Configuring Silverpeas behind an Apache or an Nginx reverse-proxy Miguel Moquillon Configuring Silverpeas behind an Apache or an Nginx reverse-proxy

A reverse-proxy is usually used to give a single one-point access to different services or applications. It is also used to handle TLS connections and then the required certificates.

The configuration of Silverpeas behind an Apache or an Nginx reverse-proxy is quite straightforward.
In this example we want to configure a reverse-proxy that is handling TLS and proxyfying a Silverpeas running in a Wildfly server on port 8000.

Defines the configuration of your site as following. The [...] means your own specific configuration for your site and that isn't covered by this document.

<VirtualHost site.domaine.tld:443> ServerName site.domaine.tld:443 [...] SSLEngine On SSLProxyEngine On SSLCertificateFile PATH_OF_YOUR_CRT SSLCertificateKeyFile PATH_OF_YOUR_CERTIFICATE_KEY SSLCertificateChainFile PATH_OF_YOUR_CERTIFICATE_CHAIN_PEM SSLVerifyClient None SSLCipherSuite !ADH:!DSS:!RC4:HIGH:+3DES SSLCompression Off SSLHonorCipherOrder On SSLProtocol all -SSLv2 -SSLv3 ProxyTimeout 300 ProxyVia Off ProxyRequests Off ProxyPreserveHost On # Silverpeas ProxyPass /weblib http://127.0.0.1:8000/weblib ProxyPassReverse /weblib http://127.0.0.1:8000/weblib ProxyPass /silverpeas http://127.0.0.1:8000/silverpeas ProxyPassReverse /silverpeas http://127.0.0.1:8000/silverpeas ProxyPass /website http://127.0.0.1:8000/website ProxyPassReverse /website http://127.0.0.1:8000/website ProxyPass /help_fr http://127.0.0.1:8000/help_fr ProxyPassReverse /help_fr http://127.0.0.1:8000/help_fr RewriteEngine On RewriteRule ^/$ /silverpeas [R,L] Header set Access-Control-Max-Age "1000" Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, X-STKN" # This parameter is important for Wildfly Header set X-Forwarded-Proto "https" [...] </VirtualHost>

Defines the configuration of your site as following. The [...] means your own specific configuration for your site and that isn't covered by this document.

[...] server { listen 443; server_name site.domaine.tld; [...] ssl on; ssl_certificate_key PATH_OF_YOUR_CERTIFICATE_KEY; ssl_certificate PATH_OF_YOUR_CERTIFICATE_CHAIN_PEM; ssl_stapling on; ssl_stapling_verify on; ssl_session_timeout 5m; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; ssl_prefer_server_ciphers on; client_max_body_size 2048M; location / { proxy_pass http://127.0.0.1:8000/; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; } rewrite ^/$ /silverpeas break; [...] }

Now, you just have to update one attribute of the HTTP listener of the Undertow Web server embedded in Wildfly. For doing, go to the JBOSS_HOME/bin directory and, run Wildfly in administration mode only, enable the proxy forwarding and then stop Wildfly:

$ ./standalone.sh -c standalone-full.xml --admin-only & [...] $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)" {"outcome" => "success"} $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket)" {"outcome" => "success"} $ ./jboss-cli.sh --connect -c "shutdown"

Now, you just have to create a configuration for a socket binding to handle TLS connections (here proxy-https) and then update the HTTP listener of the Undertow Web server embedded in Wildfly. For doing, go to the JBOSS_HOME/bin directory and, run Wildfly in administration mode only, create and use a socket binding for TLS connections, and enable the proxy forwarding, and then stop Wildfly:

$ ./standalone.sh -c standalone-full.xml --admin-only & [...] $ ./jboss-cli.sh --connect -c "/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)" {"outcome" => "success"} $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)" {"outcome" => "success"} $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)" {"outcome" => "success"} $ ./jboss-cli.sh --connect -c "shutdown"