- Type: Service Pack Request
- Status: Closed
- Resolution: Not a bug
- Affects Version/s: 4.2.2
- Fix Version/s: None
- Component/s: Alfresco Explorer, Share Application
- Labels: None
- Environment: linux pg tomcat
- Bug Priority:
- ACT Numbers: 159559
Raising this one as a blocker: due to MNT-11394 we cannot control from the proxy the protocol used (via X-Forwarded-Proto or Front-End-Https), leaving us WITHOUT any solution when using a hardware proxy.
How to reproduce?
=================
1) create a SSL proxy
You can use a hardware SSL proxy or emulate one: the simplest proxy to configure is nginx:
a) create the server certificate and key
# Create the CA key and certificate for signing client certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj '/CN=Alex CA'
# Create the server key, CSR, and certificate
openssl genrsa -des3 -out server.key 1024
(or, without a passphrase: openssl genrsa -out server.key 1024)
openssl req -new -key server.key -out server.csr -subj '/CN=madona.example.foo'
# We're self-signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
b) you should end up with two files:
server.crt server.key
copy them into /etc/nginx/ssl
c) configure your nginx /etc/nginx/sites-enabled with:
server {
    listen 443;
    server_name madona.example.foo;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
2) install a plain vanilla 4.2.2 (linux pg tomcat) with:
alfresco.protocol=https
share.protocol=https
3) start alfresco
4) test it:
curl --insecure -v https://madona.example.foo/alfresco
and
curl --insecure -v https://madona.example.foo/share
Results:
=======
curl --insecure -v https://madona.example.foo/alfresco
< HTTP/1.1 302 Moved Temporarily
* Server nginx/1.4.7 is not blacklisted
< Server: nginx/1.4.7
< Date: Fri, 18 Jul 2014 14:11:56 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://madona.example.foo/alfresco/

curl --insecure -v https://madona.example.foo/share
< HTTP/1.1 302 Moved Temporarily
* Server nginx/1.4.7 is not blacklisted
< Server: nginx/1.4.7
< Date: Fri, 18 Jul 2014 14:13:08 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://madona.example.foo/share/

The scheme (protocol) is wrong: the redirect URL in the Location: HTTP header uses 'http'.
Expected result:
===============
The scheme (protocol) used in the Location is 'https' and not 'http', as per the documentation of alfresco.protocol and share.protocol:
http://docs.alfresco.com/4.2/concepts/sysadmin-subsystem-props.html
Note:
====
vti.server.external.protocol=https
vti.server.protocol=https
may be affected too.
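As an added check, not part of the ticket, the following Python parses 'curl -v' response headers like the ones in the Results section and flags any redirect whose Location drops from https to http; the sample output is constructed from the responses quoted above.

```python
"""Flag https -> http downgrades in redirects seen through a TLS-terminating proxy.

Added example, not code from the ticket or from Alfresco: it reads the
'< ' header lines that 'curl -v' prints and compares the scheme of the
request with the scheme of the Location header, which is the symptom
reported above.
"""
from urllib.parse import urlsplit

# Constructed from the first response quoted in the ticket's Results section.
CURL_OUTPUT = """\
< HTTP/1.1 302 Moved Temporarily
* Server nginx/1.4.7 is not blacklisted
< Server: nginx/1.4.7
< Date: Fri, 18 Jul 2014 14:11:56 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://madona.example.foo/alfresco/
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(curl_output):
    """Return (status_code, headers) from the '< ' lines of 'curl -v' output."""
    status, headers = None, {}
    for raw in curl_output.splitlines():
        if not raw.startswith("< "):
            continue  # skip '*' info lines and '>' request lines
        line = raw[2:].strip()
        if line.startswith("HTTP/"):
            status = int(line.split()[1])
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_downgrade(request_url, curl_output):
    """Return the offending Location if an https request is redirected to http, else None.

    A relative Location (no scheme) inherits the request scheme and is not a downgrade.
    """
    status, headers = parse_response(curl_output)
    location = headers.get("location")
    if status not in REDIRECT_CODES or location is None:
        return None
    if urlsplit(request_url).scheme.lower() == "https" and urlsplit(location).scheme.lower() == "http":
        return location
    return None
```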
is related to by:
- MNT-11990 vti sharepoint server does not respect If: HTTP headers as defined in rfc2518 (Closed)
- MNT-12611 CLONE - vti sharepoint server does not respect If: HTTP headers as defined in rfc2518 (Closed)
- MNT-12612 Hot fix request for EJ Group - vti sharepoint server does not respect If: HTTP headers as defined in rfc2518 (Closed)
relates to:
- MNT-11394 Support hardware SSL proxy - ability to set the scheme based on a header value (Closed)