Hi Armin,
It took me a few attempts to get something working. As for editing the JAR
file, the simplest way (which I neglected to mention) is to use the
Midnight Commander (mc) on Linux. Of course, you can unpack/edit/repack the
jar, but it is pretty simple to do it with mc.
Anyway, I am not really sure what might be going on with your setup. It
seems to be identical to mine, and we have had no issues.
- Did you try on an incognito/private browser session or clearing your
  browser cache? I had some cached stuff in my browser, which caused
  confusion.
- Did you edit your Tomcat server files? Did not see if you mentioned this
  in your mail.
Regards,
Jason
On Fri, May 24, 2013 at 5:45 AM, wrote:
On Wednesday, May 15, 2013 1:52:11 PM UTC-4, jason.p....@gmail.com wrote:
Hi there. I am totally new to ODK Aggregate, but have followed the
project over the years, and am finally glad to have a chance to work with
it. My first task however was to set up an ODK Aggregate server using an
SSL-enabled reverse proxy. The current documentation describes a situation
where there is not a reverse proxy (such as Nginx or Apache) in front of
the Tomcat server for ODK Aggregate. The documented approach uses ipchains
to forward the traffic to the correct ports on Tomcat, but getting SSL
enabled in Tomcat can be a bit of a hassle, especially if you already have
a webserver with SSL enabled. I thought I would share my experience with
the group for future benefit, as I could not find this documentation
readily available anywhere.

This is a real bare-bones install, and any comments would be most welcome.
This will describe an installation using Tomcat and Nginx as the
SSL-enabled reverse proxy. There will be no encryption between the reverse
proxy and Tomcat. All values in {} should be replaced with your actual
values.

First, install Tomcat as per normal, but you need to alter the
server.xml file as follows.

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" scheme="https"
           proxyName="{odk.foo.com}" proxyPort="443" />

Next, set up Nginx with the following server block, adjusting to suit
your needs.

server {
    listen 443;
    ssl on;
    server_name {odk.foo.com};

    ssl_certificate {/etc/ssl/my.crt};
    ssl_certificate_key {/etc/ssl/my.key};
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X_Forwarded_Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_pass http://localhost:8080/;
    }
}

I also added a redirect to only allow secure access.

server {
    listen 80;
    server_name {odk.foo.com};
    rewrite ^ https://{odk.foo.com}$request_uri? permanent;
}

Next, I did a standard install of ODK using the jar installer, but then
hacked the ODKAggregate-settings.jar to look like this:

...
# should be REQUIRES_SECURE_CHANNEL but can't unless SSL is available.
security.server.secureChannelType=ANY_CHANNEL
#security.server.secureChannelType=REQUIRES_SECURE_CHANNEL
# either REQUIRES_INSECURE_CHANNEL to secure nothing
# or REQUIRES_SECURE_CHANNEL to secure everything
security.server.channelType=ANY_CHANNEL
#security.server.channelType=REQUIRES_SECURE_CHANNEL
# When running under Tomcat, you need to set the hostname and port for
# the server so that the background tasks can generate
# properly-constructed links in their documents and in their
# publications to the external services.
# This is configured during install. If blank, discovers an IP address
security.server.hostname={odk.foo.com}
#security.server.hostname=192.168.15.200
#security.server.hostname=opendatakit.appspot.com
# any port pairings can be used.
security.server.port=80
security.server.securePort=443
...

Start everything up, and you should be good to go, with full encryption
using a reverse proxy as the encryption point, instead of Tomcat.

Hope it may be useful to others, and improvement welcome.
Regards,
Jason

Hi Jason,
This is a good guide and helped me get further. Took me a bit to
figure out how to unpack, change and repackage the jar file.

While the proxying now works, a login gives me an access denied. The URL
looks weird:
https://odk.lmbutler-ssa.net/DisclosureRAP/https://odk.lmbutler-ssa.net/DisclosureRAP/Aggregate.html
When I cut the URL to
https://odk.lmbutler-ssa.net/DisclosureRAP/Aggregate.html and reload I am
logged in.

Any thoughts why this could happen and what I need to change?
My nginx settings:
server {
    listen 443;
    ssl on;
    server_name odk.lmbutler-ssa.net;

    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X_Forwarded_Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_pass http://localhost:8080/;
    }
}

server {
    listen 80;
    server_name odk.lmbutler-ssa.net;
    rewrite ^ https://odk.lmbutler-ssa.net$request_uri? permanent;
}

Thanks for any thoughts.
Armin
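
Added example, not part of the original thread and not from the ODK project: the two nginx server blocks from the guide above with the TLS settings brought up to date, since SSLv2, SSLv3 and TLSv1 should no longer be offered. The hostname and certificate paths are the guide's own {placeholders}; the TLSv1.2/TLSv1.3 protocol line, the HSTS header and the hyphenated X-Forwarded-Proto header are assumptions about a current nginx and OpenSSL build and have not been tested against ODK Aggregate.

```nginx
# Added example: hardened variant of the guide's server blocks.
# {odk.foo.com}, {/etc/ssl/my.crt} and {/etc/ssl/my.key} are the guide's
# placeholders; replace them with real values.
server {
    # "listen ... ssl" replaces the older "ssl on;" directive.
    listen 443 ssl;
    server_name {odk.foo.com};

    ssl_certificate     {/etc/ssl/my.crt};
    ssl_certificate_key {/etc/ssl/my.key};

    # Weak (as posted):  ssl_protocols SSLv2 SSLv3 TLSv1;
    # SSLv2 and SSLv3 are broken (DROWN, POODLE) and TLSv1 is deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Assumption: tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Conventional hyphenated header name instead of X_Forwarded_Proto.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header Host              $host;
        proxy_set_header X-Url-Scheme      $scheme;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        # Traffic to Tomcat is unencrypted, so keep it on the loopback interface.
        proxy_pass http://localhost:8080/;
    }
}

# Plain HTTP only redirects; nothing is proxied over port 80.
server {
    listen 80;
    server_name {odk.foo.com};
    return 301 https://{odk.foo.com}$request_uri;
}
```

Run `nginx -t` after editing to validate the syntax before reloading. Because the hop to Tomcat is unencrypted, binding the Tomcat Connector to loopback (its `address` attribute) keeps port 8080 from being reachable directly.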