[xwiki-users] Reverse proxy problems
Hi,

I recently deployed XWiki Enterprise behind an Apache HTTP server acting as a reverse proxy. This was done in order to map the XWiki web interface into our intranet namespace and to perform SSL termination. To get this working, I had to resort to a few hacks and workarounds due to the fact that not all parts of XWiki Enterprise seem to be friendly towards reverse proxies. A workable solution was eventually achieved through config file changes and the addition of some Apache URL rewrite rules (e.g. redirect all requests for "http://foo.com/xwiki/bar" to "https://foo.com/xwiki/bar").

Today, I had to deploy another XWiki instance behind an Apache HTTP server, again for reasons of namespace consolidation and SSL termination. However, this time I do not have as much freedom as I had on the previous server and am finding myself stuck at this point. Examples of specific issues are that URLs of skin resources are served using the HTTP (i.e. insecure) protocol and some redirects are generated for the local address instead of the proxied address (e.g. login page from unauthorised and default post login redirect page).

I'm not looking for particular solutions to these issues as much as trying to establish how likely I am to get this right and whether I'm trying to fit a square peg into a round hole. Specific questions as follows:

1. Did anyone manage to successfully deploy XWiki behind an HTTP reverse proxy without resorting to hacks and workarounds ? If so, please share some information about the magic configuration. Does the problem, perhaps, lie with Apache's reverse proxy module or its interaction with XWiki ?
2. Is my expectation to have XWiki working behind an HTTP reverse proxy misplaced ? If not, and XWiki does intend to support this, are the issues I describe above well known or should I report them somewhere ? Also, what can I do to help and contribute to such an effort ?
3. Are these issues due to the platform or the layers above it (e.g. skins and apps) ? Does the platform provide a "right way" that the layers above it can use to generate URLs that would always work correctly through a reverse proxy ?

BTW, thanks for a great product!

Regards,
Gerhard

--
Gerhard Esterhuizen
Director
Yila Consulting (Pty) Ltd
PO Box 50461, Waterfront 8002, South Africa
Phone: +27 82 370 9737
Fax: 086 549 5635
[email protected]
align. architect. execute.
Gerhard Esterhuizen wrote:
Hi,
I recently deployed XWiki Enterprise behind an Apache HTTP server acting as a reverse proxy. This was done in order to map the XWiki web interface into our intranet namespace and to perform SSL termination. To get this working, I had to resort to a few hacks and workarounds due to the fact that not all parts of XWiki Enterprise seem to be friendly towards reverse proxies. A workable solution was eventually achieved through config file changes and the addition of some Apache URL rewrite rules (e.g. redirect all requests for "http://foo.com/xwiki/bar" to "https://foo.com/xwiki/bar").
Today, I had to deploy another XWiki instance behind an Apache HTTP server, again for reasons of namespace consolidation and SSL termination. However, this time I do not have as much freedom as I had on the previous server and am finding myself stuck at this point. Examples of specific issues are that URLs of skin resources are served using the HTTP (i.e. insecure) protocol and some redirects are generated for the local address instead of the proxied address (e.g. login page from unauthorised and default post login redirect page).
I'm not looking for particular solutions to these issues as much as trying to establish how likely I am to get this right and whether I'm trying to fit a square peg into a round hole. Specific questions as follows:
1. Did anyone manage to successfully deploy XWiki behind an HTTP reverse proxy without resorting to hacks and workarounds ? If so, please share some information about the magic configuration. Does the problem, perhaps, lie with Apache's reverse proxy module or its interaction with XWiki ?
2. Is my expectation to have XWiki working behind an HTTP reverse proxy misplaced ? If not, and XWiki does intend to support this, are the issues I describe above well known or should I report them somewhere ? Also, what can I do to help and contribute to such an effort ?
3. Are these issues due to the platform or the layers above it (e.g. skins and apps) ? Does the platform provide a "right way" that the layers above it can use to generate URLs that would always work correctly through a reverse proxy ?
BTW, thanks for a great product!
Regards,
Gerhard
Hi,

maybe you are interested in my recent posting on short urls. I've been struggling with the same issues and would like to see some more information on the wiki pages. That's what I ended up with: http://n2.nabble.com/Short-Urls-configuration-tt4869739.html#a4869739

The last 'VirtualHost' configuration is working for me - no problems so far.

best regards
Andreas
Hi Andreas,

On 15 April 2010 13:33, Andreas Hahn <[email protected]> wrote:
maybe you are interested in my recent posting on short urls. I've been struggling with the same issues and would like to see some more information on the wiki pages. That's what I ended up with: http://n2.nabble.com/Short-Urls-configuration-tt4869739.html#a4869739
The last 'VirtualHost' configuration is working for me - no problems so far.
Thanks for the response. When I read your configs, I realised that I omitted the ProxyPassReverse line (I only took the settings from my working mod_rewrite.conf and forgot to check my mod_proxy.conf as well).

I also experimented with some of the xwiki.cfg options, particularly with those mentioned at http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HAuthenti..., without much joy.

Regards,
Gerhard

--
Gerhard Esterhuizen
Director
Yila Consulting (Pty) Ltd
PO Box 50461, Waterfront 8002, South Africa
Phone: +27 82 370 9737
Fax: 086 549 5635
[email protected]
align. architect. execute.
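Added example, not part of the thread and not XWiki or Apache code: a client-side audit for the two symptoms reported above, redirects that name the backend address and skin resources referenced over plain http under the public host name. The backend address 127.0.0.1:8080, the paths and the sample responses are constructed assumptions; foo.com is the placeholder host used in the thread.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches URL-bearing attributes in HTML; enough for an audit, not a full parser.
URL_ATTR = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)

def audit_response(headers, body, public_base, backend_hosts):
    """Return (source, problem, url) tuples for URLs that bypass the proxy.

    headers: dict of response headers as the browser received them
    body: response body text ('' for redirects)
    public_base: the URL users type, e.g. https://foo.com/xwiki/
    backend_hosts: host[:port] values that must never reach a client
    """
    public = urlsplit(public_base)
    backend = {h.lower() for h in backend_hosts}
    candidates = []
    for name, value in headers.items():
        if name.lower() == "location":
            candidates.append(("redirect", value))
    candidates += [("resource", m.group(1)) for m in URL_ATTR.finditer(body)]

    findings = []
    for source, raw in candidates:
        url = urlsplit(urljoin(public_base, raw))  # resolve relative URLs
        if url.netloc.lower() in backend:
            # A redirect or link like this means the response was not rewritten.
            findings.append((source, "backend-address", raw))
        elif url.hostname == public.hostname and url.scheme != public.scheme:
            # Public host but wrong scheme: the app does not know about SSL termination.
            findings.append((source, "insecure-scheme", raw))
    return findings

# Constructed samples: public name from the thread, backend address assumed.
PUBLIC_BASE = "https://foo.com/xwiki/"
BACKEND_HOSTS = ["127.0.0.1:8080", "localhost:8080"]
SAMPLES = [
    ({"Location": "http://127.0.0.1:8080/xwiki/bin/login"}, ""),
    ({"Content-Type": "text/html"},
     '<link href="http://foo.com/xwiki/skins/style.css">'
     '<script src="/xwiki/resources/app.js"></script>'),
    ({"Location": "https://foo.com/xwiki/bin/view/Main/"}, ""),
]

def audit_samples():
    return [audit_response(h, b, PUBLIC_BASE, BACKEND_HOSTS) for h, b in SAMPLES]

if __name__ == "__main__":
    for findings in audit_samples():
        print(findings or "ok")
```
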
...

Or you can use http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Performances#HModProxyAJ... (see http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html )

example:

/etc/httpd/conf/httpd.conf :

    <IfModule mod_proxy.c>
    ProxyRequests Off
    ## NPM: see http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Performances#HModProxyAJ...
    ProxyPreserveHost On
    </IfModule>

/etc/httpd/conf.d/proxy_ajp.conf:

    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    # general redirect for Xwiki application
    ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/

-- Niels.
http://nielsmayer.com
participants (3): Andreas Hahn, Gerhard Esterhuizen, Niels Mayer