08-15-2014 12:59 AM
Hi,
We have our Nuxeo Tomcat servers configured in a standard way behind nginx to provide load balancing and HTTPS. They worked fine through each upgrade from 5.9.2 to the current 5.9.5. However, with the latest installation, requests that come through the load balancer result in the Nuxeo 404 page when you click on any link within the initial page. The initial page after login (view of the default domain) works correctly.
I have looked at the incoming request URLs on the Tomcat server side and they are identical. Nothing appears in the Nuxeo application logs. Circumventing the load balancer to log directly into the Nuxeo Tomcat server works correctly.
Any suggestions on how to proceed troubleshooting this will be welcome.
08-18-2014 01:48 PM
Hello, the problem comes from https://jira.nuxeo.com/browse/NXP-14885
It will be fixed in next fasttrack. When it will be fixed, there won't be anymore needed to add the nuxeo-virtual-host header, and everything will be based on the x-forwarded-* standard headers.
For the moment, please deactivate those headers when talking to Nuxeo.
Thank you for having pointed the problem.
08-15-2014 07:11 PM
My nginx configuration was passing X-Forwarded-Proto back to the Tomcat server. I removed this. The system now behaves correctly.
Of course, I would prefer to continue passing X-Forwarded-Proto.
As a guess I think it must have something to do with https://jira.nuxeo.com/browse/NXP-14885 but I don't know if it is a code bug, a documentation bug, or a user bug.
My nginx configuration is very simple.
upstream nuxeo {
server 10.10.10.37:8080;
}
map $cookie_jsessionid $sticky_backend {
default bad_gateway;
~[^\.]+\.nxworker1 10.10.10.37:8080;
}
server {
listen 443 ssl;
server_name nuxeo-lb.local;
ssl_certificate /etc/ssl/certs/<%= @ssl_cert_prefix %>.chained.crt;
ssl_certificate_key /etc/ssl/certs/<%= @ssl_cert_prefix %>.key;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; # remove this line and it works
proxy_set_header nuxeo-virtual-host "https://${server_name}/";
proxy_http_version 1.1;
client_max_body_size 0;
location = / {
rewrite ^(.*)$ /nuxeo$1 last;
}
location ^~ /nuxeo {
error_page 502 = @rrfallback;
proxy_pass http://$sticky_backend;
}
location @rrfallback {
proxy_pass http://nuxeo;
}
}
We also use the OpenID Google Connect plugin at https://github.com/nuxeo/nuxeo-platform-login/tree/release-5.9.5/nuxeo-platform-login-openid if this might make a difference.
08-18-2014 01:48 PM
Hello, the problem comes from https://jira.nuxeo.com/browse/NXP-14885
It will be fixed in next fasttrack. When it will be fixed, there won't be anymore needed to add the nuxeo-virtual-host header, and everything will be based on the x-forwarded-* standard headers.
For the moment, please deactivate those headers when talking to Nuxeo.
Thank you for having pointed the problem.
08-18-2014 03:46 PM
Please follow https
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.