How to tell Alfresco clients to all use HTTPS? (share.port=??? & share.protocol=???)

michaelzietlow
Confirmed Champ

I am running Community7.0 behind a reverse proxy (HAPROXY) which redirects all HTTP(80) traffic to use HTTPS(443). NGINX's alfresco.conf has ssl_certificate specified so my connections to the outside world are secure. Since communication between NGINX and ALFRESCO on the box itself is all http://127.0.0.1:8080, all connected clients are instructed to use HTTP(80). This, of course, gets redirected to HTTPS(443) by HAPROXY so everything stays encrypted; however, all these necessary redirects are messy IMO.

QUESTION 1:
   My research leads me to a thread that instructs adding the following to my global properties file and I want to know if this will tell all clients to use HTTPS(443) when coming back into HAPROXY so it doesn't have to redirect everything?

alfresco.context=alfresco
alfresco.host=alfresco.YourDomainGoesHere.com
alfresco.port=443
alfresco.protocol=https

share.context=share
share.host=${alfresco.host}
share.port=${alfresco.port}
share.protocol=${alfresco.protocol}

QUESTION 2:
I recall my original Alfresco5.2 build using HTTPS on port :8443 for nginx to tomcat communication so the redirect issue I see now never came up. Is there an SSL Certificate installation guide for Community7.0 for encrypting traffic with HTTPS(8443)?

1 ACCEPTED ANSWER

michaelzietlow
Confirmed Champ

I was able to get this to happen by defining an SSL/TLS HTTP/1.1 Connector on port 8443 following the instructions here: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html#Configuration

/etc/opt/alfresco/tomcat/conf/server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/keystore/keystore.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Then change all the proxy_pass http://127.0.0.1:8080 lines to use https://127.0.0.1:8443 in nginx conf
/etc/nginx/conf.d/alfresco.conf:

...
location /share/ {
    proxy_pass https://localhost:8443;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass_header Set-Cookie;
    proxy_redirect http://$host https://$host;
}
...


Now I don't see all the constant 302 redirect messages in my logs.
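
The following is an added example, not part of the original post: a small audit of an nginx config for the change described above, flagging `location` blocks whose `proxy_pass` still points at plaintext `http://`, and `https://` upstreams where nginx's `proxy_ssl_verify` (off by default) is not enabled or `X-Forwarded-Proto` is not set. The function names, finding labels and sample config are constructed for illustration, and nested blocks are not handled.

```python
import re

# Constructed sample: one location moved to the TLS connector, one left on 8080.
SAMPLE_CONF = """
location /share/ { proxy_pass https://localhost:8443; proxy_set_header X-Forwarded-Proto https; }
location /alfresco/ {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $http_host;
}
"""

# Matches flat (non-nested) location blocks, single-line or multi-line.
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}")

def directives(body):
    """Split a location body into (name, args) pairs, ignoring comments."""
    body = re.sub(r"#[^\n]*", "", body)
    out = []
    for stmt in body.split(";"):
        parts = stmt.split(None, 1)
        if parts:
            out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out

def audit(conf_text):
    """Return (location, finding) tuples for each proxied location."""
    findings = []
    for path, body in LOCATION_RE.findall(conf_text):
        d = directives(body)
        upstream = next((a for n, a in d if n == "proxy_pass"), None)
        if upstream is None:
            continue
        if upstream.startswith("http://"):
            findings.append((path, "plaintext-upstream"))
            continue
        # nginx leaves proxy_ssl_verify off by default, so the upstream
        # certificate is not validated unless it is enabled explicitly.
        if ("proxy_ssl_verify", "on") not in d:
            findings.append((path, "upstream-cert-not-verified"))
        if not any(n == "proxy_set_header" and a.split()[:1] == ["X-Forwarded-Proto"]
                   for n, a in d):
            findings.append((path, "missing-x-forwarded-proto"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_CONF):
        print(f"{path}: {finding}")
```

To clear the `upstream-cert-not-verified` finding, nginx also needs `proxy_ssl_trusted_certificate` pointing at the CA (or the self-signed certificate) that the Tomcat keystore presents.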


2 REPLIES

EddieMay
World-Class Innovator

Hi @michaelzietlow 

Congratulations on figuring this out yourself & also thanks for updating your thread on how you did - super helpful!

Cheers,

Digital Community Manager, Alfresco Software.