Service Packs and Hot Fixes / MNT-11955

share.protocol and alfresco.protocol configuration parameters are not taken into account

    Details

    • Bug Priority:
      Category 2
    • ACT Numbers:

      159559

      Description

      Raising this one as a blocker because, due to MNT-11394,
      we cannot command from the proxy the protocol used (via X-Forwarded-Proto and
      Front-End-Https), leaving us WITHOUT any solution when using a hardware proxy.

      How to reproduce?
      =================
      1) create an SSL proxy
      You can use a hardware SSL proxy or emulate one: the simplest proxy to configure is nginx:

      a) create the server certificate and key

      # Create the CA Key and Certificate for signing Client Certs
      openssl genrsa -des3 -out ca.key 4096
      openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj '/CN=Alex CA'
      
      # Create the Server Key, CSR, and Certificate
      openssl genrsa -des3 -out server.key 1024
      # or, without a passphrase on the key:
      # openssl genrsa -out server.key 1024
      openssl req -new -key server.key -out server.csr -subj '/CN=madona.example.foo'
      
      # We're self signing our own server cert here.  This is a no-no in production.
      openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
      

      b) you should end up with two files

      server.crt
      server.key
      

      copy them into

      /etc/nginx/ssl
      

      c) configure your nginx /etc/nginx/sites-enabled with:

      server {
          listen 443;
          server_name madona.example.foo;
          ssl on;
          ssl_certificate /etc/nginx/ssl/server.crt;
          ssl_certificate_key /etc/nginx/ssl/server.key;
          location / {
              proxy_pass        http://localhost:8080;
              proxy_set_header  Host $host;
              proxy_set_header  X-Forwarded-Proto https;
          }
      }
      

      2) install a plain vanilla 4.2.2 (linux pg tomcat) with

      alfresco.protocol=https
      share.protocol=https
      

      3) start alfresco
      4) test it:

      curl --insecure -v https://madona.example.foo/alfresco
      

      and

      curl --insecure -v https://madona.example.foo/share
      

      Results:
      =======

      curl --insecure -v https://madona.example.foo/alfresco
      
      < HTTP/1.1 302 Moved Temporarily
      * Server nginx/1.4.7 is not blacklisted
      < Server: nginx/1.4.7
      < Date: Fri, 18 Jul 2014 14:11:56 GMT
      < Transfer-Encoding: chunked
      < Connection: keep-alive
      < Location: http://madona.example.foo/alfresco/
      
      curl --insecure -v https://madona.example.foo/share
      
      < HTTP/1.1 302 Moved Temporarily
      * Server nginx/1.4.7 is not blacklisted
      < Server: nginx/1.4.7
      < Date: Fri, 18 Jul 2014 14:13:08 GMT
      < Transfer-Encoding: chunked
      < Connection: keep-alive
      < Location: http://madona.example.foo/share/
      

      The scheme protocol is wrong: we see in the redirect URL (Location: HTTP header) the 'http' protocol.

      Expected result:
      ===============
      The scheme (protocol) used in the Location is 'https' and not 'http' as per the documentation:
      http://docs.alfresco.com/4.2/concepts/sysadmin-subsystem-props.html
      of

      alfresco.protocol
      share.protocol
      

      Note:
      ====

      vti.server.external.protocol=https
      vti.server.protocol=https
      

      may be affected too.
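
A check for the symptom reported above, as an added example that is not part of the original ticket: it reads `curl -v` output and reports when a request made over https is answered with a Location header on another scheme. The function names are hypothetical; the first sample is taken from the ticket's Results section and the second is constructed.

```shell
#!/bin/sh
# Added example (not from the ticket): flag redirects that drop from https to http.

# Response headers taken from the ticket's "Results" section (curl -v format).
sample_ticket_response() {
cat <<'EOF'
< HTTP/1.1 302 Moved Temporarily
< Server: nginx/1.4.7
< Location: http://madona.example.foo/alfresco/
EOF
}

# Constructed sample: the response the ticket expects once the scheme is honoured.
sample_expected_response() {
cat <<'EOF'
< HTTP/1.1 302 Moved Temporarily
< Location: https://madona.example.foo/alfresco/
EOF
}

# redirect_scheme_check REQUEST_URL   (reads `curl -v` output or raw headers on stdin)
# Prints a verdict; returns 0 = ok, 1 = scheme downgrade, 2 = no Location header.
redirect_scheme_check() {
    req_scheme=$(printf '%s' "${1%%://*}" | tr 'A-Z' 'a-z')
    # curl -v prefixes response headers with "< "; header names are case-insensitive.
    location=$(tr -d '\r' | sed -n 's/^< //; s/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//p' | head -n 1)
    if [ -z "$location" ]; then
        echo "no-redirect"; return 2
    fi
    # Absolute URL: take its scheme. Relative Location: it keeps the request scheme.
    loc_scheme=$(printf '%s' "$location" | sed -n 's,^\([A-Za-z][A-Za-z0-9+.-]*\)://.*,\1,p' | tr 'A-Z' 'a-z')
    loc_scheme=${loc_scheme:-$req_scheme}
    if [ "$req_scheme" = "https" ] && [ "$loc_scheme" != "https" ]; then
        echo "downgrade $location"; return 1
    fi
    echo "ok $location"; return 0
}

# Demo on the embedded samples. Against a live host, pipe in the output of:
#   curl --insecure -sv -o /dev/null https://madona.example.foo/alfresco 2>&1
sample_ticket_response   | redirect_scheme_check https://madona.example.foo/alfresco || true
sample_expected_response | redirect_scheme_check https://madona.example.foo/alfresco || true
```

A downgrade verdict means the client is sent back to plain HTTP after the TLS-terminating proxy, so the follow-up request and any cookies without the Secure flag leave the encrypted channel.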

      People

      • Assignee: Closed Issues
      • Reporter: Alex Madon [X] (Inactive)
      Time Tracking

      • Original Estimate: Not Specified
      • Remaining Estimate: 0 minutes
      • Time Spent: 1 day, 4 hours
