As promised, here is our minimalistic running configuration with SSL and Realtime WYSIWYG working behind nginx. We are running XWiki 15.10 on Debian 11 with the tomcat9 .DEB package.
The default nginx configuration still applies and includes the tomcat9.conf file.
Content of file: /etc/nginx/conf.d/tomcat9.conf (replace the capslock stuff):
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        rewrite ^ https://YOURWIKISERVER.YOURDOMAIN.YORTLD$request_uri? permanent;
    }
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        gzip off;
        server_name YOURWIKISERVER.YOURDOMAIN.YORTLD;
        # Normally root should not be accessed, however, root should not serve files that might compromise the security of your server.
        root /var/www/html;
        # Configuration to avoid Request Entity too large error 413
        client_max_body_size 0;
        #ssl on;
        ssl_certificate YOUR-CERTIFICATE-FILE.crt;
        ssl_certificate_key YOUR-CERTIFICATE-KEY.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_ciphers DEFINE CHIPHERS HERE;
        location / {
            # All "root" requests will have /xwiki appended AND redirected to mydomain.com
            rewrite ^ $scheme://$server_name/xwiki$request_uri? permanent;
        }
        location ^~ /xwiki {
            # If path starts with /xwiki - then redirect to backend: XWiki application in Tomcat
            # Read more about proxy_pass: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $server_name;
            proxy_set_header X-Forwarded-Proto $scheme;
            # WebSocket support is required for Realtime WYSIWYG, also it's necessary to set home URL and URL protocol in the xwiki.cfg
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
The xwiki configuration file under /etc/xwiki/xwiki.cfg needs to be modified:

    xwiki.home=https://YOURWIKISERVER.YOURDOMAIN.YORTLD/
    xwiki.url.protocol=https
Please note that this is a quite minimal configuration, so you should take it with a grain of salt. My knowledge about nginx and xwiki is currently still quite limited. This configuration should help as a baseline.
If you have tips on how to improve / secure the configuration I would be very glad to hear them!
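
An added example, not part of the original post: a small check that the nginx proxy block and xwiki.cfg agree on the points the configuration above depends on (HTTPS home URL on the proxied host name, `xwiki.url.protocol=https`, HTTP/1.1 plus the `Upgrade`/`Connection` headers for WebSocket, and `X-Forwarded-Proto`). The host `wiki.example.org`, the function names and the sample files are assumptions constructed for illustration, and the parser only handles one directive per line, as in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample files; wiki.example.org is a placeholder host.
NGINX_CONF = """
server {
    server_name wiki.example.org;
    location ^~ /xwiki {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
"""
XWIKI_CFG = "xwiki.home=https://wiki.example.org/\nxwiki.url.protocol=https\n"

def directives(conf):
    """Return (name, args) for every ';'-terminated directive, comments removed."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return [(m[1], m[2].strip()) for m in re.finditer(r"(?m)^\s*([a-z_]+)\s+([^;{}]*);", conf)]

def properties(cfg):
    """Parse key=value lines of xwiki.cfg, skipping comment lines."""
    lines = (l for l in cfg.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def audit(nginx_conf, xwiki_cfg):
    """List mismatches between the proxy config and xwiki.cfg (empty list = consistent)."""
    d = directives(nginx_conf)
    names = {name for n, a in d if n == "server_name" for name in a.split()}
    headers = {a.split()[0].lower() for n, a in d if n == "proxy_set_header"}
    props = properties(xwiki_cfg)
    home = urlparse(props.get("xwiki.home", ""))
    problems = []
    if home.scheme != "https":
        problems.append("xwiki.home is not an https URL")
    if home.hostname not in names:
        problems.append("xwiki.home host is not an nginx server_name")
    if props.get("xwiki.url.protocol") != "https":
        problems.append("xwiki.url.protocol is not https")
    if ("proxy_http_version", "1.1") not in d:
        problems.append("proxy_http_version 1.1 missing")
    for h in ("upgrade", "connection", "x-forwarded-proto"):
        if h not in headers:
            problems.append(f"proxy_set_header {h} missing")
    return problems
```

To check real files, pass the contents of /etc/nginx/conf.d/tomcat9.conf and /etc/xwiki/xwiki.cfg to `audit()`; an empty list means the two files are consistent.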