one:


<VirtualHost *:80>
        ServerName test.company.ru
        ServerAlias www.test.company.ru
        Redirect / https://test.company.ru/share
</VirtualHost>
<virtualhost *:443>
        ServerName test.company.ru
        ServerAlias www.test.company.ru
        SSLEngine On
        SSLCertificateFile /etc/apache2/cert/test.company.ru.crt
        SSLCertificateKeyFile /etc/apache2/cert/test.company.ru.key
        SSLCACertificateFile /etc/apache2/cert/SSL123_CA_Bundle.pem
        ErrorDocument   503     "/custom_errors/maintenance.html"
        RedirectMatch ^/$ /share/
        jkMount /alfresco ajp13_worker
        jkMount /alfresco/* ajp13_worker
        jkMount /share ajp13_worker
        jkMount /share/* ajp13_worker