Authentication and Configuration with nginx

Authentication and Configuration with nginx

Nils
Hi folks, 

Hopefully there are some people who already use nginx in production environments. We have an nginx as our load balancer and unified entry point to share one IP among multiple customer servers. So we don't want to use the Apache web server for our Hippo instances. That's why we use nginx for Hippo.
We deploy the webapps with their default names "site" and "cms". In production we don't want to see "site" in the paths, so we configured nginx as follows:
       location /site {
               auth_basic "HT Login" ;
               auth_basic_user_file ht.htpasswd ;
               proxy_read_timeout 60;
               proxy_connect_timeout 5;
               proxy_pass              http://site/site;
               proxy_redirect          default;
               proxy_set_header        X-Real-IP        $remote_addr;
               proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
               proxy_set_header        Host             $http_host;
       }


       location /cms {
               proxy_read_timeout 60;
               proxy_connect_timeout 5;
               proxy_pass              http://cms/cms;
               proxy_redirect          default;
               proxy_set_header        X-Real-IP        $remote_addr;
               proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
               proxy_set_header        Host             $http_host;
       }

       location / {
               auth_basic "HT Login" ;
               auth_basic_user_file ht.htpasswd ;
               proxy_read_timeout 60;
               proxy_connect_timeout 5;
               proxy_pass              http://site/site/;
               proxy_redirect          default;
               proxy_set_header        X-Real-IP        $remote_addr;
               proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
               proxy_set_header        Host             $http_host;
       }
*site and cms are configured as clustered IP stacks.

Works fine for the whole site except for any pages that use authentication.

When I open the restricted page I get to the same URL + "j_security_check" and this content:
"Authentication failed with user, .
Try again." (css is missing)

I click "Try again" -> URI: services/login/form - "services" is a subpath that is added here but must be removed to get to the login mask.
Login mask -> URI: login/form - Enter credentials, hit enter.
"Authentication failed with user, .
Try again." (with correct css) -> URI: login/j_security_check

And I set the value for hst:showcontextpath to false on the hst:virtualhost, jfyi. But except for the URLs there is no change in the behaviour.

Now the very interesting part. When we remove the last block of the nginx configuration, we need the site in the URIs, but the authentication then works. Oo Why?

Please anyone, have some ideas. 

Regards, 
 Nils

--
Satzmedia GmbH

Altonaer Poststraße 9
22767 Hamburg

Tel: +49 (0) 40 - 1 888 969 - 0
Fax: +49 (0) 40 - 1 888 969 - 200
E-Mail: [hidden email]

E-Business-Lösungen: http://www.satzmedia.de

Amtsgericht Hamburg, HRB 71729
Ust-IDNr. DE201979921
Geschäftsführer:
Dipl.-Kfm. Christian Satz
Dipl.-Inform. Markus Meyer-Westphal



_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html

Re: Authentication and Configuration with nginx

Niels Out
Hi Nils Eckelt,

This might take some more investigation time from our side to
support than just answering through the mailing list. The Hippo Support team
is available to help you out with these types of production questions you
have, and can be accessed when you have a Hippo Support Subscription. A
Support Subscription also gives you access to Developer Assistance,
Consulting and Training, as well as other benefits. Through the Support
Subscription, we can even give you 24x7 support when needed.

For more information, please see
http://www.onehippo.com/en/support/subscriptions

I hope this gives you some more clarity on how our support model works. If
you want to speak to someone about our commercial offerings, please don't
hesitate to contact [hidden email].

Best Regards, Niels Out

On Tue, Sep 11, 2012 at 1:16 PM, Nils Eckelt <[hidden email]> wrote:

Re: Authentication and Configuration with nginx

Jeroen Reijn
Administrator
In reply to this post by Nils
Hi Nils,

I have no experience with such a setup, but have you checked out http://www.onehippo.org/7_7/library/deployment/configuring/configure-apache-httpd-web-server-for-sites.html ? Even though it describes a default setup with Apache, it should have all the information for any other frontend proxy.

Looking at that page it states some additional configurations like ProxyPassReverseCookiePath and ProxyPassReverse. I don't know if there is an equivalent for that in nginx.

Have you perhaps thought about a setup like nginx -> apache -> tomcat ? I guess that would solve it as well.

A blind guess would be that it has something to do with additional mod_proxy settings.
As a side note, I guess the /site configuration needs to be removed, right?

Jeroen





--
Jeroen Reijn
Solution Architect
Hippo

Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

http://about.me/jeroenreijn
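
The nginx counterparts of the two Apache directives named in the reply above are proxy_redirect (ProxyPassReverse) and proxy_cookie_path (ProxyPassReverseCookiePath). The location block below is an added example, not part of the thread or of Hippo's documentation; it reuses the upstream name "site" from the original post and assumes the webapp scopes its session cookie to its /site context path.

```nginx
# Added example, not from the thread. "site" is the upstream name used in the
# original post; the Path=/site cookie scope is an assumption about the backend.
location / {
    auth_basic             "HT Login";
    auth_basic_user_file   ht.htpasswd;

    proxy_read_timeout     60;
    proxy_connect_timeout  5;

    # Map the public "/" onto the webapp's "/site/" context path.
    proxy_pass             http://site/site/;

    # Counterpart of ProxyPassReverse: rewrite Location and Refresh headers.
    # "default" only matches redirects that start with http://site/site/.
    # Because the Host header is forwarded as $http_host below, the backend
    # may build absolute redirects from the public host name instead, so
    # those forms (and host-less redirects) are matched explicitly as well.
    proxy_redirect         default;
    proxy_redirect         http://$http_host/site/   /;
    proxy_redirect         https://$http_host/site/  /;
    proxy_redirect         /site/                    /;

    # Counterpart of ProxyPassReverseCookiePath (nginx 1.1.15 and later):
    # rewrite the Path attribute of Set-Cookie headers. A cookie scoped to
    # /site is not sent back by the browser for public URLs such as
    # /login/j_security_check, so the backend would not see the session that
    # holds the pending form login. The first matching directive wins, so
    # the form with the trailing slash is listed first.
    proxy_cookie_path      /site/  /;
    proxy_cookie_path      /site   /;

    proxy_set_header       X-Real-IP        $remote_addr;
    proxy_set_header       X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header       Host             $http_host;
}
```

Widening the cookie to Path=/ also means the browser sends the site's session cookie with requests to /cms on the same host name.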


Re: Authentication and Configuration with nginx

Nils
Thank you Jeroen,

Sure, I already checked the wiki page and we use the equivalent settings for nginx. And the /site block should be there to get to the site, I think. I'll discuss that with our administrator.
The setup nginx>apache>tomcat may solve our problem. I'll discuss this with our administrator as well.

 Nils

On 12 September 2012 13:55, Jeroen Reijn <[hidden email]> wrote:

Hippo and MySql Cluster

Marco Di Sabatino Di Diodoro
Hi all

I need to install Hippo on MySQL Cluster. The MySQL Cluster works with the ndbcluster storage engine and I have problems with text/blob columns.

Suggestion?

Regards
Marco
--

Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PPMC Member






Re: Hippo and MySql Cluster

Bartosz Oudekerk
Administrator

Marco,

could you please start a new thread[0] when you have an unrelated
question? This way people that stopped following the original thread
will miss your question.

Kind regards,
Bartosz

[0] Compose a new e-mail instead of replying to an existing but
unrelated one.

On 12/09/12 15:17, Marco Di Sabatino Di Diodoro wrote:

> Hi all
>
> I need to install Hippo on MySQL Cluster. The MySQL Cluster works with the ndbcluster storage engine and I have problems with text/blob columns.
>
> Suggestion?
>
> Regards
> Marco
> --
>
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
>
> Tirasa S.r.l.
> Viale D'Annunzio 267 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>
> Apache Syncope PPMC Member
> http://people.apache.org/~mdisabatino


--
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
http://www.onehippo.com/