XJetty documentation for https? ("failed to lock page" errors)

Hello,

Currently there is only public documentation on how to configure Tomcat for https, which is required even when using reverse proxies like nginx; otherwise errors (such as “failed to lock page”) will happen. For XJetty I cannot find such information.
With https configured in nginx with XJetty (15.9 .DEB package) of course the same issues occur.

Link for the Tomcat Configuration:
Tomcat Installation (XWiki.org)

Where is the corresponding file to make the same kind of configuration changes for the XJetty installations (.DEB package), and what exactly needs to be changed in it?

I would not recommend setting up the application server for direct HTTPS access. What we generally do is give an HTTP proxy like Apache HTTPD or NGINX the job of dealing with HTTPS (in which case there is usually nothing to do on the Jetty or Tomcat side). See Installation (XWiki.org).

Yeah, I have done that, but without changing anything in XJetty, many buttons, like editing of pages in XWiki, respond in http instead of https (if I understood the issue correctly).

As referenced in the tomcat documentation:

If you are using another server as a HTTPS proxy (such as Nginx, Apache httpd or HAProxy), follow the instructions below to avoid unexpected errors (such as “failed to lock page”).

Or explained here: Message “failed to lock the page” when tring to edit a page - Help / Discuss - XWiki Forum

  • If using HTTPS for accessing XWiki, several modifications have to be made to ensure proper functionality. Since urls are generated from relative path (/xwiki/bin/show/Space/Page), Tomcat has to know which protocol to use, otherwise JSON requests with redirect fails (attachment uploads, extension updating, etc.)

This is the exact problem and for tomcat some small things have to be configured (and after setting them the “failed to lock page” and similar errors are gone) so I guess the same is necessary for xjetty too - the question is where and how.

And the proxy is supposed to tell it that by forwarding the right information, as seen in Setting up Apache HTTPD (XWiki.org) (I don’t know NGINX very well so not sure if the example for it is fully accurate or not but the Apache one is what is used in production without any modification of Tomcat).

The nginx is set up accordingly like on the Xwiki tomcat9 configuration documentation for https with the headers:

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Scheme $scheme;

And as I understand it, because of exactly what you have said, the Tomcat https configuration documentation lists these necessary modifications so that Tomcat starts listening to the reverse proxy’s protocol headers by modifying the Tomcat Valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       ...
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       ...
</Valve>

As well as modification of the Tomcat Connector:

<Connector port="8080"
            ...
            secure="true"
            scheme="https"
            ...
</Connector>

Without this, the tomcat in the .DEB package runs into the issues of not knowing the protocol, when using for example nginx with https.
After doing the two referred modifications, https with nginx and tomcat9 works well.

But as xjetty behaves with the same issues just as tomcat9 without modifications, I estimate that xjetty needs similar modifications when enabling https on the reverse proxy?

Or is xjetty listening to other headers by default which would mean nginx needs to be configured differently when serving for xjetty?

Both myxwiki.org and xwiki.org use the Tomcat based Debian package and don’t set any of that; they only have the Apache setup I indicated.

But then why is exactly this behavior documented in XWiki's Tomcat https configuration documentation? It is exactly what I ran into with the XWiki 15.9 tomcat9 Debian package and am now running into with the XJetty Debian package of 15.9:

Configuring tomcat for https

Although allowing users to directly connect to tomcat is not recommended, for a variety of reasons it may be desirable to configure tomcat to serve pages over an https connection. Since urls are generated from relative path (/xwiki/bin/show/Space/Page), Tomcat has to know which protocol to use, otherwise JSON requests with redirect fails such as in attachment uploads, extension updating, etc.

If you are using another server as a HTTPS proxy (such as Nginx, Apache httpd or HAProxy), follow the instructions below to avoid unexpected errors (such as “failed to lock page”).

Anyways I have maybe found the solution for making jetty aware of the forward headers:
https://serverfault.com/questions/671152/https-to-http-reverse-proxy-on-jetty-9

Apparently Jetty has a function to enable forward header detection that needs to be enabled by uncommenting it in a default installation. I'll try whether the same can be done on the XJetty installation tomorrow.

I never needed that with Tomcat 9 and Apache (this documentation is pretty old, so maybe it was needed with Tomcat 7 for example).

One difference I notice when looking at my Apache configuration is that you did not mention Forwarded (which is actually the only standard in HTTP, the others are, from what I understand, more old stuff that used to be the most common headers used before the actual standard was introduced). In the Apache configuration example I linked it’s:

  ## Workaround for https://bz.apache.org/bugzilla/show_bug.cgi?id=58001 (ProxyPreserveHost does not includes Forwarded)
  RequestHeader set Forwarded "proto=https"
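
The posts above turn on how the backend learns the original scheme from the proxy. The following Python example is added here for illustration and is not code from XWiki, Jetty, Tomcat or any poster; it resolves the scheme from `Forwarded` or `X-Forwarded-Proto` only when the request comes from a trusted proxy, and shows how the relative path then expands. The proxy addresses, the host name `wiki.example.org` and all function names are constructed assumptions.

```python
import ipaddress

# Assumption (constructed): addresses from which the backend sees the proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]


def _from_trusted_proxy(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def _forwarded_proto(value):
    """proto= from the last element of a Forwarded header (RFC 7239).

    The last element is the one added by the proxy nearest to the backend.
    """
    last = value.split(",")[-1]
    for pair in last.split(";"):
        name, _, val = pair.partition("=")
        if name.strip().lower() == "proto":
            return val.strip().strip('"').lower()
    return None


def effective_scheme(peer_ip, headers, connector_scheme="http"):
    """Scheme the backend should use when it builds absolute URLs."""
    if not _from_trusted_proxy(peer_ip):
        # A direct client can send any header it likes; ignore them.
        return connector_scheme
    h = {k.lower(): v for k, v in headers.items()}
    proto = None
    if "forwarded" in h:
        proto = _forwarded_proto(h["forwarded"])
    if proto is None and "x-forwarded-proto" in h:
        proto = h["x-forwarded-proto"].split(",")[-1].strip().lower()
    return proto if proto in ("http", "https") else connector_scheme


def absolute_url(peer_ip, headers, path):
    """Expand a relative path the way a redirect or JSON response would."""
    host = {k.lower(): v for k, v in headers.items()}["host"]
    return f"{effective_scheme(peer_ip, headers)}://{host}{path}"


if __name__ == "__main__":
    page = "/xwiki/bin/show/Space/Page"
    plain = {"Host": "wiki.example.org"}                      # constructed
    proxied = dict(plain, **{"X-Forwarded-Proto": "https"})   # constructed
    print(absolute_url("127.0.0.1", plain, page))
    print(absolute_url("127.0.0.1", proxied, page))
```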

Thank you, probably the headers I use with nginx from the documentation are indeed old / deprecated, I will try the new header in nginx tomorrow!

Edit:
Interestingly, the nginx documentation for Java web applications is still referring to the X-Forwarded (non-standardized) way: Java servers like Jetty, GlassFish and Tomcat | NGINX

But there is documentation for the new standardized way you referred to: Using the Forwarded header | NGINX

I had no success setting nginx standard forwarded headers for XJetty.

Also now I tried using apache2 instead of nginx using your linked configuration as base:
Setting up Apache HTTP Server (XWiki.org)

The same issue occurs with SSL: “failed to lock page” when trying to edit a page.

OK. Would be great if you could create a BUG issue on Loading..., I will try to find some time to reproduce and debug what could be the problem (there is probably something missing in XJetty in general).

I created it (hopefully correctly, it's my first time using Jira):
[XWIKI-21601] XJetty “failed to lock page” when using https - XWiki.org JIRA

Same problem for me, do you have a working NGINX or Apache2 configuration?

Regards Eckhard

[XWIKI-21601] XJetty “failed to lock page” when using https - XWiki.org JIRA
It seems that it’s fixed with the next update.

Installed 15.10.2 on Debian 12 with NGinx and it works.
Thank You for this quick fix.

Regards Eckhard

Great, thanks for the confirmation @ecki !