This documentation refers to the unreleased development version of the Nuxeo Platform. For the current production version, refer to the 5.6 documentation.
Skip to end of metadata
Comment: Added related pages
Go to start of metadata

The Nuxeo webapp can be virtual hosted behind a HTTP/HTTPS reverse proxy, like Apache.

Motivations for virtual hosting

Virtual hosting provides several advantages:

  • Support for HTTPS
    HTTPS support in Apache is easy and flexible to setup. Apache can also be used to handle certificate authentication.
  • URL filtering
    You can use Apache filtering tools to limit the URLs that can be accessed via the reverse proxy.
  • Handle HTTP cache for static resources
    Nuxeo EP generates standard HTTP cache headers for all static resources (images, JavaScript...). These resources are by default cached on the client side (in the browser cache). For performance reasons, it can be useful to host these resources in the reverse proxy cache.

Virtual hosting configuration for Apache 2.x

Reverse proxy with mod_proxy

For this configuration, you will need to load and enable the mod_proxy and mod_proxy_http modules.

You can also use rewrite rules to achieve the same result:

This configuration will allow you to access the Nuxeo EP webapp via http://ApacheServer/nuxeo/.

The Nuxeo webapp will generate the URLs after reading the http header x-forwarded-host.

Unfortunately, this header does not specify the protocol used, so if your Apache is responding to HTTPS, you will need to send Nuxeo EP a specific header to indicate the base URL that the webapp must use when generating links.

This will require you to load and activate the mod_headers module.

And if you have "client denied by server configuration" error, you must check the access control directives of mod_proxy:

Reverse proxy a Webengine site to a myexample.com/mysite url

You need the same configuration from the first section. It is advised to first get it to work before proxying exclusively a Webengine site.

A site request queries both from its own url (/nuxeo/site/mysite) but also gets static resources from the root (/nuxeo/nxthemes ...).
A rewrite configuration for mysite would look like:

Webengine also needs to know the base of the site, in this case, an empty string instead of /nuxeo/site. This information is passed using the mod_headers:

You can also fetch the static resources from a different path. To do so add a properties to the nuxeo.properties file

Reverse proxy with mod_jk

The AJP connector may lock threads if you're not using the APR implementation. Please read the native tomcat documentation for activating the APR implementation on your system. On linux
you just have to install the package libtcnative-1.

mod_jk allows you to communicate between Apache and Tomcat via the ajp1.3 protocol.

The workers.properties file will contain the list of Nuxeo EP Tomcat servers. The AJP13 tomcat listener should be enabled by default on port 8009.

Once again, if you use HTTPS, you will need to set the Nuxeo-specific header to tell the webapp how to generate URLs:

This will require you to load and activate the mod_header module.

Configuring http cache

The Simple cache filter is deprecated, we recommend using the filterConfig extension point of RequestControllerService.

RequestControllerService's filter extension point

This XP lets you contribute customized filter for a given pattern URL.

Example of a filterConfig Registration

This contribution will ensure that every pattern matching url will go through NuxeoRequestControllerFilter. The header of the corresponding request will be modified according to the XP configuration. Here is a list of the possible options:

  • filterConfig
    • name: name of the Filter.
    • transactional: use transaction.
    • synchonize: is synchronized
    • cached: if true, add cache-control to header
    • cacheTime: cache duration.
    • private: if true, cache is private, public if false.
  • pattern: url pattern to match

Using Simple Cache Filter

The Nuxeo webapp includes a Servlet Filter that will automatically add header cache to some resources returned by the server.

By using the deployment-fragement.xml you can also put some specific resources behind this filter:

When Nuxeo EP is virtual hosted with apache you can use mod_cache to use the reverse-proxy as cache server.

You can also use Squid or any other caching system that is compliant with the standard HTTP caching policy.

Related pages
Page: HTTP and HTTPS reverse-proxy configuration (Nuxeo Installation and Administration)
Page: Configuring a reverse proxy to work with Live Edit and client certificate authentication (Nuxeo Installation and Administration)
Page: Simple REST (Nuxeo Enterprise Platform (EP))

4 Comments

Hide/Show Comments

  1. May 20, 2011

    Damien Metzler

    With Tomcat, it seems that the authentication cookie (JSESSIONID) is set on the /nuxeo path. Therefore, the authentication only works for servlets after the /nuxeo segment.  In order to be able to login on proxyfied webengine applications, you'll have to add this configuration in Apache :

    Header edit Set-Cookie "^(.*; Path=/)(.*)" $1

  2. Jun 01, 2011

    Damien Metzler

    Another way of doing this without having to edit headers is to change the tomcat config. You have to change the following section in server.xml

    This file is in the templates directory under $(nuxeo.home)/templates/default/conf/ so you can change it there or use your own template.

    1. Jun 22, 2011

      Julien Carsique

      Thanks' Damien. There's a new parameter for setting that since 5.4.3: "nuxeo.server.emptySessionPath".

      Also, since 5.4.3 (https://jira.nuxeo.com/browse/NXP-6782) there is a HTTPS template for those not using an HTTP server in front of Tomcat (even if not recommended).

      1. May 21, 2012

        Damien Metzler

        The parameter seems to be tomcat.emptySessionPath=true now