SSL for enonic xp site

Enonic version: Enonic XP 6.14
OS: Centos 8

Hi.

I’m using NGINX as a reverse proxy. Below are the configurations for mysite.com.

virtual.conf:
server {
    listen 80;
    server_name www.mysite.com mysite.com;
    return 301 https://mysite.com$request_uri;
}

ssl.conf:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl;
    server_name www.mysite.com mysite.com;

    ssl_certificate /etc/ssl/mysite.com/mysite.com.crt;
    ssl_certificate_key /etc/ssl/mysite.com/mysite.com.private.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://mysite.com:8080;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-for $remote_addr;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}

com.enonic.xp.web.vhost.cfg:
enabled = true

mapping.mysite.host = mysite.com
mapping.mysite.source = /
mapping.mysite.target = /portal/master/mysite
mapping.mysite.userStore = system


The line
proxy_pass http://mysite.com:8080;
in ssl.conf.
Is that the right way to set it up? It seems that this config makes the site load slowly.

Thanks for any advice.

Any reason you are running 6.14? We consider this an old version now. 6.15 is a newer 6 version, but I would recommend upgrading to XP 7 if possible. I don’t know anything about SSL or certificates, so I hope one of my co-workers can help you with that.

Hi,

You got it right that XP needs a proxy in front to serve HTTPS traffic. So this question is more about NGINX than XP. I can only direct you to the Nginx docs there. We are most familiar with Apache; here is an example of how that would work:

Note: Change xp:8080 to your upstream XP server.

<VirtualHost *:80>
  ServerName mysite.com

  ProxyRequests Off
  ProxyPreserveHost On

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*) https://mysite.com/$1 [L,R=301]
</VirtualHost>

<VirtualHost *:443>
  ServerName mysite.com

  SSLEngine on
  SSLCertificateFile /etc/ssl/mysite.com/mysite.com.crt
  SSLCertificateKeyFile /etc/ssl/mysite.com/mysite.com.private.key
  SSLCertificateChainFile /etc/ssl/mysite.com/mysite.com.ca

  RequestHeader set X-Forwarded-Proto "https"

  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://xp:8080/
  ProxyPassReverse / http://xp:8080/

  RewriteEngine on

  # Rewrite all variants to use base host name
  RewriteCond %{HTTP_HOST} !^mysite\.com$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://mysite.com/$1 [L,R]

  # Rewrites
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} / [NC]
  RewriteRule /(.*) ws://xp:8080/$1 [P,L]
</VirtualHost>
2 Likes
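
An nginx counterpart to the Apache example above, added here as an illustration and not taken from the thread or from Enonic's documentation. It assumes XP listens on 127.0.0.1:8080 on the same host as nginx; the upstream name xp_backend is hypothetical.

```nginx
# These blocks belong in the http context (e.g. a file under conf.d/).

# Send "Connection: upgrade" to the backend only for WebSocket requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Assumption: XP runs on the same machine. Addressing it by a fixed local
# address keeps the plaintext hop off the public hostname and its DNS record.
upstream xp_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    listen [::]:80;
    server_name www.mysite.com mysite.com;
    return 301 https://mysite.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.mysite.com mysite.com;

    ssl_certificate     /etc/ssl/mysite.com/mysite.com.crt;
    ssl_certificate_key /etc/ssl/mysite.com/mysite.com.private.key;

    # Same role as the Apache "Rewrite all variants" rule: XP only ever
    # sees the host named in mapping.mysite.host.
    if ($host != "mysite.com") {
        return 301 https://mysite.com$request_uri;
    }

    location / {
        proxy_pass http://xp_backend;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        # Same role as: RequestHeader set X-Forwarded-Proto "https"
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_read_timeout 86400;
    }
}
```

Run `nginx -t` to validate the syntax before reloading.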