CMIS behind a reverse-proxy?
I'm currently trying to connect CMIS Explorer (Android app) to Nuxeo DM 5.5. In my current setup, Nuxeo runs behind an SSO solution called LemonLDAP, acting as a reverse proxy. The SSO part works well - through mod_sso. The publicly accessible URL uses HTTPS. There's no service listening on plain HTTP.
In order to CMIS clients to connect, I asked my SSO proxy to do just plain reverse-proxying (no authentication or redirection of any kind) on ^/nuxeo/atom/cmis.*. I also asked Nuxeo to stop using FORM_AUTH or PROXY_AUTH on such URLs, by adding a custom contribution. This part works well : curl -k “https://my.public.host/nuxeo/atom/cmis” answers with a bit of application/atomsvc+xml.
But clients still don't work, and I read what's in the “atomsvc+xml”. And there I found numerous URLs starting with http://my.public.host/... There's clearly no way it's going to work without https, but how could I explain Nuxeo not to publish plain HTTP URLs?
The Nuxeo CMIS connector, based on OpenCMIS, doesn't take into account the Nuxeo-Virtual-Host
header for URL generation.
There's an OpenCMIS ticket (CMIS-500) about properly taking into account the X-Forwarded-Host
and X-Forwarded-Proto
headers which the proxy should send, which will provide a fix for these headers in the next Nuxeo version.
You may also try to use standard Tomcat proxyName
and proxyPort
configuration parameters in server.xml
, but I'm not sure if they will provide you correctly with https
URLs. This has to be tried. See the Tomcat Proxy Support documentation for more. Please tell us if this works for you.
Finally something that I think will always work is the Tomcat RemoteIpValve that you can add to your server.xml
, see this comment of CMIS-500 for details on how to use it for CMIS (use a Nuxeo-appropriate <Location>
of course).
Ok. Long time no see. I just upgraded my Debian Squeeze test install to Nuxeo 5.6, which seems to come with openCmis 0.7.0 and Tomcat 6.0.35. Just as expected. Cool.
My frontend Apache HTTP uses mod_proxy to do its work, and sets headers as follows :
RequestHeader append X-Forwarded-Proto "https"
(the rest being done with a “ProxyPreserveHost” directive)
Then on my Nuxeo host, I set up a Tomcat Valve looking like this :
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192\.168\.1\.33" protocolHeader="x-forwarded-proto" />
Until I comment this, Nuxeo refuses to start, without giving any clear error. If commented, it works, but then x-forwarded-proto isn't took into account (which sounds logical).
Could there be something to install before being able to use that valve? From what grep/strings gives me, there's mention of RemoteIpValve in catalina.jar, so…
For some reason, it finally worked without changing anything : Nuxeo accepted to start with the Valve directive, and the CMIS servlets answered with the right protocol.
Just for the sake of completeness, if anyone needs to set this up as well : my Valve directive was in /var/lib/nuxeo/server/templates/common-base/conf/server.xml.nxftl (or else it would be deleted upon regeneration), and right after
`<Engine name="Catalina" defaultHost="localhost"jvmRoute="${nuxeo.server.jvmRoute}">`
RequestHeader append nuxeo-virtual-host "https://my.public.host/"