Cmdbuild behind nginx reverse proxy

Hi there,

I’m having trouble getting cmdbuild behind a reverse nginx proxy to work. The proxy runs on another node, not locally.

Accessing the installation directly (http) is possible and works without any problems. Login and behavior are as I know them. Behind the proxy (http->https), however, the cmdbuild login window loads, but without the language selector. Typing in my user credentials and pressing enter results in absolutely nothing. No log file shows anything.

http://cmdbuild.local.install/cmdbuild (works)
https://my.nginx.node/cmdbuild (only shows the login window)

I tried fiddling with the org.apache.catalina.valves.RemoteIpValve Attributes, but the result was always exactly the same: the login window showed

I played around with the virtual hosts settings, again no result, and no change.

None of the articles I found online helped or did anything, and the advice here in the forum wasn’t successful either (entry “cmdbuild behind apache proxy”).

Since the logging is awfully silent, I don’t think that the nginx config is the problem. So I tried to bump up the internal logging. Unfortunately, I cannot change it because of a missing password.

# sh cmdbuild.sh restws getloggers
(...)
java.lang.IllegalArgumentException: invalid auth dir = /var/lib/tomcat9/webapps/cmdbuild/../../temp
(...)
Exception in thread "main" java.lang.NullPointerException: missing 'password' param for user = system
(...)

Now I’m a bit at a loss here.

  • Can someone tell me how I can bump up the logging to get more details on what’s going on?
  • And (ideally) also tell me where my mistake lies, or just where I could dig deeper?

In any case, many thanks and best regards

Max

A part of my server.xml


(…)

my.nginx.node

The relevant nginx part:
location /cmdbuild {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://172.18.1.18:8080;
}

My system:

  • Ubuntu 20.04
  • Tomcat9 (9.0.31-1ubuntu0.1)
  • cmdbuild 3.3.1
  • remote: nginx/1.10.3 (Ubuntu 16.04)

I was a bit tired yesterday; today I used the obvious browser tools and noticed the following issue, which leads to the page not being loaded completely.

Mixed Content: The page at 'https://my.nginx.node/cmdbuild/ui/#login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://my.nginx.node/cmdbuild/services/rest/v3/boot/status?_dc=1234567884637'. This request has been blocked; the content must be served over HTTPS.

With this information, I found an entry in the forums (Subject: “CMDBuild via https”), but the suggested solution uses apache, not nginx. And everywhere I look, the nginx config should look more or less exactly the same as mine.

I also checked the official nginx documentation on how to host a tomcat application behind an nginx reverse proxy with ssl. But it showed me basically the same setup I used.

I know that it should be possible, because I saw this setup working somewhere else in the past.
But at the moment I still don’t have a clue, and would appreciate any help.

Hello,
I recently encountered a similar issue in Apache 2.4. I had to:

  • Enable ProxyPreserveHost On (I’m not sure what the nginx equivalent would be) to ensure that the requested host name was being passed to Tomcat.
  • Set Header always set Content-Security-Policy "upgrade-insecure-requests" so a Content-Security-Policy header was sent instructing browsers to always request content with HTTPS.

I hope this helps!

Try to change in conf/server.xml

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"/>

to

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="my.nginx.node"
           proxyPort="443"
           scheme="https"/>
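
An added example, not from the thread or from CMDBuild: a small Python check of a Tomcat server.xml for the Connector attributes suggested above, plus Tomcat's `secure` Connector attribute and a RemoteIpValve `protocolHeader` as the per-request alternative. The XML skeleton around the Connector, the function name `audit_server_xml` and the finding texts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"

# Constructed samples: the two Connector variants from the thread, wrapped in
# a minimal server.xml skeleton (the wrapper elements are an assumption).
BEFORE = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Engine name="Catalina" defaultHost="localhost"><Host name="localhost"/></Engine>
</Service></Server>"""
AFTER = BEFORE.replace('redirectPort="8443"/>',
    'redirectPort="8443" proxyName="my.nginx.node" proxyPort="443" scheme="https"/>')


def audit_server_xml(xml_text, public_port="443"):
    """Return {connector port: [findings]} for Tomcat behind a TLS-terminating proxy."""
    root = ET.fromstring(xml_text)
    # A RemoteIpValve with protocolHeader derives the scheme per request from
    # that header, but only for requests arriving from its internalProxies.
    valve_sets_scheme = any(
        v.get("className") == REMOTE_IP_VALVE and v.get("protocolHeader")
        for v in root.iter("Valve"))
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled") == "true":
            continue  # Tomcat terminates TLS itself on this connector
        findings = []
        static_https = conn.get("scheme", "http") == "https"
        if not static_https and not valve_sets_scheme:
            findings.append("scheme: absolute URLs are generated as http://")
        if static_https:
            if not conn.get("proxyName"):
                findings.append("proxyName: server name is taken from the Host header")
            if conn.get("proxyPort") != public_port:
                findings.append("proxyPort: not set to the proxy's public port")
            if conn.get("secure") != "true":
                findings.append("secure: request.isSecure() stays false, so Tomcat "
                                "does not mark the session cookie Secure")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_server_xml(xml_text))
```
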