HTTPS reverse proxy now fails with HTTP 404 with upgrade to 5.9.5 -- is it my fault, or bug in latest release?

Hi,

We have our Nuxeo Tomcat servers configured in a standard way behind nginx to provide load balancing and HTTPS. They worked fine through each upgrade from 5.9.2 to the current 5.9.5. However, with the latest installation, requests that come through the load balancer result in the Nuxeo 404 page when you click on any link within the initial page. The initial page after login (view of the default domain) works correctly.

I have looked at the incoming request URLs on the Tomcat server side and they are identical. Nothing appears in the Nuxeo application logs. Circumventing the load balancer to log directly into the Nuxeo Tomcat server works correctly.

Any suggestions on how to proceed troubleshooting this will be welcome.

1 votes

2 answers

4944 views

ANSWER



Hello, the problem comes from https://jira.nuxeo.com/browse/NXP-14885

It will be fixed in the next fasttrack. Once it is fixed, there will no longer be any need to add the nuxeo-virtual-host header, and everything will be based on the standard x-forwarded-* headers.

For the moment, please deactivate those headers when talking to Nuxeo.

Thank you for pointing out the problem.

1 votes



Please follow https://jira.nuxeo.com/browse/NXP-14970 for the fix
08/18/2014


My nginx configuration was passing X-Forwarded-Proto back to the Tomcat server. I removed this. The system now behaves correctly.

Of course, I would prefer to continue passing X-Forwarded-Proto.

As a guess I think it must have something to do with https://jira.nuxeo.com/browse/NXP-14885 but I don't know if it is a code bug, a documentation bug, or a user bug.

My nginx configuration is very simple.

 upstream nuxeo {
   server 10.10.10.37:8080;
 }

 map $cookie_jsessionid $sticky_backend {
   default bad_gateway;
   ~[^\.]+\.nxworker1 10.10.10.37:8080;
 }

 server {
   listen 443 ssl;
   server_name nuxeo-lb.local;
   ssl_certificate /etc/ssl/certs/<%= @ssl_cert_prefix %>.chained.crt;
   ssl_certificate_key /etc/ssl/certs/<%= @ssl_cert_prefix %>.key;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme; # remove this line and it works
   proxy_set_header nuxeo-virtual-host "https://${server_name}/";
   proxy_http_version 1.1;
   client_max_body_size 0;

   location = / {
     rewrite ^(.*)$ /nuxeo$1 last;
   }

   location ^~ /nuxeo {
     error_page 502 = @rrfallback;
     proxy_pass http://$sticky_backend;
   }

   location @rrfallback {
     proxy_pass http://nuxeo;
   }
 }

We also use the OpenID Google Connect plugin at https://github.com/nuxeo/nuxeo-platform-login/tree/release-5.9.5/nuxeo-platform-login-openid if this might make a difference.

0 votes
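An added example, not code from Nuxeo or from the posters above: one way a backend can rebuild the client-facing base URL from X-Forwarded-* headers alone, honouring them only when the connection comes from the load balancer, so that a client reaching Tomcat directly cannot spoof the scheme or host. The function names, the `TRUSTED_PROXIES` range and the presence of an `X-Forwarded-Host` header (which the nginx configuration above does not set) are assumptions.

```python
import ipaddress
import re

# Assumption: network the nginx load balancer connects from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.0/24")]
DEFAULT_PORTS = {"http": "80", "https": "443"}
# Accept only plain host[:port] values so a header cannot smuggle a path or markup.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def last_value(headers, name):
    """Return the last comma-separated value: the one set by the nearest proxy."""
    return headers.get(name, "").split(",")[-1].strip()


def external_base_url(peer_ip, headers, local_scheme, local_host, context="/nuxeo/"):
    """Base URL to use in generated links and redirects.

    peer_ip is the TCP peer of the backend connection; local_scheme and
    local_host describe how the backend itself was reached.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    scheme, host = local_scheme, local_host
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        # Forwarded headers are honoured only on connections from the proxy.
        proto = last_value(headers, "x-forwarded-proto").lower()
        if proto in DEFAULT_PORTS:
            scheme = proto
        fwd_host = last_value(headers, "x-forwarded-host")
        if HOST_RE.match(fwd_host):
            host = fwd_host
    # Drop a port that is the default for the scheme (https + :443, http + :80).
    name, sep, port = host.rpartition(":")
    if sep and port == DEFAULT_PORTS.get(scheme):
        host = name
    return f"{scheme}://{host}{context}"


if __name__ == "__main__":
    # Constructed request as the load balancer would forward it.
    hdrs = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "nuxeo-lb.local"}
    print(external_base_url("10.10.10.5", hdrs, "http", "10.10.10.37:8080"))
    # The same headers sent by a client that bypasses the proxy are ignored.
    print(external_base_url("203.0.113.9", hdrs, "http", "10.10.10.37:8080"))
```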