search cancel

Using nginx reverse proxy with SSL to access OneClick non-ssl

book

Article ID: 257791

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction

How to configure OneClick and OneClick WebApp non-ssl to be accessed through a reverse proxy (nginx) with SSL, 

 

Environment

Release : 21.2 - 22.2

Cause

This document assume nginx is installed and configured as a reverse proxy and with SSL

https://docs.nginx.com/nginx/admin-guide/

For this example,

The nginx server FQDN is reverseproxy.mydomain.com

The OneClick server hostname is ocserver

Please replace the above with the correct values on the configuration file.

 

Resolution

Before starting, please confirm:

A) The OneClick can be accessed using http://ocserver/spectrum locally or from the internal network.

B) Launching OneClick WebApp from OneClick home page works locally or from the internal network.


To access OneClick and OneClick WebApp (non-SSL) using nginx (with SSL) two steps are required.

1. Configure two ports in nginx configuration file. One for accessing OneClick, and the second one to access the OneClick WebApp

Next is an nginx configuration file that works:

server {
       #Configured SSL port 443
        listen 443 ssl;

       #Certificates path
        ssl_certificate /etc/ssl/private/reverseproxy.crt;
        ssl_certificate_key /etc/ssl/private/reverseproxy.key;

        server_name reverseproxy.mydomain.com;

        location / {
          proxy_pass http://ocserver:80;
          proxy_read_timeout 1d;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection 'upgrade';
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
}

}

server {
       #OneClick WebApp port. This port must match the connector port on $SPECROOT/webtomcat/conf/server.xml
       listen 9443 ssl;
       
       #Certificate paths
       ssl_certificate /etc/ssl/private/reverseproxy.crt;
       ssl_certificate_key /etc/ssl/private/reverseproxy.key;

       server_name reverseproxy.mydomain.com;
       location / {
         proxy_buffering off;
         add_header X-Upstream $upstream_addr;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-Host prototype.webswing.org;
         proxy_pass http://ocserver:9443/;
    }
}

2. Modify the Spectrum Tomcat configuration and the WebTomcat configuration to allow the access through the reverse proxy

Two files need to be modified to make this works, webswing.config and index.jsp

- Backup on a different location, and edit $SPECROOT/webtomcat/webswing/webswing.config file
  Search next line

      "launcherConfig" : {
        "args" : "-compress 9 ${customArgs}",
        "mainClass" : "com.aprisma.spectrum.app.console.client.ConsoleApp"
      },

and  modify it as follow

      "launcherConfig" : {
        "args" : "-host localhost -compress 9 ${customArgs}",
        "mainClass" : "com.aprisma.spectrum.app.console.client.ConsoleApp"
      },

Save the file.

- Backup on a different location, and edit $SPECROOT/tomcat/webapps/spectrum/webapp/index.jsp file
 
  Search the word ${protocol}

<link rel="stylesheet" href="${protocol}://${server}:${webapp_port}/spectrum/oneclickwebapp/css/style.css"/>
...
connectionUrl:'${protocol}://${server}:${webapp_port}/spectrum/oneclickwebapp',
...
var baseUrl = '${protocol}://${server}:${webapp_port}/spectrum/oneclickwebapp';

and replace it by https

<link rel="stylesheet" href="https://${server}:${webapp_port}/spectrum/oneclickwebapp/css/style.css"/>
...
connectionUrl:'https://${server}:${webapp_port}/spectrum/oneclickwebapp',
...
var baseUrl = 'https://${server}:${webapp_port}/spectrum/oneclickwebapp';

Save the file.

After modifying the files:

- Delete the content from $SPECROOT/tomcat/work/ directory, and try to access OneClick through the nginx.

IMPORTANT!!!

1.  After modifying the above files, OneClick can still be accessed without going through the nginx, however OneClick WebApp will not load, unless it is accessed through the nginx.
2.  The Java Console will not work, unless
   2.1 the port 80 is added to the nginx configuration

server {
       listen 80;
       #Configured SSL port 443
        listen 443 ssl;
...

  2.2 or alternatively, backup and then edit the $SPECROOT/tomcat/webapps/spectrum/oneclick.jnlp to change the first lines 

From

<?xml version="1.0" encoding="utf-8"?>
<!-- JNLP File for Session Client -->
<jnlp spec="1.0+" codebase="$$codebase"
href="$$href">


To

<?xml version="1.0" encoding="utf-8"?>
<!-- JNLP File for Session Client -->
<jnlp spec="1.0+" codebase="https://reverseproxy.mydomain.com/spectrum"
href="$$href">

After saving the changes, Start the Console to reflect those changes on the client oneclick.jnlp.


3. Be aware that the modified files will be overwritten during an upgrade. They need to be backed up before an upgrade, or redo the modifications after the upgrade.

Attachments