CMDBuild Forum

Cmdbuild behind nginx reverse proxy

Hi there,

I’m having trouble getting cmdbuild behind a reverse nginx proxy to work. The proxy runs on another node, not locally.

Accessing the installation directly (http), is possible and works without any problems. Login and behavior is like I know it. Behind the proxy (http->https) however, the cmdbuild login window loads, but without the language selector. Typing in my user credentials and pressing enter results in absolutely nothing. No log file shows anything.

http://cmdbuild.local.install/cmdbuild (works)
https://my.nginx.node/cmdbuild (only shows the login window)

I tried fiddling with the org.apache.catalina.valves.RemoteIpValve Attributes, but the result was always exactly the same: the login window showed

I played around with the virtual hosts settings, again no result, and no change.

None of the articles I found online helped or did anything, and the advice here in the forum (entry “cmdbuild behind apache proxy”) wasn’t successful either.

Since the logging is awfully silent, I don’t think that the nginx config is the problem. So I tried to bump up the internal logging. Unfortunately, I cannot change it because of a missing password.

# sh cmdbuild.sh restws getloggers
(...)
java.lang.IllegalArgumentException: invalid auth dir = /var/lib/tomcat9/webapps/cmdbuild/../../temp
(...)
Exception in thread "main" java.lang.NullPointerException: missing 'password' param for user = system
(...)

Now I’m a bit at a loss here.

  • Can someone tell me how I can bump up the logging to get more details on what’s going on?
  • And (ideally) also tell me where my mistake lies, or just where I could dig deeper?

In any way, many thanks and best regards

Max

A part of my server.xml


(…)

my.nginx.node

The relevant nginx part:
location /cmdbuild {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://172.18.1.18:8080;
}

My system:

  • Ubuntu 20.04
  • Tomcat9 (9.0.31-1ubuntu0.1)
  • cmdbuild 3.3.1
  • remote: nginx/1.10.3 (Ubuntu 16.04)
1 Like

I was a bit tired yesterday; today I used the obvious browser tools and noticed the following issue, which leads to the page not being loaded completely.

Mixed Content: The page at 'https://my.nginx.node/cmdbuild/ui/#login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://my.nginx.node/cmdbuild/services/rest/v3/boot/status?_dc=1234567884637'. This request has been blocked; the content must be served over HTTPS.

With this information, I found an entry in the forums (Subject: “CMDBuild via https”), but the suggested solution is using apache, and not nginx. And everywhere I look, the nginx config should more or less look exactly the same as mine.

I also checked the official nginx documentation on how to host a tomcat application behind a nginx reverse proxy with ssl. But it showed me basically the same setup I used.

I know that it should be possible, because I saw this setup working somewhere else in the past.
But at the moment I still don’t have a clue, and would appreciate any help.

Hello,
I recently encountered a similar issue in Apache 2.4. I had to:

  • Enable ProxyPreserveHost On (I’m not sure what the nginx equivalent would be) to ensure that the requested host name was being passed to Tomcat.
  • Set Header always set Content-Security-Policy "upgrade-insecure-requests" so a Content-Security-Policy header was sent instructing browsers to always request content with HTTPS.

I hope this helps!
1 Like

Try to change in conf/server.xml

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"/>

to

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="my.nginx.node"
           proxyPort="443"
           scheme="https"/>
3 Likes

Thanks for the feedback! I changed my cmdb approach for the time being as I had to move on. So I cannot test the suggested change in server.xml at the moment. Will do, when I change back to the intended setup. Hope this can still be helpful to other people.

@rahimov It works for me. Thanks, Rahimov.

1 Like

Ensure that CMDBuild is configured to work with a reverse proxy. Look for configuration options related to proxy settings. CMDBuild might need to be aware that it’s behind a proxy, and you may need to adjust it.

THANKS ! It worked for me with NGINX !

For the ones who are using nginx :

#Inside your nginx `server {}` block add:
add_header Content-Security-Policy "upgrade-insecure-requests";

It worked for me thanks a lot !

Hi,
Please share the reverse proxy configuration steps. I have tried a lot and it’s not working.

Hi,

Did you check that Tomcat is configured properly to interpret these headers? Add the RemoteIpValve in your server.xml like this:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https"/>

Thanks
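The valve above only honours `x-forwarded-for` and `x-forwarded-proto` when the connecting peer matches its `internalProxies` pattern, which is also what keeps a direct client from spoofing them. The following added example (not part of the original thread, and not Tomcat's code) is a simplified Python model of that decision; the default pattern is an assumption modelled on the Tomcat 9 documentation, and all addresses are constructed.

```python
import re

# Assumption: modelled on the documented Tomcat 9 default for internalProxies
# (RFC 1918 ranges, link-local, loopback).
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)

# Constructed sample: what nginx would forward for a browser at 198.51.100.7.
SAMPLE_HEADERS = {"x-forwarded-for": "198.51.100.7",
                  "x-forwarded-proto": "https"}


def apply_valve(peer_ip, headers, internal=INTERNAL_PROXIES,
                https_value="https"):
    """Return what the web application sees (header names lower-cased)."""
    seen = {"remote_addr": peer_ip, "scheme": "http", "secure": False}
    # Forwarded headers are ignored unless the TCP peer is a known proxy.
    if not internal.fullmatch(peer_ip):
        return seen
    # Walk X-Forwarded-For right to left; the first hop that is not an
    # internal proxy is taken as the real client address.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not internal.fullmatch(hop):
            seen["remote_addr"] = hop
            break
    # protocolHeader decides scheme/secure only inside the trusted branch.
    proto = headers.get("x-forwarded-proto")
    if proto is not None:
        seen["secure"] = proto.lower() == https_value
        seen["scheme"] = "https" if seen["secure"] else "http"
    return seen


if __name__ == "__main__":
    # Proxy on a private address: headers are honoured.
    print(apply_valve("172.18.1.5", SAMPLE_HEADERS))
    # Proxy on an address outside the pattern: headers are ignored.
    print(apply_valve("203.0.113.10", SAMPLE_HEADERS))
    # Same proxy once it is listed explicitly (internalProxies attribute).
    print(apply_valve("203.0.113.10", SAMPLE_HEADERS,
                      internal=re.compile(r"203\.0\.113\.10")))
```

If the nginx node connects to Tomcat from an address outside that pattern, the valve's `internalProxies` attribute has to list it; until then the application keeps seeing `http`, the condition behind the mixed-content error quoted earlier in the thread.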

This is working fine; however, for my.nginx.node use the domain name of the URL of your proxy.