Hi,
I have some trouble with the XWiki in a Docker container behind an Apache2 reverse proxy.
The forwarding itself is working but the authentication for the XHR isn’t working correctly.
There is a documentation for Nginx prepared:
Question:
Is there any documentation for Apache as well? Especially how to set the Headers as mentioned in the comment:
“Set X-Forwarded-For and X-Forwarded-Proto headers on HTTPS guard server(on which Apache httpd or Nginx runs)!”
I’m not an expert in either Tomcat or Apache and feel a bit lost.
Setting up an Apache reverse proxy for XWiki is relatively straightforward, although you may wish to call a friend who knows how to configure Apache properly to make sure you have all the correct Apache modules enabled and your vhost configuration correct.
Thanks for the useful tips. I had already seen them before, and they solved at least the routing problem earlier on. https://opa-wetterwachs.de/xwiki/ → http://127.0.0.1:38080/xwiki
(it took me a while to recognize the docker-container option to add the /xwiki)
This error doesn’t occur when I call the site directly unsecured without reverse proxy
https://:38080/xwiki/
And now I don’t know how to proceed as I’m not the deepest expert in Tomcat and Apache.
Could be a CORS problem or a Header problem.
I have spent now several hours with different proposals to change the Tomcat server and web config files but no improvement.
The best would be a solution out of the box.
I’ve studied the Installation guide for XWiki but there is just an example for Nginx I cannot use unfortunately and therefore clean config would help me a lot.
But anyway, do you know what I can test just to find out where the problem can principally come from?
I’ve found the problem.
I was completely on the wrong track, as I had thought it was either a problem with the request headers or with CORS. I even played for a longer time with Tomcat and the different reverse proxy protocol options, as nothing runs out of the box and needs configuration.
But in the end it was mod_security that caused the problem, and I had to fix it with some SecRuleRemoveById rules. That means you are right, it is Apache that raises the error, but it is caused somewhere in Tomcat and should be considered by the XWiki team. I cannot imagine being the only one using mod_security.
I’m using a stock ubuntu distribution and libapache2-mod-security2 is not installed by default which is why I don’t have the problem.
mod_security is not part of the default apache installation, so it’s not surprising there is no documentation in the xwiki documentation about it. It’d be like asking the xwiki documentation to include rules on how to configure every firewall to make sure xwiki can communicate over the internet.
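Added example, not part of any post in this thread: before writing SecRuleRemoveById exclusions like the ones mentioned above, it helps to see which rule ids actually fired on XWiki URLs, so the exclusions can be limited to the wiki path instead of the whole server. The log lines below are constructed and abridged (rule ids, clients and URIs are invented), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abridged error-log lines in the ModSecurity 2.x format; rule ids,
# client addresses and URIs are invented for this example.
SAMPLE_LOG = '''\
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [msg "constructed rule A"] [uri "/xwiki/rest/wikis/xwiki/pages"]
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "100002"] [msg "constructed rule B"] [uri "/xwiki/bin/get/Main/WebHome"]
[client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [msg "constructed rule A"] [uri "/xwiki/bin/get/Main/WebHome"]
[client 198.51.100.4] ModSecurity: Access denied with code 403 (phase 2). [id "100003"] [msg "constructed rule C"] [uri "/phpmyadmin/index.php"]
[client 198.51.100.4] AH01630: client denied by server configuration: /var/www/html/secret
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')


def rules_hit(log_text, prefix="/xwiki/"):
    """Map rule id -> sorted URIs under `prefix` that the rule fired on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # other Apache errors are not WAF decisions
        rule, uri = ID_RE.search(line), URI_RE.search(line)
        if rule and uri and uri.group(1).startswith(prefix):
            hits[rule.group(1)].add(uri.group(1))
    return {rid: sorted(uris) for rid, uris in sorted(hits.items())}


def scoped_exclusions(hits, location="/xwiki/"):
    """Render SecRuleRemoveById lines limited to one <Location>, not the vhost."""
    lines = [f'<Location "{location}">']
    lines += [f"    SecRuleRemoveById {rid}" for rid in hits]
    lines.append("</Location>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = rules_hit(SAMPLE_LOG)
    for rid, uris in found.items():
        print(rid, uris)
    print(scoped_exclusions(found))
```

Rules that only fired on unrelated paths (the constructed `/phpmyadmin/` hit here) stay enabled, and each listed id should be reviewed before it is excluded.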
Hello,
I’ve been trying to get xwiki to work on a docker container for a week now.
I guess I have a redirection error with the URLs because I got a “404” error.
And I can’t find any documentation that could help me with this. If you have already set up an xwiki container with an Apache server, I need your help.
Container conf:

```
CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS          PORTS                                             NAMES
ea2c4b260451   xwiki:lts-postgres-tomcat   "docker-entrypoint.s…"   12 minutes ago   Up 12 minutes   8080/tcp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp   xwiki
634235624b2c   postgres:13                 "docker-entrypoint.s…"   5 days ago       Up 12 minutes   5432/tcp                                          xwiki-postgres
```
This is too late, but might be useful for others.
If you have already set up an xwiki container with an Apache server, i need your help.
This is the config I use.
```apache
<VirtualHost *:80>
    ServerAdmin contact@mydomain.com
    DocumentRoot "/path/to/apache/html/files"
    ServerName wiki.mydomain.com

    # Redirect the example.com to the www.example.com
    # See https://serverfault.com/questions/120488/redirect-url-within-apache-virtualhost#120507
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^mydomain\.com
    RewriteRule ^/(.*)$ http://www.mydomain.com/$1 [L,R=301,E=nocache:1]

    ## Set the response header if the "nocache" environment variable is set
    ## in the RewriteRule above.
    Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache
    ## Set Expires too ...
    Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache

    ErrorLog ${APACHE_LOG_DIR}/wiki_example_com-error.log
    CustomLog ${APACHE_LOG_DIR}/wiki_example_com-access.log combined

    # Defines the index files, in order of preference.
    DirectoryIndex index.php index.php3 index.html index.htm

    ErrorDocument 401 /errorpages/401_Authorization_Required.html
    ErrorDocument 403 /errorpages/403_Forbidden.html
    ErrorDocument 404 /errorpages/404_Not_Found.html

    # Disallow directory browsing
    Options -Indexes

    <IfModule mod_proxy.c>
        # Reverse proxy only; never act as a forward proxy.
        ProxyRequests Off
        <Proxy *>
            Require all granted
        </Proxy>

        # See : https://stackoverflow.com/a/65430414
        # This avoids relying on Regular Expressions.
        # ProxyPass can take "!" as a second parameter, in which case it doesn't proxy the matching URL.
        # This is for the Certbot process for SSL Certificates renewal.
        ProxyPass /.well-known !
        ProxyPass /htdocs_static !

        # This domain name is set in the /etc/hosts file of the server : myserver.mylocalnetwork1.lan
        ProxyPass /xwiki http://myserver.mylocalnetwork1.lan:8080/xwiki
        ProxyPassReverse /xwiki http://myserver.mylocalnetwork1.lan:8080/xwiki
    </IfModule>
</VirtualHost>
```
I use another VirtualHost for the www.mydomain.com domain (for static files, or Nextcloud, or PHP apps).
This config allows the XWiki pages, and also some static pages, to be served by Apache Httpd on the same domain (wiki.mydomain.com).
is not needed anymore.
See : Bug 61234 Summary: Add X-Forwarded-Proto to backend requests
but this needs to be checked and confirmed
In the documentation page, the config is for the SSL and HTTPS secured reverse proxy way.
With Tomcat.
My sample is for HTTP on port 80, for quick and easy configuration with some Apache Httpd server in front.
With Jetty.
Nice for quick and easy setup and testing something.
For dev (with Httpd server in place) or for some trials of miscellaneous configuration before going to Integration => Pre-prod => Prod.
This config is running OK with some SSL and HTTPS in the front (port 443 on Apache Httpd), and the reverse proxy running with simple HTTP on port 8080 to Jetty.
Though I never did intensive testing nor prod run like that.
I added the ability to serve some static pages.
To be able to set up and renew the SSL Certificates, and to serve a few static HTML or PHP pages alongside the wiki.
I think it would be useful to update the example config to already include realtime editing.
I’m currently evaluating whether we change from nginx to apache in the future, as seemingly everyone that uses SSO also uses apache - I can’t tell if it’s just coincidence or if it is more difficult to accomplish with nginx.
For realtime editing to work, the ProxyPass config line has to be expanded with " upgrade=websockets"
example: ProxyPass /xwiki http://localhost:8080/xwiki nocanon upgrade=websocket
At least this small modification was required for realtime to work in a small test, I don’t know if additional configuration is required. With nginx I had to add 4 lines of configuration for the same thing.
I’m not sure if there are downsides to always having this websockets upgrade parameter on (even when not using realtime editing), but in my opinion it is helpful for both newer admins and also the realtime project if it “just works”.
Indeed, good point. It’s not something that was experimented much on xwiki.org yet, and it’s not really my area of expertise so putting your suggestion as is for now.
Just found out that I made a mistake and wrote websockets by accident; the apache configuration example page had the wrongly written one included. It does not produce errors, but it’s also not working to upgrade websocket connections for realtime editing.
I already fixed the apache2 configuration example page. If anyone is running into the problem that realtime editing is not working over apache2, please check and make sure that the line is correctly written with upgrade=websocket (websocket without s!).
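Added example, not part of any post in this thread: because the misspelled parameter produces no error, a small check over the vhost file catches it before users notice that realtime editing is broken. The config fragment is constructed (host names, ports and paths are placeholders), and the function names are hypothetical.

```python
# Constructed vhost fragment modelled on the directives quoted in this thread;
# host names, ports and paths are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ProxyPass /.well-known !
    # ProxyPass /old http://localhost:8080/old upgrade=websockets
    ProxyPass /xwiki http://localhost:8080/xwiki nocanon upgrade=websockets
    ProxyPassReverse /xwiki http://localhost:8080/xwiki
    ProxyPass /wiki2 http://localhost:8081/xwiki nocanon upgrade=websocket
    ProxyPass /wiki3 http://localhost:8082/xwiki nocanon
</VirtualHost>
"""

EXPECTED = "websocket"  # the spelling the thread confirms works


def proxypass_lines(conf_text):
    """Yield (line_no, path, backend, params) for each active ProxyPass."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        # A commented-out line starts with "#", so its first token never matches.
        if len(tokens) < 3 or tokens[0].lower() != "proxypass":
            continue
        params = dict(t.split("=", 1) for t in tokens[3:] if "=" in t)
        yield no, tokens[1], tokens[2], params


def lint_upgrade(conf_text):
    """Return (line_no, path, problem) where upgrade= is missing or differs
    from the form the thread confirms; other values need manual review."""
    findings = []
    for no, path, backend, params in proxypass_lines(conf_text):
        if backend == "!":
            continue  # "!" excludes the path from proxying
        value = params.get("upgrade")
        if value is None:
            findings.append((no, path, "no upgrade= parameter"))
        elif value.lower() != EXPECTED:
            findings.append((no, path, f"upgrade={value} (expected upgrade={EXPECTED})"))
    return findings


if __name__ == "__main__":
    for finding in lint_upgrade(SAMPLE_CONF):
        print("line %d, %s: %s" % finding)
```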