Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CMIS behind a reverse-proxy?

Go to answer
OlivierM_
Star Contributor
Star Contributor

‎03-15-2012 07:04 AM

I'm currently trying to connect CMIS Explorer (Android app) to Nuxeo DM 5.5. In my current setup, Nuxeo runs behind an SSO solution called LemonLDAP, acting as a reverse proxy. The SSO part works well - through mod_sso. The publicly accessible URL uses HTTPS. There's no service listening on plain HTTP.

In order to CMIS clients to connect, I asked my SSO proxy to do just plain reverse-proxying (no authentication or redirection of any kind) on ^/nuxeo/atom/cmis.*. I also asked Nuxeo to stop using FORM_AUTH or PROXY_AUTH on such URLs, by adding a custom contribution. This part works well : curl -k "https://my.public.host/nuxeo/atom/cmis" answers with a bit of application/atomsvc+xml.

But clients still don't work, and I read what's in the "atomsvc+xml". And there I found numerous URLs starting with http://my.public.host/. There's clearly no way it's going to work without https, but how could I explain Nuxeo not to publish plain HTTP URLs?

1 ACCEPTED ANSWER

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator

‎03-15-2012 11:25 AM

The Nuxeo CMIS connector, based on OpenCMIS, doesn't take into account the Nuxeo-Virtual-Host header for URL generation.

There's an OpenCMIS ticket (CMIS-500) about properly taking into account the X-Forwarded-Host and X-Forwarded-Proto headers which the proxy should send, which will provide a fix for these headers in the next Nuxeo version.

You may also try to use standard Tomcat proxyName and proxyPort configuration parameters in server.xml, but I'm not sure if they will provide you correctly with https URLs. This has to be tried. See the Tomcat Proxy Support documentation for more. Please tell us if this works for you.

Finally something that I think will always work is the Tomcat RemoteIpValve that you can add to your server.xml, see this comment of CMIS-500 for details on how to use it for CMIS (use a Nuxeo-appropriate <Location> of course).

View answer in original post

11 REPLIES 11

Go to answer
OlivierM_
Star Contributor
Star Contributor

‎03-15-2012 07:33 AM

Just to skip the most obvious answers

0 Kudos

Go to answer
Benjamin_Jalon1
Elite Collaborator
Elite Collaborator

‎03-15-2012 08:24 AM

Please use answers for answers and comment for comment. This is important for the community.

0 Kudos

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator

‎03-15-2012 11:25 AM

The Nuxeo CMIS connector, based on OpenCMIS, doesn't take into account the Nuxeo-Virtual-Host header for URL generation.

There's an OpenCMIS ticket (CMIS-500) about properly taking into account the X-Forwarded-Host and X-Forwarded-Proto headers which the proxy should send, which will provide a fix for these headers in the next Nuxeo version.

You may also try to use standard Tomcat proxyName and proxyPort configuration parameters in server.xml, but I'm not sure if they will provide you correctly with https URLs. This has to be tried. See the Tomcat Proxy Support documentation for more. Please tell us if this works for you.

Finally something that I think will always work is the Tomcat RemoteIpValve that you can add to your server.xml, see this comment of CMIS-500 for details on how to use it for CMIS (use a Nuxeo-appropriate <Location> of course).

Go to answer
seanradford
Confirmed Champ
Confirmed Champ
In response to Florent_Guillau

‎04-13-2012 06:38 AM

It is a shame that CMIS-500 has been closed without any resolution. Think I might just apply the XForwardedHeaders patch for out set-up.

0 Kudos

Go to answer
ron_1
Star Contributor
Star Contributor
In response to Florent_Guillau

‎04-13-2012 11:34 AM

I believe the OpenCMIS 0.7.0 release includes the fix for CMIS-500, namely a new ProxyFilter that "can be used where the combination of the correct Apache reverse proxy config and Tomcat RemoteIpValve is not possible (no Apache reverse proxy, No Apache Tomcat)." It is not clear when Nuxeo will upgrade to this OpenCMIS release. Nevertheless, the next Nuxeo release is expected to be based on Tomcat 6.0.35 that includes RemoteIpValve. If you are using the Nuxeo Tomcat distribution, RemoteIpValve should be sufficient to solve this issue.

0 Kudos

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator
In response to Florent_Guillau

‎04-15-2012 09:49 PM

Nuxeo 5.6-SNAPSHOT will be upgraded to OpenCMIS 0.7.0 once it's released (which is soon).

0 Kudos

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator
In response to Florent_Guillau

‎04-15-2012 09:50 PM

And btw current Nuxeo 5.6-SNAPSHOT is already using Tomcat 6.0.35.

0 Kudos

Go to answer
ron_1
Star Contributor
Star Contributor
In response to Florent_Guillau

‎10-14-2012 12:48 AM

Would be great if the [Nuxeo reverse proxy documentation][1] was updated to describe the recommended Nuxeo CMIS reverse proxy configuration. This is especially true since this topic appears to be a popular one based on the number of views.

0 Kudos

Go to answer
OlivierM_
Star Contributor
Star Contributor

‎12-18-2012 12:03 PM

Ok. Long time no see. I just upgraded my Debian Squeeze test install to Nuxeo 5.6, which seems to come with openCmis 0.7.0 and Tomcat 6.0.35. Just as expected. Cool.

My frontend Apache HTTP uses mod_proxy to do its work, and sets headers as follows :

RequestHeader append X-Forwarded-Proto "https"

(the rest being done with a "ProxyPreserveHost" directive)

Then on my Nuxeo host, I set up a Tomcat Valve looking like this :

<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192\.168\.1\.33" protocolHeader="x-forwarded-proto" />

Until I comment this, Nuxeo refuses to start, without giving any clear error. If commented, it works, but then x-forwarded-proto isn't took into account (which sounds logical).

Could there be something to install before being able to use that valve? From what grep/strings gives me, there's mention of RemoteIpValve in catalina.jar, so...

0 Kudos
Getting started

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2024 Khoros, LLC