HTTPS reverse proxy now fails with HTTP 404 with upgrade to 5.9.5 -- is it my fault, or bug in latest release?

Hi,

We have our Nuxeo Tomcat servers configured in a standard way behind nginx to provide load balancing and HTTPS. They worked fine through each upgrade from 5.9.2 to the current 5.9.5. However, with the latest installation, requests that come through the load balancer result in the Nuxeo 404 page when you click on any link within the initial page. The initial page after login (view of the default domain) works correctly.

I have looked at the incoming request URLs on the Tomcat server side and they are identical. Nothing appears in the Nuxeo application logs. Circumventing the load balancer to log directly into the Nuxeo Tomcat server works correctly.

Any suggestions on how to proceed troubleshooting this will be welcome.

1 votes

2 answers

2453 views

ANSWER



Hello, the problem comes from https://jira.nuxeo.com/browse/NXP-14885

It will be fixed in next fasttrack. When it will be fixed, there won't be anymore needed to add the nuxeo-virtual-host header, and everything will be based on the x-forwarded-* standard headers.

For the moment, please deactivate those headers when talking to Nuxeo.

Thank you for having pointed the problem.

1 votes



Please follow https://jira.nuxeo.com/browse/NXP-14970 for the fix
08/18/2014


My nginx configuration was passing X-Forwarded-Proto back to the Tomcat server. I removed this. The system now behaves correctly.

Of course, I would prefer to continue passing X-Forwarded-Proto.

As a guess I think it must have something to do with https://jira.nuxeo.com/browse/NXP-14885 but I don't know if it is a code bug, a documentation bug, or a user bug.

My nginx configuration is very simple.

 upstream nuxeo {
   server 10.10.10.37:8080;
 }

 map $cookie_jsessionid $sticky_backend {
   default bad_gateway;
   ~[^\.]+\.nxworker1 10.10.10.37:8080;
 }

 server {
   listen 443 ssl;
   server_name nuxeo-lb.local;
   ssl_certificate /etc/ssl/certs/<%= @ssl_cert_prefix %>.chained.crt;
   ssl_certificate_key /etc/ssl/certs/<%= @ssl_cert_prefix %>.key;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme; # remove this line and it works
   proxy_set_header nuxeo-virtual-host "https://${server_name}/";
   proxy_http_version 1.1;
   client_max_body_size 0;

   location = / {
     rewrite ^(.*)$ /nuxeo$1 last;
   }

   location ^~ /nuxeo {
     error_page 502 = @rrfallback;
     proxy_pass http://$sticky_backend;
   }

   location @rrfallback {
     proxy_pass http://nuxeo;
   }
 }

We also use the OpenID Google Connect plugin at https://github.com/nuxeo/nuxeo-platform-login/tree/release-5.9.5/nuxeo-platform-login-openid if this might make a difference.

0 votes