Ask Questions and Find Answers
Important:
Ask is now read-only. You can review any existing questions and answers, but not add anything new.
But - don't panic! While ask is no more, we've replaced it with discuss - the new Liferay Discussion Forum! Read more here here or just visit the site here:
discuss.liferay.com
RE: How to use nginx reverse proxy with Liferay 7.0?
Mirto Silvio Busico, modified 7 Years ago.
Regular Member
Posts: 240
Join Date: 1/18/12
Recent Posts
Hi all,
I'm trying to use nginx as a reverse proxy in front of a liferay 7.0
The configuration below
In the instance the virtual host is set to "myserver.mydomain.it"
Anyone knows how to configure nginx reverse proxy?
I'm trying to use nginx as a reverse proxy in front of a liferay 7.0
The configuration below
server {
listen 443 ssl;
ssl_certificate /root/sslcerts/servizi.crt;
ssl_certificate_key /root/sslcerts/servizi.key;
access_log /var/log/nginx/myserver.access.log;
error_log /var/log/nginx/myserver.error.log;
root /var/www/reverse;
set $proxy_upstream_name "-";
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name "myserver" "myserver.mydomain.it";
location / {
set $proxy_upstream_name "myserver.mydomain.it";
proxy_pass http://10.220.90.86:8080;
}
}
In the instance the virtual host is set to "myserver.mydomain.it"
Anyone knows how to configure nginx reverse proxy?
Although targeting Apache httpd, I think you're facing the same concern from https://community.liferay.com/blogs/-/blogs/fronting-liferay-tomcat-with-apache-httpd-daemon-revisted.
Liferay normally builds URLs from the incoming connection request details; when you are proxying, the incoming URL will have the proxy IP, not the actual client IP.
By configuring to pass the incoming connection details and configuring Liferay to use the headers instead of the request itself, Liferay will construct the URLs correctly.
Liferay normally builds URLs from the incoming connection request details; when you are proxying, the incoming URL will have the proxy IP, not the actual client IP.
By configuring to pass the incoming connection details and configuring Liferay to use the headers instead of the request itself, Liferay will construct the URLs correctly.
What David says.
Personally, I prefer to proxy through AJP, rather than through HTTP, because this protocol covers all the issues transparently.
If you stay on HTTP: On Apache httpd, there's a directive named "ProxyPreserveHost" that needs to be included, and it will make Liferay (or tomcat) aware of the differing hostname that it should use to create a URL. I'll leave the translation to the nginx world to you.
Personally, I prefer to proxy through AJP, rather than through HTTP, because this protocol covers all the issues transparently.
If you stay on HTTP: On Apache httpd, there's a directive named "ProxyPreserveHost" that needs to be included, and it will make Liferay (or tomcat) aware of the differing hostname that it should use to create a URL. I'll leave the translation to the nginx world to you.
Mirto Silvio Busico, modified 7 Years ago.
Regular Member
Posts: 240
Join Date: 1/18/12
Recent Posts
Thanks a lot Olaf.
I'm using this Apache configuration
Please can you share the Nginx translation?
P.S.
I'm trying to integrate Neo4j in Liferay and I found that Neo4j needs a tcp stream proxy. Nginx support proxyng tcp strams but do not support ajp.
So seems that using Apache as proxy I can have liferay but not Neo4j and using Nginx I can have Neo4j but not Liferay.
Any solution that manages Liferay and Neo4j is good for me.
I'm using this Apache configuration
<virtualhost *:443>
ServerAdmin m.busico@ieee.org
ServerName myserver.mydomain.it
ErrorLog /var/log/apache2/error443.log
LogLevel warn
CustomLog /var/log/apache2/access443.log combined
DocumentRoot /var/www/myserver
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<filesmatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</filesmatch>
<directory usr lib cgi-bin>
SSLOptions +StdEnvVars
</directory>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ajp://icons:8009/
ProxyPassReverse / ajp://icons:8009/
</virtualhost> Please can you share the Nginx translation?
P.S.
I'm trying to integrate Neo4j in Liferay and I found that Neo4j needs a tcp stream proxy. Nginx support proxyng tcp strams but do not support ajp.
So seems that using Apache as proxy I can have liferay but not Neo4j and using Nginx I can have Neo4j but not Liferay.
Any solution that manages Liferay and Neo4j is good for me.
Mirto Silvio BusicoI didn't leave it out, so that you have something to figure out. Personally, I'm working on Apache httpd typically. I could have provided you with the httpd-config that you quoted. But I'm not that familiar with nginx to provide one sample out of the box.
Please can you share the Nginx translation?
To correct my statement: I'll leave the translation work to you or anyone else who speaks nginx fluently. Sorry...
Mirto Silvio Busico, modified 7 Years ago.
Regular Member
Posts: 240
Join Date: 1/18/12
Recent Posts
Thanks.
If I'll hava success, I'll share the result here.
If I'll hava success, I'll share the result here.
Somebody (or something) deleted my previous comment that I made on 2019-02-04 ; here it is again:
I have something like the following for dev/test purposes.
I have something like the following for dev/test purposes.
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name myserver.mydomain.it; | |
| return 301 https://$server_name$request_uri; | |
| } | |
| upstream liferay7-app-server { | |
| server localhost:8080 max_fails=3 fail_timeout=30s; | |
| } | |
| server { | |
| # Ensure that HTTP/2 is enabled for the server | |
| listen 443 ssl http2; | |
| listen [::]:443 ssl http2; | |
| server_name myserver.mydomain.it; | |
| ssl on; | |
| ssl_certificate ssl/star.domain.ca.chained.crt; | |
| ssl_certificate_key ssl/star.domain.ca.key; | |
| location / { | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_redirect http:// https://; | |
| proxy_pass http://liferay7-app-server; | |
| } | |
| } |
An example of a running configuration. Works for me, but your mileage may vary.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 100m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
upstream liferay_upstream {
server 127.0.0.1:8080 max_fails=3 fail_timeout=30s;
}
server {
listen 80;
listen [::]:80;
server_name [yourfqdn];
return 301 https://[yourfqdn]$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl;
server_name [yourfqdn];
root /opt/liferay;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
ssl on;
ssl_certificate /etc/nginx/ssl/mydomain.crt;
ssl_certificate_key /etc/nginx/ssl/isdms.key;
# Use only TLS
ssl_protocols TLSv1.1 TLSv1.2;
# Tell client which ciphers are available
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# Enable HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
# Optimize session cache
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 4h;
# Enable session tickets
ssl_session_tickets on;
# Remove version number on errors
server_tokens off;
location / {
proxy_pass http://liferay_upstream;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Real-Port $server_port;
proxy_set_header X-Real-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 180s;
proxy_connect_timeout 10s;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
add_header X-Cached-Status $upstream_cache_status;
gzip_comp_level 3;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
Mirto Silvio Busico, modified 7 Years ago.
Regular Member
Posts: 240
Join Date: 1/18/12
Recent Posts
Thanks to all; I'll try asap