HTTP and HTTPS reverse-proxy configuration

The Nuxeo webapp can be virtual hosted behind a HTTP/HTTPS reverse proxy, like Apache.

Motivations for virtual hosting

Virtual hosting provides several advantages:

• Support for HTTPS
  HTTPS support in Apache is easy and flexible to setup. Apache can also be used to handle certificate authentication.

• URL filtering
  You can use Apache filtering tools to limit the URLs that can be accessed via the reverse proxy.

• Handle HTTP cache for static resources
  Nuxeo EP generates standard HTTP cache headers for all static resources (images, JavaScript...). These resources are by default cached on the client side (in the browser cache). For performance reasons, it can be useful to host these resources in the reverse proxy cache.

Virtual hosting configuration for Apache 2.x

Reverse proxy with mod_proxy

For this configuration, you will need to load and enable the mod_proxy and mod_proxy_http modules.

You can also use rewrite rules to achieve the same result:

This configuration will allow you to access the Nuxeo EP webapp via http://ApacheServer/nuxeo/.

The Nuxeo webapp will generate the URLs after reading the http header x-forwarded-host.

Unfortunately, this header does not specify the protocol used, so if your Apache is responding to HTTPS, you will need to send Nuxeo EP a specific header to indicate the base URL that the webapp must use when generating links.

This will require you to load and activate the mod_headers module.

And if you have "client denied by server configuration" error, you must check the access control directives of mod_proxy:

Reverse proxy a Webengine site to a myexample.com/mysite url

You need the same configuration from the first section. It is advised to first get it to work before proxying exclusively a Webengine site.

A site request queries both from its own url (/nuxeo/site/mysite) but also gets static resources from the root (/nuxeo/nxthemes ...).
A rewrite configuration for mysite would look like:

Webengine also needs to know the base of the site, in this case, an empty string instead of /nuxeo/site. This information is passed using the mod_headers:

You can also fetch the static resources from a different path. To do so add a properties to the nuxeo.properties file

Reverse proxy with mod_jk

mod_jk allows you to communicate between Apache and Tomcat via the ajp1.3 protocol.

The workers.properties file will contain the list of Nuxeo EP Tomcat servers. The AJP13 tomcat listener should be enabled by default on port 8009.

Once again, if you use HTTPS, you will need to set the Nuxeo-specific header to tell the webapp how to generate URLs:

This will require you to load and activate the mod_header module.

Configuring http cache

The Simple cache filter is deprecated, we recommend using the filterConfig extension point of RequestControllerService.

RequestControllerService's filter extension point

This XP lets you contribute customized filter for a given pattern URL.

This contribution will ensure that every pattern matching url will go through NuxeoRequestControllerFilter. The header of the corresponding request will be modified according to the XP configuration. Here is a list of the possible options:

• filterConfig
  • name: name of the Filter.
  • transactional: use transaction.
  • synchonize: is synchronized
  • cached: if true, add cache-control to header
  • cacheTime: cache duration.
  • private: if true, cache is private, public if false.
• pattern: url pattern to match

Using Simple Cache Filter

The Nuxeo webapp includes a Servlet Filter that will automatically add header cache to some resources returned by the server.

By using the deployment-fragement.xml you can also put some specific resources behind this filter:

When Nuxeo EP is virtual hosted with apache you can use mod_cache to use the reverse-proxy as cache server.

You can also use Squid or any other caching system that is compliant with the standard HTTP caching policy.