cancel
Showing results for 
Search instead for 
Did you mean: 

Best practize to configure Alfresco behind a webproxy

nettania
Confirmed Champ
Confirmed Champ

Hi,

can someone give me some hints how to configure Alfresco behind a webproxy (Watchguard)?

  • The communication between alfresco tomcat and webproxy should be non encrypted to improve performance.
  • The communication between client and webproxy is secured by SSL.
  • On the webproxy I have enabled TLS/SSL offload, port 80 and port 443 are redirected to port 8080 on the tomcat which is not encrypted.

Trying to change the filename or the description, when I use SSL in my broweser results in the following error log:

2019-09-05 09:16:18,089 INFO  [org.springframework.extensions.webscripts.servlet.CSRFFilter] [http-nio-8080-exec-44] Possible CSRF attack noted when asserting referer header 'https://files.*/share/page/site/management/document-details?nodeRef=workspace://SpacesStore/03ee7d34-94d6-49d4-92c6-f15131398eea'. Request: POST /share/proxy/alfresco/slingshot/doclib/activity
2019-09-05 09:16:18,089 ERROR [org.alfresco.web.site] [http-nio-8080-exec-44] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://files.*share/page/site/management/document-details?nodeRef=workspace://SpacesStore/03ee7d34-94d6-49d4-92c6-f15131398eea'. Request: POST /share/proxy/alfresco/slingshot/doclib/activity, FAILED TEST: Assert referer POST /share/proxy/alfresco/slingshot/doclib/activity :: referer: 'https://

Performing the same operation if I do not use SSL in the browser succeeds. I understand the error message, but I do not know how to change the configuration that I do not need to use https on the tomcat if using ssl when connecting to the webproxy.

Thanks,

Florian

1 REPLY 1

heiko_robert
Star Collaborator
Star Collaborator

Hi Florian,

I don't have experience with Watchguard but there are some points which are more or less generic:

  • tomcat needs to know the hostname (proxyName), port (proxyPort) and protocol the end user called you could
    • pass protocol and host in header variables to be mapped on tomcat in tomcat you could use RemoteIpValve to automatically map IP, host and protocol
    • hard code protocol, host, port by defining multiple tomcat connectors setting scheme, proxyPort in the connector attributes
  • in alfresco-global.properties the value of share.host will be whitelisted in the Alfresco Share "CSRF Token Filter". Please read Cross-Site Request Forgery (CSRF) filters for Share | Alfresco Documentation to understand how to configure/change the behavior of that filter.