Nginx proxy for ssl issue

I am using docker compose for xwiki/10/mysql-tomcat. I would like to set up nginx to handle SSL, listening on port 443, then proxy pass to 8080, which is what xwiki is listening on.

By following https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/InstallationWAR/InstallationTomcat/#HNginxproxyingforTomcatapplications, I run into issues when trying to create a page using a template. Creating a page without a template is fine.

The error message in the browser console is:

Access to XMLHttpRequest at 'http://localhost/rest/jobstatus/refactoring/create/1545271795343-382?media=json' (redirected from 'https://localhost/bin/preview/Sandbox/3213211312/WebHome') from origin 'https://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

My Nginx config is:

server {
  listen 80;
  server_name localhost;
  return 301 https://$host$request_uri;
}
#Proxy https to 8080 port inside docker container
server {
  listen 443;

  ssl on;
  ssl_certificate /etc/nginx/ssl/abc.crt;
  ssl_certificate_key /etc/nginx/ssl/abc.key;
  ssl_trusted_certificate /etc/nginx/ssl/abc/TrustedRoot.crt;

  server_name localhost;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme $scheme;
    if (!-f $request_filename) {
      proxy_pass http://127.0.0.1:8080;
      break;
    }
  }

  location ~ /.well-known {
    allow all;
  }
}

I've already made the changes on server.xml and set xwiki.url.protocol=https on xwiki.cfg. Please help.

Hi,

I can't offer any solution, but this might be related to or even be the same issue as Page hangs on save (Save 0%...). However, save is successful

My nginx config (sites-enabled) was this:

upstream tomcat {
  server 127.0.0.1:8080 fail_timeout=0;
  keepalive 64;
}

#HTTP
server {
  listen 80; #if this is not a default server, remove "default_server"
  listen [::]:80 ipv6only=on;

  server_name wiki.XXX.de;

  #redirect non-SSL to SSL
  location / {
    rewrite     ^ https://wiki.XXX.de   permanent;
  }
}

#https server
server {
  listen 443 ssl http2; # we enable HTTP/2 here (previously SPDY)
  server_name wiki.XXX.de; # this domain must match Common Name (CN) in the SSL certificate

  #ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_certificate /etc/nginx/ssl/STAR_XXX_de.pem;
  ssl_certificate_key /etc/nginx/ssl/STAR_XXX_de.pem;

  # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
  # This works because IE 11 does not present itself as MSIE anymore
  if ($http_user_agent ~ "MSIE" ) {
    return 303 https://browser-update.org/update.html;
  }

  location / {
    try_files $uri /xwiki;
  }

  location /xwiki {
    client_max_body_size 20M;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;
    proxy_set_header Connection "keep-alive";
    proxy_store off;
    proxy_headers_hash_max_size 512;

    proxy_pass http://127.0.0.1:8080/xwiki;
  }
}

Thanks all. Will try it out and reply back!

Hi @MB-gam, have you tried creating a page with a template? Are you able to click save & view without error?

Hi @felher, yes, it certainly looks like the same issue. I'm trying to set up nginx in front of the docker container. Looks like the wiki.home is not being used somewhere in the xwiki source code. It still refers to the wrong URL.

Yepp, if it is only text it works.
If I take pictures with copy&paste in it I get an error message, but all is saved…

This issue seems similar to Page hangs on save (Save 0%...). However, save is successful - #25 by tmortagne (setup issue with the application server and not exactly XWiki itself).

How did you fix it? What configuration did you do?

No, I didn't find a way to fix it. We just tell the users to tolerate this…

I'm running a similar setup.
To fix multiple issues related to "serving unsecure content over HTTPS", "Blocked by CORS", etc.,
I had to modify server.xml. Documentation says it's going to be:

<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="127\.0\.[0-1]\.1"
    remoteIpHeader="x-forwarded-for"
    requestAttributesEnabled="true"
    protocolHeader="x-forwarded-proto"
    protocolHeaderHttpsValue="https"/>

but in case you use docker, the nginx proxy won't be 127.0.0.1, so I just removed the internalProxies line:

<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    requestAttributesEnabled="true"
    protocolHeader="x-forwarded-proto"
    protocolHeaderHttpsValue="https"/>

Thank you, @unadequate. It worked. Fixed the error 'Failed to lock the page'.

My xwiki configuration: Xwiki (on Tomcat9) behind Nginx reverse proxy with SSLs.
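
Added example (not from the thread, XWiki or Tomcat): a Python check of which connecting addresses each `internalProxies` choice discussed above accepts as a trusted proxy, showing why the documented pattern fails behind Docker and what removing the line trusts instead. The default regex is an assumption taken from the Tomcat 9 RemoteIpValve documentation; the peer addresses and the pinned pattern are constructed.

```python
import re

# Pattern from the documentation snippet quoted in the thread.
DOCUMENTED = r"127\.0\.[0-1]\.1"

# Assumption: the default RemoteIpValve applies when internalProxies is omitted,
# as given in the Tomcat 9 documentation. Verify it for your Tomcat version.
TOMCAT_DEFAULT = "|".join([
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}",
    r"192\.168\.\d{1,3}\.\d{1,3}",
    r"169\.254\.\d{1,3}\.\d{1,3}",
    r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}",
    r"172\.1[6-9]\.\d{1,3}\.\d{1,3}",
    r"172\.2[0-9]\.\d{1,3}\.\d{1,3}",
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}",
    r"0:0:0:0:0:0:0:1",
    r"::1",
])

# Hypothetical pinned pattern: loopback plus one constructed bridge gateway.
PINNED = r"127\.0\.0\.1|172\.18\.0\.1"

PATTERNS = {"documented": DOCUMENTED, "omitted": TOMCAT_DEFAULT, "pinned": PINNED}

# Constructed peer addresses, i.e. the source IP Tomcat sees on the connection.
SAMPLE_PEERS = [
    "127.0.0.1",    # proxy in the same network namespace as Tomcat
    "172.18.0.1",   # Docker bridge gateway (proxy running on the host)
    "172.18.0.5",   # another container on the same bridge
    "10.0.3.7",     # unrelated host on a private network
    "203.0.113.9",  # public address
]

def is_trusted_proxy(pattern, peer):
    # The valve tests the whole address (Java Matcher.matches()), so use fullmatch.
    return re.fullmatch(pattern, peer) is not None

def trusted_peers(peers=SAMPLE_PEERS, patterns=PATTERNS):
    """Map each internalProxies choice to the peers whose X-Forwarded-* headers it honours."""
    return {name: [p for p in peers if is_trusted_proxy(rx, p)]
            for name, rx in patterns.items()}

if __name__ == "__main__":
    for name, peers in trusted_peers().items():
        print(f"{name:<11} trusts: {', '.join(peers)}")
```

Replace the sample peers with the client address Tomcat's access log shows for proxied requests. Where other hosts on a private network can reach port 8080 directly, pinning `internalProxies` to that one address keeps them from supplying `x-forwarded-for` and `x-forwarded-proto` values that Tomcat would accept.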