On Wednesday, May 15, 2013 1:52:11 PM UTC-4, jason.p....@gmail.com wrote:

Hi there. I am totally new to ODK Aggregate, but have followed the
project over the years, and am finally glad to have a chance to work with
it. My first task however was to setup an ODK Aggregate server using an
SSL-enabled reverse proxy. The current documentation descries a situation
where there is not a reverse proxy (such as Nginx or Apache) in front of
the Tomcat server for ODK Aggregate. The documented approach uses ipchains
to forward the traffic to the correct ports on Tomcat, but getting SSL
enabled in Tomcat can be a bit of a hassle, especially if you already have
a webserver with SSL enabled. I thought I would share my experience with
the group for future benefit, as I could not find this documentation
readily available anywhere.

This a real bare-bones install, and any comments would be most welcome.

This will describe an installation using Tomcat and Nginx as the
SSL-enabled reverse proxy. There will be no encryption between the reverse
proxy and Tomcat. All values in {} should be replaced with your actual
values

First, install Tomcat as per normal, but you need to alter the
server.xml file as follows.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           scheme="https"
           proxyName=" {odk.foo.com}"
            proxyPort="443"
     />

Next, setup Nginx with the following server block, adjusting to suit
your needs.

server {
listen 443;
ssl on;
server_name {odk.foo.com};

ssl_certificate {/etc/ssl/my.crt};
ssl_certificate_key {/etc/ssl/my.key};
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {
proxy_set_header X_Forwarded_Proto https;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;
proxy_pass http://localhost:8080/;

}
}

I also added a redirect to only allow secure access

server {
listen 80;
server_name {odk.foo.com};
rewrite ^ https://{odk.foo.com}$request_uri? permanent;
}

Next, I did a standard install of ODK using the jar installer, but then
hacked the ODKAggregate-settings.jar to to look like this
...

should be REQUIRES_SECURE_CHANNEL but can't unless SSL is available.

security.server.secureChannelType=ANY_CHANNEL
#security.server.secureChannelType=REQUIRES_SECURE_CHANNEL

either REQUIRES_INSECURE_CHANNEL to secure nothing

or REQUIRES_SECURE_CHANNEL to secure everything

security.server.channelType=ANY_CHANNEL
#security.server.channelType=REQUIRES_SECURE_CHANNEL

When running under Tomcat, you need to set the hostname and port for

the server so that the background tasks can generate

properly-constructed

links in their documents and in their publications to the

external services.

This is configured during install. If blank, discovers an IP address

security.server.hostname={odk.foo.com}
#security.server.hostname=192.168.15.200
#security.server.hostname=opendatakit.appspot.com

any port pairings can be used.

security.server.port=80
security.server.securePort=443
...

Start everything up, and you should be good to go, with full encryption
using a reverse proxy as the encryption point, instead of Tomcat.

Hope it may be useful to others, and improvement welcome.

Regards,
Jason

Hi Jason,

This is a good guide and helped me getting further. Took me a bit to
figure out how to unpack, change and repackage the jar file

While the proxying now works a login gives me an access denied. The URL
looks weird:

https://odk.lmbutler-ssa.net/DisclosureRAP/https://odk.lmbutler-ssa.net/DisclosureRAP/Aggregate.html

When I cut the URL to
https://odk.lmbutler-ssa.net/DisclosureRAP/Aggregate.html and reload I am
logged in.

Any thoughts why this could happen and what I need to change?

My nginx settings:

server {
listen 443;
ssl on;
server_name odk.lmbutler-ssa.net;

    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_protocols              SSLv2 SSLv3 TLSv1;
    ssl_ciphers                HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;


    location / {
            proxy_set_header X_Forwarded_Proto https;
            proxy_set_header  X-Forwarded-For

$proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;
proxy_pass http://localhost:8080/;
}
}

server {
listen 80;
server_name odk.lmbutler-ssa.net;
rewrite ^ https://odk.lmbutler-ssa.net$request_uri? permanent;
}

thanks for any thoughts.

Armin

Hi Armin,
It took me a few attempts to get something working. As for editing the JAR
file, the simplest way (which I neglected to mention) is to use the
Midnight Commander (mc) on Linux. Of course, you can unpack/edit/repack the
jar, but it is pretty simple to do it with mc.

Anyway, I am not really sure what might be going on with your setup. It
seems to be identical to mine, and we have had no issues.

1. Did you try on an incognito/private browser session or clearing your
   browser cache? I had some cached stuff in my browser, which caused
   confusion.
2. Did you edit your Tomcat server files? Did not see if you mentioned
   this in your mail.

Regards,
Jason

On Fri, May 24, 2013 at 5:45 AM, mackrauss@gmail.com wrote:

On Wednesday, May 15, 2013 1:52:11 PM UTC-4, jason.p....@gmail.com wrote:

Hi there. I am totally new to ODK Aggregate, but have followed the
project over the years, and am finally glad to have a chance to work with
it. My first task however was to setup an ODK Aggregate server using an
SSL-enabled reverse proxy. The current documentation descries a situation
where there is not a reverse proxy (such as Nginx or Apache) in front of
the Tomcat server for ODK Aggregate. The documented approach uses ipchains
to forward the traffic to the correct ports on Tomcat, but getting SSL
enabled in Tomcat can be a bit of a hassle, especially if you already have
a webserver with SSL enabled. I thought I would share my experience with
the group for future benefit, as I could not find this documentation
readily available anywhere.

This a real bare-bones install, and any comments would be most welcome.

This will describe an installation using Tomcat and Nginx as the
SSL-enabled reverse proxy. There will be no encryption between the reverse
proxy and Tomcat. All values in {} should be replaced with your actual
values

First, install Tomcat as per normal, but you need to alter the
server.xml file as follows.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           scheme="https"
           proxyName=" {odk.foo.com}"
            proxyPort="443"
     />

Next, setup Nginx with the following server block, adjusting to suit
your needs.

server {
listen 443;
ssl on;
server_name {odk.foo.com};

ssl_certificate {/etc/ssl/my.crt};
ssl_certificate_key {/etc/ssl/my.key};
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {
proxy_set_header X_Forwarded_Proto https;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;
proxy_pass http://localhost:8080/;

}
}

I also added a redirect to only allow secure access

server {
listen 80;
server_name {odk.foo.com};
rewrite ^ https://{odk.foo.com}$request_uri? permanent;
}

Next, I did a standard install of ODK using the jar installer, but then
hacked the ODKAggregate-settings.jar to to look like this
...

should be REQUIRES_SECURE_CHANNEL but can't unless SSL is available.

security.server.secureChannelType=ANY_CHANNEL
#security.server.secureChannelType=REQUIRES_SECURE_CHANNEL

either REQUIRES_INSECURE_CHANNEL to secure nothing

or REQUIRES_SECURE_CHANNEL to secure everything

security.server.channelType=ANY_CHANNEL
#security.server.channelType=REQUIRES_SECURE_CHANNEL

When running under Tomcat, you need to set the hostname and port for

the server so that the background tasks can generate

properly-constructed

links in their documents and in their publications to the

external services.

This is configured during install. If blank, discovers an IP address

security.server.hostname={odk.foo.com}
#security.server.hostname=192.168.15.200
#security.server.hostname=opendatakit.appspot.com

any port pairings can be used.

security.server.port=80
security.server.securePort=443
...

Start everything up, and you should be good to go, with full encryption
using a reverse proxy as the encryption point, instead of Tomcat.

Hope it may be useful to others, and improvement welcome.

Regards,
Jason

Hi Jason,

This is a good guide and helped me getting further. Took me a bit to
figure out how to unpack, change and repackage the jar file

While the proxying now works a login gives me an access denied. The URL
looks weird:

https://odk.lmbutler-ssa.net/DisclosureRAP/https://odk.lmbutler-ssa.net/DisclosureRAP/Aggregate.html

When I cut the URL to
https://odk.lmbutler-ssa.net/DisclosureRAP/Aggregate.html and reload I
am logged in.

Any thoughts why this could happen and what I need to change?

My nginx settings:

server {
listen 443;
ssl on;
server_name odk.lmbutler-ssa.net;

    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_protocols              SSLv2 SSLv3 TLSv1;
    ssl_ciphers                HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;


    location / {
            proxy_set_header X_Forwarded_Proto https;
            proxy_set_header  X-Forwarded-For

$proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;
proxy_pass http://localhost:8080/;
}
}

server {
listen 80;
server_name odk.lmbutler-ssa.net;
rewrite ^ https://odk.lmbutler-ssa.net$request_uri? permanent;
}

thanks for any thoughts.

Armin