I'm currently trying to connect CMIS Explorer (Android app) to Nuxeo DM 5.5. In my current setup, Nuxeo runs behind an SSO solution called LemonLDAP, acting as a reverse proxy. The SSO part works well - through mod_sso. The publicly accessible URL uses HTTPS. There's no service listening on plain HTTP.
In order to CMIS clients to connect, I asked my SSO proxy to do just plain reverse-proxying (no authentication or redirection of any kind) on ^/nuxeo/atom/cmis.*. I also asked Nuxeo to stop using FORM_AUTH or PROXY_AUTH on such URLs, by adding a custom contribution. This part works well : curl -k "https://my.public.host/nuxeo/atom/cmis" answers with a bit of application/atomsvc+xml.
But clients still don't work, and I read what's in the "atomsvc+xml". And there I found numerous URLs starting with http://my.public.host/... There's clearly no way it's going to work without https, but how could I explain Nuxeo not to publish plain HTTP URLs?
The Nuxeo CMIS connector, based on OpenCMIS, doesn't take into account the
There's an OpenCMIS ticket (CMIS-500) about properly taking into account the
You may also try to use standard Tomcat
Finally something that I think will always work is the Tomcat RemoteIpValve that you can add to your
Ok. Long time no see. I just upgraded my Debian Squeeze test install to Nuxeo 5.6, which seems to come with openCmis 0.7.0 and Tomcat 6.0.35. Just as expected. Cool.
My frontend Apache HTTP uses mod_proxy to do its work, and sets headers as follows :
(the rest being done with a "ProxyPreserveHost" directive)
Then on my Nuxeo host, I set up a Tomcat Valve looking like this :
Until I comment this, Nuxeo refuses to start, without giving any clear error. If commented, it works, but then x-forwarded-proto isn't took into account (which sounds logical).
Could there be something to install before being able to use that valve? From what grep/strings gives me, there's mention of RemoteIpValve in catalina.jar, so...