Nginx Reverse Proxy with Kerberos SSO

neilecker
Active Member II

Nginx Reverse Proxy with Kerberos SSO

Has anyone successfully implemented nginx as a reverse proxy for Alfresco with SSO enabled? The simplified configuration below does work except for the SSO part, so maybe I'm missing some header? Attempting to access /share results in an authentication challenge when it should pass the Kerberos ticket automatically.

The strange part is, if I have Fiddler open (which is a proxy itself) to have a look at the traffic, SSO does work.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name devdocs.myserver.ca;

    ssl on;
    include snippets/myserver-ssl.conf;
    include snippets/myserver-ssl-params-tls1.conf;

    client_max_body_size 100M;

    access_log /var/log/nginx/devdocs.myserver.ca.access.log;
    error_log /var/log/nginx/devdocs.myserver.ca.error.log;

    location / {
        proxy_http_version 1.1;
        proxy_pass_request_headers on;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_pass http://10.10.100.220:8080/;
    }
}

I can use Apache (and I have an instance that is configured correctly for SSO to work) but we were hoping to standardize on nginx for our SSL offloading and proxying needs.

Thanks,

Neil

1 Solution

Accepted Solutions
neilecker
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

For anyone who reads this, it turns out the above configuration was fine. What had changed was in our DNS. I had switched from an "A record", which pointed the URL of our Alfresco instance directly at the IP address of the proxy server, to a CNAME, which pointed at the name of the proxy server. After this, Kerberos did not function with either nginx or Apache. So this somehow matters when passing Kerberos authentication, though I'm not certain why; something to do with how the headers are passed that I don't understand, I'm sure.

In the end, I switched back to an "A record" and Kerberos SSO works as expected.
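
A common reason a CNAME breaks Kerberos SSO is that clients such as Chromium (by default) build the service principal name from the canonical DNS name rather than from the name in the URL. The sketch below is an added example, not part of the original post; it models that lookup over constructed DNS records (proxy01.myserver.ca and 192.0.2.10 are hypothetical) and checks the resulting SPN against the registered one.

```python
# Added example, not from the original thread. All DNS records are constructed
# sample data; proxy01.myserver.ca and 192.0.2.10 are hypothetical values.

ZONE_A = {"devdocs.myserver.ca": ("A", "192.0.2.10")}
ZONE_CNAME = {
    "devdocs.myserver.ca": ("CNAME", "proxy01.myserver.ca"),
    "proxy01.myserver.ca": ("A", "192.0.2.10"),
}

def canonical_name(zone, host, max_hops=8):
    """Follow CNAME records until a name with an address record is reached."""
    name = host.rstrip(".").lower()
    for _ in range(max_hops):
        if name not in zone:
            raise LookupError(f"no record for {name}")
        rtype, value = zone[name]
        if rtype != "CNAME":
            return name
        name = value.rstrip(".").lower()
    raise ValueError(f"CNAME chain from {host} is too long or loops")

def requested_spn(zone, url_host, cname_lookup=True):
    """SPN the client asks the KDC for; with CNAME lookup it uses the canonical name."""
    host = canonical_name(zone, url_host) if cname_lookup else url_host.rstrip(".").lower()
    return f"HTTP/{host}"

def check_sso(zone, url_host, registered_spns, cname_lookup=True):
    """Return (spn, ok); ok is False when the requested SPN is not registered."""
    spn = requested_spn(zone, url_host, cname_lookup)
    known = {s.lower() for s in registered_spns}
    return spn, spn.lower() in known

if __name__ == "__main__":
    registered = ["HTTP/devdocs.myserver.ca"]  # constructed: SPN on the service account
    for label, zone in (("A record", ZONE_A), ("CNAME", ZONE_CNAME)):
        spn, ok = check_sso(zone, "devdocs.myserver.ca", registered)
        print(f"{label:9} -> {spn:28} {'SPN registered' if ok else 'SPN not registered, no ticket'}")
```

With the CNAME in place, SSO keeps working only if the canonical-name SPN is also registered for the service account and present in the keytab, or if the client's CNAME lookup is turned off.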

7 Replies
fedorow
Senior Member II

Re: Nginx Reverse Proxy with Kerberos SSO

I can't get Kerberos SSO to work behind an nginx proxy. Can you tell me the differences in configuration compared to the documented method from docs.alfresco.com?

neilecker
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Hi Serge,

I'm not sure which documented method you mean; the examples provided on docs.alfresco.com seem to be only for Apache. What I showed earlier was the complete configuration used for nginx (with some names and paths changed).

fedorow
Senior Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Neil, thanks! I got SSO working two days ago. It took some dancing with a tambourine, but it works now. Your configuration helped me check my conf file. Thanks!

jbrasil
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Hi neilecker,
The Alfresco Content Services mobile app does not communicate with sites that use the SSL protocol.
I installed Let's Encrypt on a website.
Sites with HTTP connect normally.
When trying to connect through the application, the following error message occurs:

Save Account
Couldn't save account. Check your account settings with your IT Team
Retry with diagnostic
Done

Clicking on Retry with diagnostic goes through the steps, with the exception of Checking repository connection.

Any configuration to be done?
Thank you.
José Roberto.

fedorow
Senior Member II

Re: Nginx Reverse Proxy with Kerberos SSO

The mobile app works through CMIS. Check alfresco.global.properties for the CMIS configuration:

opencmis.context.override=false
opencmis.context.value=
opencmis.servletpath.override=false
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=https://<external-proxy-host-name>

Use https://<external-proxy-host-name>/alfresco in the account configuration of the mobile app.

jbrasil
Active Member II

Re: Nginx Reverse Proxy with Kerberos SSO

Ok fedorow
It worked.
Thank you very much.