Installation and Administration

Firewall Consideration

Updated: October 16, 2020

Firewalls don't like inactive connections that stay open. Most of them will drop the connection silently, which will generate errors on connections pools like database, AJP or LDAP. Here are some advices to prevent this.

Firewall Between Apache and the Nuxeo Platform in AJP Mode

If you are using mod_proxy_ajp, you can activate a TCP keep alive to prevent persistent connections to be dropped. This requires the usage of mod_proxy options keepalive=on and flushpackets=on. You also need to configure the TCP keep alive delay using sysctl (net.ipv4.TCP_keepalive_time).

Refer to mod_proxy documentation for more information.

Firewall Between the Nuxeo Platform and the Database

Database pool can try to reconnect on invalid connection (NXP-7528) but it is better to enable the keep alive on your database. For instance using PostgreSQL, this can be achieved with the following options:

OptionValueDescription
tcp_keepalives_count
5Maximum number of TCP keepalive retransmits.
tcp_keepalives_idle
60Time between issuing TCP keepalives.
tcp_keepalives_interval
60Time between TCP keepalive retransmits.

Firewall Between the Nuxeo Platform and LDAP

Here, there are no keep alive alternative. You can simply disable the LDAP connection pool in the directory configuration.