Silverpeas Project Web Site – Configuring Silverpeas behind an Apache or an Nginx reverse-proxy

Introduction

A reverse-proxy is usually used to give a single one-point access to different services or applications. It is also used to handle TLS connections and then the required certificates.

The configuration of Silverpeas behind an Apache or an Nginx reverse-proxy is quite straightforward.
In this example we want to configure a reverse-proxy that is handling TLS and proxyfying a Silverpeas running in a Wildfly server on port 8000.

Apache Configuration

Defines the configuration of your site as following. The [...] means your own specific configuration for your site and that isn't covered by this document.

    <VirtualHost site.domaine.tld:443>
          ServerName site.domaine.tld:443

          [...]
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile PATH_OF_YOUR_CRT
        SSLCertificateKeyFile PATH_OF_YOUR_CERTIFICATE_KEY
        SSLCertificateChainFile  PATH_OF_YOUR_CERTIFICATE_CHAIN_PEM
        SSLVerifyClient None
        SSLCipherSuite !ADH:!DSS:!RC4:HIGH:+3DES
        SSLCompression Off
        SSLHonorCipherOrder On
        SSLProtocol all -SSLv2 -SSLv3

        ProxyTimeout 300
        ProxyVia Off
        ProxyRequests Off
        ProxyPreserveHost On

        # Silverpeas
        ProxyPass /weblib http://127.0.0.1:8000/weblib
        ProxyPassReverse /weblib http://127.0.0.1:8000/weblib
        ProxyPass /silverpeas http://127.0.0.1:8000/silverpeas
        ProxyPassReverse /silverpeas http://127.0.0.1:8000/silverpeas
        ProxyPass /website http://127.0.0.1:8000/website
        ProxyPassReverse /website http://127.0.0.1:8000/website
        ProxyPass /help_fr http://127.0.0.1:8000/help_fr
        ProxyPassReverse /help_fr http://127.0.0.1:8000/help_fr

        RewriteEngine On
        RewriteRule ^/$ /silverpeas [R,L]

        Header set Access-Control-Max-Age "1000"
        Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, X-STKN"
        # This parameter is important for Wildfly
        Header set X-Forwarded-Proto "https"

        [...]
    </VirtualHost>

Configuring Nginx

Defines the configuration of your site as following. The [...] means your own specific configuration for your site and that isn't covered by this document.

    [...]

    server {
        listen 443;
        server_name site.domaine.tld;

        [...]

        ssl on;
        ssl_certificate_key PATH_OF_YOUR_CERTIFICATE_KEY;
        ssl_certificate     PATH_OF_YOUR_CERTIFICATE_CHAIN_PEM;
        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;
        client_max_body_size 2048M;

        location / {
            proxy_pass http://127.0.0.1:8000/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        rewrite ^/$ /silverpeas break;

        [...]
     }

Configuring Wildfly

In a non TLS mode

Now, you just have to update one attribute of the HTTP listener of the Undertow Web server embedded in Wildfly. For doing, go to the JBOSS_HOME/bin directory and, run Wildfly in administration mode only, enable the proxy forwarding and then stop Wildfly:

        $ ./standalone.sh -c standalone-full.xml --admin-only &
        [...]
        $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)"
        {"outcome" => "success"}
        $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket)"
        {"outcome" => "success"}
        $ ./jboss-cli.sh --connect -c "shutdown"

In TLS mode

Now, you just have to create a configuration for a socket binding to handle TLS connections (here proxy-https) and then update the HTTP listener of the Undertow Web server embedded in Wildfly. For doing, go to the JBOSS_HOME/bin directory and, run Wildfly in administration mode only, create and use a socket binding for TLS connections, and enable the proxy forwarding, and then stop Wildfly:

          $ ./standalone.sh -c standalone-full.xml --admin-only &
          [...]
          $ ./jboss-cli.sh --connect -c "/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)"
          {"outcome" => "success"}
          $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)"
          {"outcome" => "success"}
          $ ./jboss-cli.sh --connect -c "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)"
          {"outcome" => "success"}
          $ ./jboss-cli.sh --connect -c "shutdown"