I have Apache in front and then tomcat. Problem is am getting assets url(url of JavaScript and CSS files) as https://_xxx.com:3100/ when I check in the browser console.
I want to avoid the port number, I want those assets to be served on port 443 so that the urls would be: https://_xxx.com/
I have tried setting portal.instance.https.port=false but that didn't remove the port number.
How can I configure things in Liferay so that those assets are served over port 443?
This is rather a configuration issue, and normally, in these kind of scenarios you do not want Liferay's port to be visible at all. Please check your port properties:
web.server.https.port=443
web.server.http.port=80
web.server.protocol=https
Additionally, your proxy needs to be set up in a way that tells Liferay that it is running behind a proxy for a more complete set up:
web.server.forwarded.host.enabled=true
web.server.forwarded.host.header=X-Forwarded-Host
web.server.forwarded.port.enabled=true
web.server.forwarded.port.header=X-Forwarded-Port
web.server.forwarded.protocol.enabled=true
web.server.forwarded.protocol.header=X-Forwarded-Proto
To get an example of configuration for your apache proxy instance, you can use this link: liferay-behind-a-reverse-proxy
Related
I have two sites in my IIS 8 server. Site MyProjectA and MyProjectB, for each project I have a domain name, lets say myprojecta.com and myprojectb.com. I have set in my DNS provider that both domains points to the server IP. I have configured so MyProjectA runs on 443 and MyprojectB runs on 8181, both SSL.
So if I browse to:
https://myprojecta.com I see MyProjectA and its working fine
If I browse to:
https://myprojectb.com:8181 I see MyProjectB and that is working
fine.
But now I wonder, how can I configure so I can omit the :8181 part, and in turn reach MyProjectB site by browsing to https://myprojectb.com only (and with correct certificate). As far as I understood this should be possible with a reverse proxy configuration in IIS but I cannot get it to work. Anyone can help how to achieve that?
Since you are using IIS 8, the simplest approach is to set up multiple HTTPS sites at port 443 using SNI support. Then there is no need of reverse proxy.
Reference
I am injecting some script tags in a website, with source such as http:localhost:3000/css/my-page-css.css . While its working on almost all sites, there's this particular website that is somehow sending all my http requests as https. How do I handle such a case?
I have configured an https server also on my nodejs app which listens to port 8443 and http listens to 3000. But, when I inject my script tags, they have src URLS which point to port 3000. So even if I have an https configured on my nodejs app, it won't work since it would be listening to a different port.
You are using HTTP Strict Transport Security (HSTS)
Using the securityheader.com website on your URL, or Chrome Developer tools we see the following HTTP Header is sent back by your site:
Strict-Transport-Security max-age=7889238
This HTTP Header will be configured in your webserver and is a way of your webserver telling the browser "For the next 7889238 seconds only use HTTPS on this domain. If someone tries to use HTTP (either by typing or by clicking on a link) then automatically switch HTTP to HTTPS before you send it on to the server."
This is a security feature as currently the default (if a scheme is not explicitly given) is HTTP. This allows website owners to switch the default and, even strong that that, prevents it being able to be switched back.
HSTS is set at a domain level and it is not possible to have it on for one port (e.g. 443) but not for another (e.g. 3000) - it's either on for that domain or off.
If you really want to use HTTP then you need to remove this header and remove the remembered value of this header from your browser. While chrome allows you to do this by typing chrome://net-internals/#hsts in the URL and using the delete option, the easiest way to do this is to change the max age from 7889238 to 0, and then load the website again. And then remove the header completely.
This can be especially annoying for sites like localhost where you proxy requests and inadvertently set it for that dummy host name. You should see if your node proxy server allows you to strip off that HTTP header. Some might say it would be better if browser makers ignored HSTS for localhost, however I think it would be better if developers just stopped fighting HTTPS and used that even for development environments using a self-signed certificate that is added to your local trust store. This was you can avoid problems like mixed content, and also use features that are HTTPS only (including Brotli, HTTP/2, Geo Location...etc.) while developing (though some browsers like Chrome still allow these on http://localhost).
Alternatively set up a local DNS alias for each of your dev sites and use that with or without HTTPS as appropriate for the site in question.
We have a site hosted on IIS using http (port 80)
and we have a new site hosted on Node using https (port 443)
For reasons I won't go into too much, we can't use IISNode to run all websites on IIS.
This setup works unless someone uses https to reach one of the IIS hosted websites.
to reproduce:
http://nameprintgraphics.com -> IIS website
https://npgcloud.com -> Node website
if you type in https://nameprintgraphics.com however, you go to the node website. I want to prevent this behaviour. Since node is listening to port 443, is there a way to validate the hostname and if it's incorrect, redirect the user to http.
I know this is a bit of a convoluted way to fix things, but please work with me to find an interim solution to this problem. IISNode is preventing a legacy silverlight app from working in IIS for reasons I have yet to determine.
Why not check req.headers.host in your node app and if it matches, then simply send a redirect response immediately? For example:
// You may/may not want to append the `req.url` to the destination as well
res.writeHead(302, { Location: 'http://nameprintgraphics.com' });
res.end();
Confluence IIS Reverse Proxy Setup
I have set up a reverse proxy on IIS 7.5 for Atlassian Confluence according to instructions found in the internet.
I wanted to redirect all traffic to "docs.unimaze.com" to "localhost:8090" on the same server.
This is how I did it:
Installed URL Rewrite 2.0
Installed Application Request Routing 3.0
Set up a reverse proxy rule:
Match URL: Matches the pattern (.*) using regular expressions (ignore case)
Conditions: (none)
Server variables: (none)
Action: Rewrite with http://localhost:8090/{R:1} (append to query string and stop processing of subsequent rules.
The only other thing I had to in order to make everything work (from https://serverfault.com/questions/76013/iis6-vs-iis7-and-iis7-5-handling-urls-with-plus-sign-in-base-not-querystr) was to run this command on the server so that URL's with "plus signs" in the URL's would be allowed.
%windir%\system32\inetsrv\appcmd set config "WebSiteName"
-section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
Problem with external redirects
Confluence itself, seems to work perfectly BUT when attempting to edit a module from an external application (LucidChart Diagrams it fails), because a redirection to the external application also is rewritten, e.g. an attempt is made to redirect to this URL:
http://docs.unimaze.com/documents/edit/4b157fd9-8e28-4d70-8587-0fdd0839fbca?callback=...
when the redirect should actually be to the external application, so it should remain untouched by the rewriting rule:
https://www.lucidchart.com/documents/edit/4b157fd9-8e28-4d70-8587-0fdd0839fbca?callback=...
Is there an easy way to solve this?
This here helped: appcmd.exe set config -section:system.webServer/proxy /reverseRewriteHostInResponseHeaders:"False" -commit:apphost
In UI, the setting corresponding to this action on the Application Request Routing in IIS on the server node (select „Server Proxy Settings“) should be unchecked.
However, this had the effect that the page can not be loaded in Internet Explorer 11 L
The page is shown, but with empty space where the diagram is and it tries loading something forever.
In Firefox and Chrome it works fine.
I have no idea why it "freezes" in IE 11. Will check from other machines to see if this is always happening or not.
The easiest way to handle this is to take advantage of IIS host headers and make the proxied site believe it is responding as www.example.com:80 rather than localhost:8080. It turns out the AAR reverse proxy has an equivalent of Apache's ProxyPerserveHost setting it just isn't very well documented nor exposed in the UI.
To enable this setting you will need to open an elevated shell and run:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true
Then configure the target site to listen at 127.0.0.1:80 with the appropriate host header and then configure the proxy to proxy back to localhost with the request and it should line up.
We have a domain name with DNS management facility. We also have a web application developed in a GlassFish server hosted in a virtual server with a path is
http://198.98.103.233:8080/pemis/
I want to direct to the home page of that application when some one type the domain name. After navigating through the pages, we must be able to see
http://www.pemis.lk/faces/public.xhtml
in the browser rather than
http://198.98.103.233:8080/pemis/faces/public.xhtml
How can we configure that.
Thanks in advance.
You need to install your application as the root application in Glassfish, as explained here. But it's not hard:
asadmin deploy --contextroot "/" your-webapp.war
or set the context-root property in the sun-web.xml or glassfish-web.xml depending on the version of Glassfish you use.
To change the port Glassfish listens on you need to modify the HTTP Listener configuration. On default installations you'll want to change http-listener-1's port. You can do so using the console. But you can also directly edit the domain's domain.xml:
<network-listeners>
<network-listener port="80" protocol="http-listener-1" transport="tcp" name="http-listener-1" thread-pool="http-thread-pool"></network-listener>
...
</network-listeners>
Last, to make www.pemis.lk point to that server you need a DNS entry that points to the address the server is attached to. The details of how to do that depend on the comapny that sold you the domain, quite often they have online tools that allow you to enter or modify the name-address mapping. In case of doubt it's best to contact them by phone or mail.
I'm on the same path and, as you don't posted the solution that you found (if you found it), I'll add here some future reference for anyone facing this problem.
I'll break the question in two parts: Eliminating host:port and changing how the URL behave.
I don't have a complete response to the first, however if you chose to listen at port 80, by HTML standard, you will supress the port on the URL, getting half the solution you want.
The second part, changing the URL behavior and/or shortening it can be achieved by either using mod_rewrite in apache or Tuckey's URL Rewrite Filter (http://www.tuckey.org/urlrewrite/). A google search using URL Rewrite can achieve you a more in depth explanation and there's a guide on the website.
You should, however, update your question with an answer, if you found one.