I do specify the hostname in the installer. I ran the installer twice. One
time I said no SSL with port 80 only. The second time I said SSL with port
80 and 443.
In the installer, you should specify the hostname and ports that are
used publicly by your clients.
I.e., if you are behind a load balancer, you would specify the hostname
or IP address of the load balancer.
Perhaps you didn't specify the hostname that nginx is using?
Because the export to CSV and publishers generate fully-qualified links
(URLs) to binary content inside their generated documents, they need to be
able to reconstruct the full public URL to the server. On Tomcat, these
long-lived actions run in a background Executor that doesn't have access to
a ServletContext and therefore cannot determine the server URL without a
static configuration value. Similarly, when changing passwords, the
JavaScript constructs the full public URL to the change-password servlet
(this was to support a cross-site call when the main access was using
http:// and the secure access was using https:// -- the installer doesn't
provide this option, though via manual configuration you can configure
that).
The questions during the installer gather this information.
I suspect the IP address or hostname is messed up.

On Wed, Aug 26, 2015 at 12:46 PM, mack...@gmail.com wrote:
Hi Mitch,
Thanks for your answer. Yes we generated the war file with your
installer and yes I answered no to the SSL certificate since I don't use
the cert in Tomcat but in nginx.
We just did what you suggested and unfortunately it doesn't work. We get
a warning:
"The webpage has a redirect loop"
Is there comprehensive documentation of the options in the installer
that I have missed? Would be really good to know what each answer means and
how it will behave.
Our interest is in how to run ODK behind a reverse nginx proxy and
therefore I wonder about the ports 80 and 443 since these are not the
actual ports that Tomcat runs on. We run Tomcat on 8080 and proxy 80 and
443 to that port.
Do we need to activate another connector in Tomcat to get port 8443
working and proxy 443 traffic there?
Thanks for any suggestion to solve this problem.
Armin

On Wednesday, August 26, 2015 at 2:03:22 PM UTC-4, Mitch Sundt wrote:
Did you use the ODK Aggregate installer to generate your WAR file?
It sounds like you did not select that you had an SSL certificate for
your server when you ran the installer, so the configuration is attempting
to use http: instead of SSL.
Re-run the installer specifying that you have an SSL cert, and that
you want to use port 80 and 443 and specify the hostname that users can use
to contact your server.
You should then be able to simply use that WAR file and not change
anything manually.

On Tue, Aug 25, 2015 at 12:38 PM, colind...@gmail.com wrote:
To follow up on this. We have made progress (I am working with Armin
on this).
We have changed the settings in the ODKAggregate-settings.jar, setting
security.server.port=80
security.server.securePort=443
This change has allowed us to successfully change passwords, but only
over http. That is, if logged in to Aggregate on https, changing a pw in
the Admin tab will prompt an alert:
JSON change-password request to
http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords failed.
Looking in the console, we can see:
Mixed Content: The page at '
https://epione.lmbutler.net/DisclosureR01/Aggregate.html' was loaded over
HTTPS, but requested an insecure script '
http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords?user…=colinm&digestAuthHash=6505d484f7124e905fb8bf8128e3324e&callback=callback0'.
This request has been blocked; the content must be served over HTTPS.
Running over http allows password changes just fine (which makes
sense, given the above).
Any thoughts on how to get password changes over HTTPS, or other
directions we might look?
Thanks

On Tuesday, August 25, 2015 at 2:26:21 PM UTC-4, mack...@gmail.com wrote:
Hello,
We are having trouble getting ODK to work nicely behind an nginx
proxy. The problem we see is that the user can call the ODK instance via
https, but when we try to change the password, the interaction fails since
the JSON call is directed via http to port 8080 (screenshot
https://www.dropbox.com/s/9pvugby2o89r27k/Screenshot%202015-08-25%2014.19.37.png?dl=0).
Tomcat runs on 8080 but the port is closed via a firewall.
So here is what we would like to achieve:
- nginx is the proxy and handles SSL encryption
- Tomcat and ODK know that they are behind a proxy and play nice.
How can I achieve this? I have tried the installer with and without
SSL, changing ports from 8080 to 80 (8443 to 443) but either I get too many
redirect warnings in the browser or the page loads but password resets go
to 8080 or 8443 and that doesn't work (ports blocked).
What is the correct answer in the installer to generate a war file
that plays well behind a proxy?
How do I change server.xml of Tomcat to support this correctly?
Here is my server.xml connector:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="300000"
               URIEncoding="UTF-8"
               maxPostSize="16777216"
               redirectPort="8443"
               scheme="https"
               proxyPort="443"
               />

nginx setting:

    location / {
        proxy_set_header X_Forwarded_Proto https;
        proxy_set_header X-Forwarded-For
        proxy_set_header Host $host;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_pass http://127.0.0.1:8080/;
        proxy_read_timeout 60;
    }

Any thoughts on what I could try to further troubleshoot? Right now
I am able to login via an HTTPS connection but when I attempt to change a
user password it fails since the request is an HTTP request on port 8080.
Armin
--
--
Post: opend...@googlegroups.com
Unsubscribe: opendatakit...@googlegroups.com
Options: http://groups.google.com/group/opendatakit?hl=en
You received this message because you are subscribed to the Google
Groups "ODK Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com
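
An added example, not part of the original thread or of ODK Aggregate: a small Python check run over the Tomcat connector and nginx location block as they were posted above. It flags settings that commonly matter when nginx terminates TLS in front of Tomcat; the rule set and the finding labels are assumptions of this example, and the thread does not confirm which of them caused the reported behaviour.

```python
import xml.etree.ElementTree as ET

# Both snippets are the configuration as posted in the thread.
CONNECTOR = """<Connector port="8080" protocol="HTTP/1.1"
  connectionTimeout="300000" URIEncoding="UTF-8" maxPostSize="16777216"
  redirectPort="8443" scheme="https" proxyPort="443" />"""
NGINX = """location / {
  proxy_set_header X_Forwarded_Proto https;
  proxy_set_header X-Forwarded-For
  proxy_set_header Host $host;
  proxy_set_header X-Url-Scheme $scheme;
  proxy_redirect off;
  proxy_max_temp_file_size 0;
  proxy_pass http://127.0.0.1:8080/;
  proxy_read_timeout 60;
}"""

def audit_connector(xml_text):
    """Check a Tomcat <Connector> that sits behind a TLS-terminating proxy."""
    c = ET.fromstring(xml_text).attrib
    findings = []
    if c.get("scheme") == "https" and c.get("secure") != "true":
        findings.append("secure-missing: scheme is https but request.isSecure() "
                        "stays false, so an HTTPS-only rule can redirect in a loop")
    if c.get("scheme") == "https" and "proxyPort" not in c:
        findings.append("proxyPort-missing: generated URLs use the connector port")
    if "proxyName" not in c:
        findings.append("proxyName-missing: public hostname depends on the "
                        "Host header forwarded by the proxy")
    return findings

def audit_nginx(conf_text):
    """Check proxy_set_header statements inside one location block."""
    body = conf_text[conf_text.index("{") + 1:conf_text.rindex("}")]
    findings = []
    for stmt in body.split(";"):          # nginx ends a directive at ';'
        words = stmt.split()
        if not words or words[0] != "proxy_set_header":
            continue
        if len(words) != 3:               # directive takes a name and a value
            findings.append("malformed: " + " ".join(words))
        elif "_" in words[1]:
            findings.append("underscore-name: " + words[1] + " is not the "
                            "conventional " + words[1].replace("_", "-"))
    return findings

if __name__ == "__main__":
    for line in audit_connector(CONNECTOR) + audit_nginx(NGINX):
        print(line)
```

Adding `secure="true"` and a `proxyName` holding the public hostname to the connector clears both connector findings. The unterminated `X-Forwarded-For` line is reported together with the `Host` line that follows it, because nginx reads a directive up to the next semicolon.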