[SOLVED] Axelor behind nginx as a reverse proxy

Hi,

Would anyone mind sharing the recipe for running nginx as a reverse proxy in front of Axelor?

What I’d like to do is:

  • run nginx with ssl on a server
  • run Axelor on another server (jetty on port 8080, no ssl)
  • have nginx act as a reverse proxy for Axelor

I have tried something like this:

server {
    listen 443;
    server_name www.mydomain.com;

    location /erp {
        proxy_pass http://192.168.0.25:8080/axelor;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
    }
}

But this does not work (ssl error)… Removing the proxy_set_header directives does not help.

If I forget the ssl part and simply listen on 80 and proxy_pass to jetty, it kinda works: I get to the login screen, but it won’t accept my user and password… (I’m stuck on the login screen)

So… if someone has hints on this, I’ll be thankful :slight_smile:

Regards,
Franck

To enable SSL you have to set up a server certificate. You can use Certbot (Let’s Encrypt) to create a free server certificate.

See https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-with-nginx-server-blocks-on-ubuntu-16-04.

Be careful, a reverse proxy could be dangerous in case of any misconfiguration. For example, you forgot proxy_redirect off. Look at https://www.redelijkheid.com/blog/2017/1/29/configure-nginx-as-a-secure-reverse-proxy

Ok, I found one error: I forgot the ssl directive in my server block, as in:

listen 443 ssl;

Now I have a consistent behaviour with or without https: my user/password is never recognized when using the reverse proxy…

Ok, I found the problem. Security in Axelor is done using Apache Shiro. Shiro will use cookies with a path, that might need to be rewritten when using a reverse proxy.

See https://stackoverflow.com/questions/26508492/shiro-spring-application-appending-jsessionid-to-each-url

So I added the following directive in nginx:

proxy_cookie_path /originalwarname /;

This worked.

Nice to know. This problem is not applicable if using Apache as a reverse proxy.

Yep. Not sure however that this has to do with Nginx vs Apache. I rather think that the fact that I change the URL when reverse proxying was the problem.
The url (location) used on the nginx side is not the same as the url (web context) used on the servlet (jetty9) side. I think this is why I have to change the security cookie to make the url match.

Anyway, this is now documented :slight_smile:

Thanks @femtonext for the feedback.
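
The cookie-path mismatch described in this thread, as an added example that is not part of the original posts: a small Python model of the browser's RFC 6265 path-match and of the prefix rewrite done by nginx's `proxy_cookie_path`. The `/axelor` cookie path (taken from the `proxy_pass` URL), the `JSESSIONID` value and the request paths are assumptions constructed for illustration.

```python
# Added illustration; header values and paths are constructed, not from the thread.

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, as a browser applies it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts when it ends on a "/" boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_path_of(set_cookie: str) -> str:
    """Return the Path attribute of a Set-Cookie header value."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path":
            return value
    return "/"  # simplification; browsers derive a default from the request URL


def rewrite_cookie_path(set_cookie: str, path: str, replacement: str) -> str:
    """Model nginx `proxy_cookie_path path replacement;` for a plain-string prefix."""
    parts = set_cookie.split(";")
    for i, attr in enumerate(parts[1:], start=1):
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path" and value.startswith(path):
            parts[i] = f" Path={replacement}{value[len(path):]}"
    return ";".join(parts)


def browser_sends(set_cookie: str, request_path: str) -> bool:
    """Would a browser attach this cookie to a request for request_path?"""
    return path_matches(request_path, cookie_path_of(set_cookie))


# Assumed: the backend issues its session cookie for its own context, /axelor.
BACKEND_COOKIE = "JSESSIONID=abc123; Path=/axelor; HttpOnly"
TO_ROOT = rewrite_cookie_path(BACKEND_COOKIE, "/axelor", "/")    # as in the thread
TO_ERP = rewrite_cookie_path(BACKEND_COOKIE, "/axelor", "/erp")  # narrower scope

if __name__ == "__main__":
    for label, cookie in [("no rewrite", BACKEND_COOKIE), ("-> /", TO_ROOT), ("-> /erp", TO_ERP)]:
        for url in ("/erp/login.jsp", "/otherapp/index.html"):
            print(f"{label:10} {url:22} cookie sent: {browser_sends(cookie, url)}")
```

Rewriting the path to `/erp` rather than `/` keeps the session cookie scoped to the proxied location, so it is not sent to other paths on the same host.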
