
Nuxeo Installation & Debug & Apache Reverse Proxy Setup with Client Certificate Authentication
Install Nuxeo as Virtual Machine
VirtualBox and VMware versions are available. The VirtualBox version was tried; installing it is as easy as downloading and clicking.
Install Nuxeo on Ubuntu Server 12.04
Refer to http://www.nuxeo.com/en/downloads/download-debian:
1. Add the Nuxeo repository, i.e. create the file "/etc/apt/sources.list.d/nuxeo.list" with the single line "deb http://apt.nuxeo.org/ lucid releases".
2. Add the Nuxeo key: first save the text from http://apt.nuxeo.org/nuxeo.key to a file "nuxeo.key", then run "apt-key add nuxeo.key".
3. Run "sudo apt-get update".
4. Run "sudo apt-get install nuxeo"... a long, long download, then a simple configuration screen.
To install a mail server for sending only, refer to the Postfix documentation:
1. sudo apt-get install postfix
2. Test it: sendmail bing.ren@eastip.com
3. If the mail is not received: mailq (check the queue)
4. Configure Nuxeo to use the local mail server with the Administrator account and the web interface (Admin Center -> System Information -> Setup)
5. Follow a document and check that a change notification is received
6. sudo dpkg-reconfigure postfix (most important: DO NOT configure an OPEN RELAY)
7. Further secure Postfix so that it listens only on the local IP: http://www.cyberciti.biz/faq/postfix-receive-mail-on-specific-network-interfaces/
Reverse Proxy with Apache + Authentication with User Certificate (Possibly Self-signed)
References:
http://doc.nuxeo.com/display/ADMINDOC/HTTP+and+HTTPS+reverse-proxy+configuration
http://answers.nuxeo.com/questions/4609/nuxeo-live-edit-throws-a-java-npe
http://doc.nuxeo.com/pages/viewpage.action?pageId=6030082
Tested Environment:
The configuration below has been tested and found to work on:
Server: Ubuntu Server 12.04 LTS +Nuxeo Platform 5.6
Ubuntu Client: Ubuntu Desktop 12.04 LTS +Firefox +Nuxeo LiveEdit Protocol Handler 0.5.2
Windows Client: both Windows 7 and Windows XP +Nuxeo LiveEdit plugin for IE
Steps:
(1) After installing Apache server, enable site ssl and necessary modules
a2ensite default-ssl
a2enmod ssl proxy proxy_http headers rewrite
service apache2 restart
(2) Edit the site configuration file ("/etc/apache2/sites-enabled/default-ssl")
The configuration below enables a reverse proxy over HTTPS and also enables authentication by client certificate.
It is not sufficient to just drop in this configuration file and expect things to work. Read the comments below the configuration carefully for
further details; other files and actions are involved to make this configuration work!
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName nutest.test.com
    ServerAlias nutest.test.com
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader append nuxeo-virtual-host "https://nutest.test.com/"
    ServerAdmin webmaster@localhost
    <ProxyMatch ^http\://127\.0\.0\.1\:8080((/nuxeo/nxstartup.faces)|(/nuxeo/login.jsp))>
        SSLRequireSSL
        Include /etc/apache2/access_control
        SSLCACertificatePath /etc/ssl/test_certs/
        SSLVerifyClient optional
        SSLVerifyDepth 3
        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
        RewriteRule .? - [F]
        ErrorDocument 403 "ACCESS DENIED: You need a client side certificate issued by EAST IP to access this site"
    </ProxyMatch>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/nutest.pem
    SSLCertificateKeyFile /etc/ssl/private/nutest.key
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Comments and Explanations (IMPORTANT, READ CAREFULLY):
ServerName and ServerAlias must be set for LiveEdit to work on certain Java versions. See http://answers.nuxeo.com/questions/4609/nuxeo-live-edit-throws-a-java-npe
The ProxyPass, ProxyPassReverse and RequestHeader directives are the standard reverse-proxy setup from the Nuxeo documentation. See http://doc.nuxeo.com/display/ADMINDOC/HTTP+and+HTTPS+reverse-proxy+configuration
The <ProxyMatch ...> block enables client certificate authentication. The regular expression in this directive is matched against the PROXIED resource (the http://127.0.0.1:8080/... URL) and covers the two resources a client encounters when logging into the server. More paths can be included in the expression to make the server more secure. However, note:
Two resources must be excluded: /nuxeo/restAPI/ and /nuxeo/nxliveedit.face. They are excluded because the LiveEdit plugin does not present a client certificate for the server to verify; to work around this, the server does not request a client certificate for resources accessed by the LiveEdit plugin. Use an expression like "<ProxyMatch ^http\://127\.0\.0\.1\:8080(?!((/nuxeo/restAPI/)|(/nuxeo/nxliveedit.face)))>", whose negative lookahead matches every proxied path except those two.
Client certificate authentication limits the upload size; see "Known Potential Problem & Solution" below for details. Exclude any resource that might be requested with a POST request carrying a file upload.
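To check a candidate <ProxyMatch> expression before restarting Apache, the added Python snippet below (not from this page or from Nuxeo) runs both regular expressions shown on this page against sample backend URLs the way mod_proxy does, i.e. against the proxied http://127.0.0.1:8080/... form. The paths in SAMPLE_PATHS other than login.jsp, nxstartup.faces, restAPI and nxliveedit.face are constructed placeholders.

```python
import re

# Apache applies a <ProxyMatch> regex to the *proxied* backend URL that
# ProxyPass produces (http://127.0.0.1:8080/...), not to the public URL.
BACKEND = "http://127.0.0.1:8080"

# Regex as used in the default-ssl configuration above: only the two
# login-time resources require a client certificate.
LOGIN_ONLY_RE = re.compile(
    r"^http\://127\.0\.0\.1\:8080((/nuxeo/nxstartup.faces)|(/nuxeo/login.jsp))"
)
# Negative-lookahead variant suggested above: every proxied path requires a
# client certificate except the two the LiveEdit plugin fetches without one.
EXCEPT_LIVEEDIT_RE = re.compile(
    r"^http\://127\.0\.0\.1\:8080(?!((/nuxeo/restAPI/)|(/nuxeo/nxliveedit.face)))"
)

def requires_client_cert(pattern, path):
    """True if a request for `path` (as seen on the public vhost) falls inside
    the <ProxyMatch> block and is therefore subject to SSLVerifyClient."""
    return pattern.match(BACKEND + path) is not None

def audit(pattern, paths):
    """Map each candidate path to whether the block applies to it, so a new
    expression can be checked before Apache is restarted."""
    return {p: requires_client_cert(pattern, p) for p in paths}

# Constructed sample paths (placeholders, not real Nuxeo URLs except the
# four names taken from the page).
SAMPLE_PATHS = [
    "/nuxeo/login.jsp",
    "/nuxeo/nxstartup.faces",
    "/nuxeo/restAPI/default/some-doc",
    "/nuxeo/nxliveedit.faces?action=edit",
    "/nuxeo/site/some-other-page",
]

if __name__ == "__main__":
    for name, pat in (("login-only", LOGIN_ONLY_RE),
                      ("except-liveedit", EXCEPT_LIVEEDIT_RE)):
        print(name)
        for path, needs in audit(pat, SAMPLE_PATHS).items():
            print(f"  {'CERT' if needs else 'open'} {path}")
```

Note that neither expression is anchored at the end, so "/nuxeo/login.jsp?x=1" is covered by the first one and anything starting with "/nuxeo/nxliveedit.face" is exempted by the second.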
Within the <ProxyMatch> block, SSLRequireSSL requires an SSL connection.
Within the <ProxyMatch> block, "Include /etc/apache2/access_control" includes the files in that directory into this configuration. The included files check the attributes of the client certificate. Create the directory and put control directives into any file in it, for example:
    SSLRequire %{SSL_CLIENT_S_DN_Email} in {"email_address_of_allowed_user@allowed.com"}
    SSLRequire %{SSL_CLIENT_S_DN_O} in {"Allowed Organization"}
Within the <ProxyMatch> block, SSLCACertificatePath specifies a directory holding the trusted CA certificates. Only client certificates issued by those trusted CAs are accepted. After placing the CA certificates in that directory, cd into it and run "c_rehash ." to create the required symbolic links. Alternatively, with just a few certificates, the SSLCACertificateFile directive can be used instead of SSLCACertificatePath.
Within the <ProxyMatch> block, SSLVerifyDepth specifies the maximum depth of the trust chain. Increase the number if the chain is long.
Within the <ProxyMatch> block, SSLVerifyClient is set to "optional" so that the RewriteEngine can run and, together with the remaining directives, return a better error message when the client certificate is rejected.
SSLCertificateFile and SSLCertificateKeyFile provide the server certificate and private key.
The rest of the configuration is from the standard configuration template.
(3) Client-side setup
First, import the client certificate into the web browser and try to access and log in to Nuxeo. If it does not work, check the reverse proxy
and client certificate authentication settings, as well as the log files on the server (/var/log/apache2/ssl_access.log).
Next, if the client uses LiveEdit and the issuer of the client certificate is not trusted by the Java Runtime Environment (JRE) on the client
in which the LiveEdit plugin runs, import the issuer's certificate into the JRE's cacerts keystore with the JRE's keytool:
    keytool -importcert -trustcacerts -alias alias_for_your_ca -file your_ca_cert.pem -keystore /opt/jdk1.7.0_09/jre/lib/security/cacerts
(4) Debug LiveEdit Problems
If LiveEdit does not work and throws a Java exception, do the following to diagnose the problem:
First, find the log file for the plugin.
For Firefox, look at "Tools -> Add-ons -> Nuxeo LiveEdit Protocol Handler -> Preferences" and find the working directory. For Windows,
search under the user directory for the log file. The log file may exist only AFTER the Java exception is thrown and is named "nuxeo-liveedit-openoffice-extension.log".
Then, inspect the log file and search for a solution.
The log file may contain the complete stack trace and other information that helps diagnose the problem.
Server-end Debugging
When something goes wrong it is worth checking:
If something does not work through the Apache front end, does it work against Nuxeo directly? (i.e. is it an Apache issue?)
/var/log/apache2 - reproduce the failure and check the logs here; anything unusual? (not 200 or 3XX? especially 4XX?)
/var/log/nuxeo - the Nuxeo log
Known Potential Problems & Solutions
1. Lack of ServerAlias / ServerName directives causes Live Edit to fail
See http://answers.nuxeo.com/questions/4609/nuxeo-live-edit-throws-a-java-npe
Symptom: "javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name" found in the Live Edit log
Solution: add the "ServerName" and "ServerAlias" directives to the Apache configuration
2. Server certificate not trusted by the client Java environment in which the Live Edit plugin is running
Solution: import the issuer (CA) certificate, see above
3. The client Java environment does not provide a client certificate to the server while the server requests certificate authentication
Workaround: do not request authentication for resources that Live Edit requests, see above
4. Uploading a document that exceeds a certain size fails
Symptom: 413 status codes on POST requests in ssl_access.log, indicating an over-size request; "could not buffer message body to allow SSL renegotiation to proceed" in error.log
Reason: when the SSLVerifyClient directive is used, or anything else requires the request to be buffered in memory for renegotiation, large POST requests (file uploads)
can fail. See the Apache documentation for the SSLRenegBufferSize directive.
Workaround: simply increasing the buffer size is not a good solution, because it opens the door to denial-of-service attacks and a memory buffer can hardly
be large enough for uploads. Instead, just do not request client verification for upload resources.
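As an added example (not from this page), a small Python triage helper that applies the checks listed under "Server-end Debugging" and in problem 4 above to ssl_access.log and error.log lines: it flags every 4xx/5xx response per path and pairs 413s on POST with the renegotiation-buffer message. The log lines are constructed samples; the upload path in them is a placeholder.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, which the CustomLog line in the default-ssl
# configuration above writes to ssl_access.log.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Message mod_ssl writes to error.log when SSLRenegBufferSize is exceeded.
RENEG_MSG = "could not buffer message body to allow SSL renegotiation to proceed"

def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = COMBINED_RE.match(line)
    return None if m is None else dict(m.groupdict(), status=int(m.group("status")))

def find_problems(access_lines, error_lines=()):
    """Summarise what the page says to look for: every 4xx/5xx per
    (method, path, status), POSTs answered with 413, and renegotiation
    buffer errors from error.log."""
    errors = Counter()
    upload_413 = []
    for rec in filter(None, map(parse_line, access_lines)):
        if rec["status"] >= 400:
            errors[(rec["method"], rec["path"], rec["status"])] += 1
        if rec["method"] == "POST" and rec["status"] == 413:
            upload_413.append(rec["path"])
    reneg = [l for l in error_lines if RENEG_MSG in l]
    return {"errors": dict(errors), "upload_413": upload_413, "reneg_errors": reneg}

# Constructed sample lines (not from a real server; the upload path is a placeholder).
SAMPLE_ACCESS = [
    '10.0.0.5 - - [12/Mar/2013:10:15:01 +0800] "GET /nuxeo/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2013:10:15:03 +0800] "GET /nuxeo/nxstartup.faces HTTP/1.1" 403 234 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2013:10:16:10 +0800] "POST /nuxeo/placeholder/upload HTTP/1.1" 413 0 "https://nutest.test.com/nuxeo/" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2013:10:17:00 +0800] "GET /nuxeo/nxliveedit.faces?x=1 HTTP/1.1" 302 0 "-" "Java/1.7.0_09"',
]
SAMPLE_ERROR = [
    "[Tue Mar 12 10:16:10 2013] [error] [client 10.0.0.7] " + RENEG_MSG,
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(find_problems(SAMPLE_ACCESS, SAMPLE_ERROR))
```

A 403 on nxstartup.faces together with no upload 413 points at the certificate checks in the <ProxyMatch> block; a POST 413 matched by a renegotiation message in error.log is problem 4.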