Configuring Nginx HTTP Reverse-Proxy

Exposing OpenKM directly from Tomcat can be dangerous if the application needs to be accessed from the Internet (for example https://issues.jboss.org/browse/JBAS-3861). As a result it can be infected by PerlBot. Also, port 8080 may be blocked by a firewall. For these reasons, it is a good idea to expose your OpenKM installation through the standard web port 80. In the following steps we explain how to configure Nginx to handle these requests and forward them to the Tomcat application server over HTTP.

From the Apache documentation: The AJP13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.

Internal IP vs external IP

Your OpenKM can be accessed from two different zones: Internet and LAN. This means that to access this server you need to use two IPs: external IP (Internet) and internal IP (LAN).

The internal IP address (also known as "local IP address") is the address assigned by your local network router, and often begins with 192.168.x.x. These IP addresses can only be seen by other computers in your local network (LAN) and not by computers connected to an external network such as the Internet.

To reach the Internet or a computer in another network your computer is often assigned an external IP address, which can then be used to refer to the computer in your local network.

In the above picture, there are three computers in the local network that have each been assigned their own internal IP address by the router. The ISP is connected to the router and gives the router an external IP address that allows it to communicate with the Internet. On the Internet everyone sees your external IP address, but any information coming from the router is "converted" from the external IP address to the internal IP address.

So if you want your OpenKM installation to be accessible from both the LAN and the Internet, the trick is to configure the client computers to resolve the internal IP (192.168.0.50) if they are inside the LAN, or the external IP if they are on the Internet. To resolve the Internet IP (67.166.214.148) your computer uses the public DNS. So you need to configure some sort of DNS server inside the LAN, or modify the hosts file on every client so that the name resolves to the internal IP.

Debian and Ubuntu

The first thing is to install Nginx. On Debian / Ubuntu you can install it with a single command:

$ sudo apt-get install nginx

Now create the configuration file /etc/nginx/sites-available/openkm with this content:

$ vim /etc/nginx/sites-available/openkm

server {
    listen 80;
    server_name openkm.your-domain.com;

    # Avoid checking files size #
    client_max_body_size 0;

    rewrite ^/$ /OpenKM permanent;

    location /OpenKM/frontend/webSocket {
        proxy_pass http://localhost:8080/OpenKM/frontend/webSocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

    location /OpenKM {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080/OpenKM;
    }
}

Replace openkm.your-domain.com with your server IP or your domain name.

Enable this site configuration:  

$ ln -s /etc/nginx/sites-available/openkm /etc/nginx/sites-enabled/

Check the configuration

Restart Nginx:

$ sudo /etc/init.d/nginx restart

Check that you can access your OpenKM installation at http://openkm.your-domain.com/.
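The proxy only protects Tomcat if port 8080 is no longer reachable from outside the host. The following check is an added example, not part of the OpenKM documentation; the function name and the sample `ss -ltn` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the OpenKM documentation.
# exposed_listeners PORT: read `ss -ltn` output on stdin and print every
# listener on PORT that is bound to a non-loopback address.
# Exit status is 1 when at least one such listener exists.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                           # "Local Address:Port" column
            if (!match(addr, /:[0-9]+$/)) next  # last colon, so IPv6 works
            host = substr(addr, 1, RSTART - 1)
            if (substr(addr, RSTART + 1) != port) next
            sub(/^\[/, "", host); sub(/\]$/, "", host)   # [::1] -> ::1
            sub(/%.*$/, "", host)               # drop a scope such as %lo
            if (host ~ /^(::ffff:)?127\./ || host == "::1") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `ss -ltn` output: Nginx on port 80 and a Tomcat whose
# HTTP connector listens on every interface (the default).
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      100                *:8080            *:*
LISTEN 0      1 [::ffff:127.0.0.1]:8005            *:*'

# Constructed sample after binding the connector to the loopback address.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      100 [::ffff:127.0.0.1]:8080          *:*'

printf '%s\n' "$SAMPLE_DEFAULT" | exposed_listeners 8080 ||
    echo "Tomcat is still reachable directly, bypassing Nginx"
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_listeners 8080 &&
    echo "port 8080 is loopback-only"
```

On the server, run `ss -ltn | exposed_listeners 8080`; if it prints an address, bind the Tomcat HTTP connector to loopback with the `address` attribute of its `<Connector>` element in `server.xml`, or block the port in the firewall.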

Another advantage of using Nginx is that you can log OpenKM access and generate web statistics.

Red Hat and CentOS

Use the yum application manager to install Nginx:

$ sudo yum install nginx

Enable it at boot:

$ sudo chkconfig nginx --level 2345 on

Depending on your CentOS version, the packaged Nginx version may be too old, so it is better to install it from the nginx.org repositories. To do this, create a file called /etc/yum.repos.d/nginx.repo and include one of these configurations:

CentOS

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

RedHat

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/rhel/$releasever/$basearch/
gpgcheck=0
enabled=1
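Both definitions above set `gpgcheck=0`, so yum installs the Nginx packages without verifying their signature. The following audit is an added example, not part of the OpenKM documentation; the function name is hypothetical and both inputs are constructed, the second using the signing-key URL published by nginx.org.

```shell
#!/bin/sh
# Added example, not part of the OpenKM documentation.
# audit_repo reads a yum .repo file on stdin and reports each section that
# explicitly turns package signature verification off. Exit status 1 if any.
audit_repo() {
    awk '
        function report() {
            if (section == "" || tolower(gpg) !~ /^(0|false|no|off)$/) return
            msg = section ": gpgcheck=" gpg " disables package signature checks"
            if (url ~ /^http:/) msg = msg "; baseurl is plain HTTP"
            print msg
            bad = 1
        }
        /^\[.*\]$/ { report(); section = $0; gpg = ""; url = ""; next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpg = val
            if (key == "baseurl")  url = val
        }
        END { report(); exit (bad ? 1 : 0) }
    '
}

# Constructed input 1: the CentOS repo definition as given on this page.
PAGE_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1'

# Constructed input 2: the same repo with verification on. The gpgkey URL is
# the signing key nginx.org publishes for its own packages.
FIXED_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key'

printf '%s\n' "$PAGE_REPO" | audit_repo ||
    echo "fix the repo definition before installing"
printf '%s\n' "$FIXED_REPO" | audit_repo && echo "repo definition verifies packages"
```

Pipe the real file through it with `audit_repo < /etc/yum.repos.d/nginx.repo` before running `yum install nginx`.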

Now create the configuration file /etc/nginx/conf.d/openkm.conf with this content:

$ vim /etc/nginx/conf.d/openkm.conf

server {
    listen 80;
    server_name openkm.your-domain.com;

    # Avoid checking files size #
    client_max_body_size 0;

    rewrite ^/$ /OpenKM/ permanent;

    location /OpenKM/frontend/webSocket {
        proxy_pass http://localhost:8080/OpenKM/frontend/webSocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

    location /OpenKM {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080/OpenKM;
    }
}

Replace openkm.your-domain.com with your server IP or your domain name.

Check the configuration

Restart Nginx:

$ sudo /etc/init.d/nginx restart

Check that you can access your OpenKM installation at http://openkm.your-domain.com/.

If you can't access the server port from other machines, please take a look at your firewall configuration. For more info read How To Set Up a Basic Iptables Firewall on Centos 6.

Another advantage of using Nginx is that you can log OpenKM access and generate web statistics.

If you see this kind of error in the Nginx log:

connect() to 127.0.0.1:8080 failed (13: Permission denied)

Execute this command, which sets the SELinux boolean that allows the web server to make outbound network connections, and try again:

$ setsebool -P httpd_can_network_connect on

These are some useful commands related to SELinux:

Get all HTTP-related settings:

$ getsebool -a | grep httpd

More information at SELinux Booleans.