Hi, I’ve an XWiki installed behind an nginx which acts as an https proxy (to an http connector).
I get an error when I try to modify a page: couldn’t lock the page, because this action uses an http request, while the server is https:
http://xwiki.r-mes.ovh/xwiki/bin/lock/Labo/Projet%20technique/temptest/WebHome?ajax=1&action=edit&language=fr
Except for this request in this case, the wiki works well with https. I can even work around this problem by using the WYSIWYG option of the modify button.
Would you have an idea of why xwiki would use http in some cases, and where it could take/build the http url from?
Any suggestion welcome.
Hi emenard!
If you have a connection from a frontend, then there are several places where things can go wrong and the backend server thinks the conversation is using http instead of https.
a) first you can check one setting in the XWiki UI in the “Wiki Index”; even if you have only one wiki, there should be an entry for it as “Main Wiki”. On the right columns in the table there is an “edit” action; if you click on that, you see some settings, one of them being “Secure (SSL):”. If this is not set to “yes”, then you can click on “edit” (like on any other wiki page) to change the setting.
b) it might also be that the servlet engine tries to guess the protocol and guesses wrong. As you are using nginx as https proxy and (likely) tomcat as servlet engine, there is a configuration tweak to the server.xml of tomcat documented here:
https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HHTTPS2FSSL
I hope this helps!
Hi ClemensRobbenhaar,
Thanks for answering, maybe I will find ideas in this guide. The SSL option in XWiki was already set, and regarding my nginx and server.xml configuration, I’m searching for the right combination (I’m not very familiar with these configs). I’ll tell if I get over it.
Hi back,
I tried the nginx config given in your link and adapted it a little, and it solved my problem.
Thank you very much!!!
My config in case it helps someone:
I just replaced my real server name with xwiki.domain.tld.
If someone reads this later, I suggest not forgetting the a) part in ClemensRobbenhaar’s answer, and first following his link as it contains more generic and complete information.
I have proxy_pass instructions as my XWiki is in the xwiki directory (not at /).
# nginx site config (in /etc/nginx/sites-available)
#################
server {
    if ($host = xwiki.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name xwiki.domain.tld;
    location ~ /.well-known {
        allow all;
    }
    rewrite ^ https://$server_name$request_uri? permanent;
    # may have to config logrotate on these files
    access_log /var/log/nginx-xwiki/access.log;
    error_log /var/log/nginx-xwiki/error.log;
}
server {
    listen 443;
    server_name xwiki.domain.tld;
    root /var/www/html;
    #!! to be reconsidered
    # client_max_body_size 0;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/xwiki.domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xwiki.domain.tld/privkey.pem; # managed by Certbot
    access_log /var/log/nginx-xwiki/access_ssl.log;
    error_log /var/log/nginx-xwiki/error_ssl.log;
    location / {
        proxy_pass http://localhost:8080/xwiki/;
    }
    location /xwiki {
        proxy_pass http://localhost:8080/xwiki/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # header name must match remoteIpHeader in the Tomcat RemoteIpValve
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # header name must match protocolHeader in the Tomcat RemoteIpValve
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Scheme $scheme;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://127.0.0.1:8080;
            break;
        }
    }
    location ~ /.well-known {
        allow all;
    }
}
########################################
# server.xml from /etc/tomcat8/
##################
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               secure="true"
    />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- this valve wasn't set -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.0\.[0-1]\.1"
             remoteIpHeader="x-forwarded-for"
             requestAttributesEnabled="true"
             protocolHeader="x-forwarded-proto"
             protocolHeaderHttpsValue="https"></Valve>
      <!-- until here -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
###############
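A consistency check between the two files above, added here as an example and not part of the original posts: it confirms that server.xml parses, that the RemoteIpValve is active rather than commented out, and that each header the valve reads is actually set by a proxy_set_header line in nginx. The function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical helper names; only the valve class and attribute names come from the page.
VALVE = "org.apache.catalina.valves.RemoteIpValve"

def nginx_headers(conf):
    """Lower-cased names of the headers nginx sets with proxy_set_header."""
    return {h.lower() for h in
            re.findall(r"^\s*proxy_set_header\s+(\S+)\s", conf, re.M)}

def check(nginx_conf, server_xml):
    """Return a list of findings; an empty list means the two files agree."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed: {exc}"]
    # ElementTree drops comments, so a commented-out Valve is not found here.
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    if not valves:
        return ["no active RemoteIpValve"]
    sent, findings = nginx_headers(nginx_conf), []
    for attr in ("remoteIpHeader", "protocolHeader"):
        header = valves[0].get(attr)
        if header is None:
            findings.append(f"{attr} not set explicitly")
        elif header.lower() not in sent:
            findings.append(f"{attr}={header} is not sent by nginx")
    return findings

# Constructed sample inputs, reduced to the lines that matter.
NGINX_TYPO = """
    proxy_set_header Host $http_host;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
"""
NGINX_OK = NGINX_TYPO.replace("X-Forward-For", "X-Forwarded-For")
VALVE_XML = ('<Valve className="%s" remoteIpHeader="x-forwarded-for" '
             'protocolHeader="x-forwarded-proto"/>' % VALVE)
XML_ACTIVE = "<Engine>%s</Engine>" % VALVE_XML
XML_COMMENTED = "<Engine><!-- %s --></Engine>" % VALVE_XML
XML_BROKEN = "<Engine><!-- added\n%s\n<!-- until here --></Engine>" % VALVE_XML

if __name__ == "__main__":
    for name, ng, sx in [("typo", NGINX_TYPO, XML_ACTIVE),
                         ("ok", NGINX_OK, XML_ACTIVE),
                         ("commented", NGINX_OK, XML_COMMENTED),
                         ("broken", NGINX_OK, XML_BROKEN)]:
        print(name, check(ng, sx))
```

When the header names disagree, the scheme can still be forwarded correctly while the client address Tomcat logs stays that of the proxy, so both attributes are worth checking together.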
Glad to hear that you were able to solve your problem, seemingly even in not much more time than one hour, and also good to get the feedback that the official documentation is readable enough to be useful!
One hour, that was at the very end, after your advice