Hi Sean,

If you use Nginx in front of OFBiz, you don't have to touch ofbizssl.jks, as 
the SSL connection is only between the client and Nginx; Nginx to OFBiz is by 
HTTP. So let Nginx use your public key and private key files directly, i.e.:
        ssl_certificate      cert.pem;
        ssl_certificate_key  cert.key;

On 52.165.18.243, I'd suggest using the internal IPs of Azure, and the 
nginx config may look like:
        upstream ofbiz { 
            server 10.1.99.100:8080 srun_id=jvm1;
            server 10.1.99.101:8080 srun_id=jvm2;
        
            jvm_route $cookie_JSESSIONID reverse;
        }
        ...
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
            proxy_connect_timeout      240;
            proxy_send_timeout         240;
            proxy_read_timeout         240;
            # note, there is no SSL here! plain HTTP is used
            proxy_pass http://ofbiz/;
        }

In framework/catalina/ofbiz-component.xml (set jvm-route to jvm1 or jvm2):
        <property name="default-server" value="engine">
            <property name="default-host" value="0.0.0.0"/>
            <property name="jvm-route" value="jvm2"/>
        ...
        <property name="http-connector" value="connector">
            <property name="allowTrace" value="false"/>
            <property name="emptySessionPath" value="false"/>
            <property name="enableLookups" value="false"/>
            <property name="maxPostSize" value="2097152"/>
            <property name="protocol" value="HTTP/1.1"/>
            <property name="proxyName" value="10.1.99.101"/>
            <property name="proxyPort" value="443"/>
            <property name="redirectPort" value="8443"/>
            <property name="scheme" value="https"/>
            <property name="secure" value="false"/>
            <property name="URIEncoding" value="UTF-8"/>
            <property name="useBodyEncodingForURI" value="false"/>
            <property name="xpoweredBy" value="true"/>
            <!-- HTTP connector attributes -->
            <property name="acceptCount" value="10"/>
            <property name="address" value="10.1.99.101"/>
            <property name="bufferSize" value="2048"/>
            <property name="compression" value="on"/>
            <property name="compressableMimeType" value="text/html,text/xml,text/plain,text/javascript,text/css"/>
            <property name="noCompressionUserAgents" value=""/>
            <property name="connectionLinger" value="-1"/>
            <property name="connectionTimeout" value="60000"/>
            <property name="disableUploadTimeout" value="false"/>
            <property name="maxHttpHeaderSize" value="4096"/>
            <property name="maxKeepAliveRequests" value="100"/>
            <property name="maxSpareThreads" value="50"/>
            <property name="maxThreads" value="100"/>
            <property name="minSpareThreads" value="4"/>
            <property name="port" value="8080"/>
            <property name="restrictedUserAgents" value=""/>
            <property name="server" value=""/>
            <property name="socketBuffer" value="9000"/>
            <property name="strategy" value="lf"/>
            <property name="tcpNoDelay" value="true"/>
            <property name="threadPriority" value="java.lang.Thread#NORM_PRIORITY"/>
        </property>

I think it's OK now for the Nginx OFBiz integration, but you cannot get the 
remote client IP in OFBiz, as X-Real-IP is not accepted by Tomcat. If the remote 
IP is necessary, you have to add several lines to the Tomcat source code to 
achieve it.

Kind Regards,

Shi Jinghai

PS: I like your blockfreight very much, it's the first time I understood block 
chain when I visited your website. Thanks!
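
An added example, not part of the original e-mail and not OFBiz or Tomcat code: with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` as in the config above, nginx appends the address it saw to whatever header the client sent, so a backend that wants the client IP has to read the header from the right, and only when the TCP peer is the proxy. The proxy address 10.1.99.50, the sample client addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the internal address nginx uses to reach OFBiz (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.99.50/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Return the address to log or rate-limit on for one request.

    peer_addr       -- source address of the TCP connection to the backend
    x_forwarded_for -- raw header value, or None if absent
    """
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = peer_addr
    # Walk right to left: each entry was appended by the hop to its right,
    # so it is only believable while that hop is a proxy we trust.
    for hop in reversed(hops):
        if not is_trusted(candidate, trusted):
            break  # candidate is the first address nobody trusted vouches for
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
    return candidate


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For as received by the backend)
    samples = [
        ("10.1.99.50", "6.6.6.6, 203.0.113.7"),  # client forged the first entry
        ("198.51.100.9", "10.1.99.50"),          # request bypassed nginx entirely
        ("10.1.99.50", "not-an-ip"),             # garbage header via the proxy
    ]
    for peer, header in samples:
        print(peer, "|", header, "->", client_ip(peer, header))
```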


-----Original Message-----
From: Sean Turner [mailto:sean.tur...@blockfreight.com] 
Sent: March 7, 2018 11:12
To: user@ofbiz.apache.org
Subject: Deploying Ofbiz on Cloud with Nginx

Hi All,

I'm trying to deploy Ofbiz on an ubuntu 16.04 VM on Azure.

I've got nginx, java version 1.8.0_161, and ofbiz 16.11 downloaded on the VM. I 
can run nginx on the VM and see the welcome to Nginx page on my browser, but I 
notice an error when running ./gradlew ofbiz (please see my reply for the 
error) which I believe prevents me from reaching my ofbiz instance with the 
browser.

Does anyone have any advice for me, or perhaps relevant reading material on 
configuring ofbiz to go through nginx (also open to apache http server)?
Everything I've seen on user@ofbiz is either out of date, or leads to a webpage 
that has been removed.

I ran the following lines to generate my ssl keys:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
openssl x509 -outform der -in cert.pem -out cert.der
keytool -genkey -keyalg RSA -alias ssl -keystore ofbizssl.jks
keytool -import -alias ssl -trustcacerts -file cert.der -keystore ofbizssl.jks

I modified the following files:

>> framework/catalina/ofbiz-component.xml
under container catalina-container, I changed the default-host to my VM's public IP (52.165.18.243) from 0.0.0.0
under container http-connector, I changed the address to my VM's public IP (52.165.18.243) from 0.0.0.0, left port at 8080
under container https-connector, I changed the address to my VM's public IP (52.165.18.243) from 0.0.0.0, left port at 8443

>> framework/webapp/config/url.properties
port.https=443
port.http=80

>> etc/nginx/conf.d/ofbiz-ssl.conf
upstream ofbiz {
  server 52.165.18.243:8080;
  server 52.165.18.243:8080;
}

>> etc/nginx/conf.d/ofbiz-ssl.conf
upstream ofbiz-ssl {
  server 52.165.18.243:8443;
  server 52.165.18.243:8443;
}

>> etc/nginx/sites-available/ofbiz
server {
    server_name your.domain.name;
    listen 80;
    # if you have IPv6 support
    listen [::]:80;

    # ... // your custom settings can go here
    # include proxy_params;
    # proxy_set_header X-Forwarded-Proto $scheme;

    root /home/sean/ofbiz.16.11;

    location / {
        try_files $uri $uri/ @ofbiz;
    }

    location @ofbiz {
        proxy_pass http://ofbiz;

        proxy_read_timeout 180s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for;
    }
}

server {
    # given a domain name, change 52.165.18.243 to my domain name
    # server_name your.domain.name;
    server_name 52.165.18.243;
    listen 443 ssl;
    # if you have IPv6 support
    listen [::]:443 ssl;

    # your custom settings go here

    # include proxy_params;
    # proxy_set_header X-Forwarded-Proto $scheme;

    ssl_certificate /home/sean/cert.der;
    ssl_certificate_key /home/sean/key.pem;

    root /home/sean/ofbiz.16.11;

    location / {
        try_files $uri $uri/ @ofbiz;
    }

    location @ofbiz {
        proxy_pass https://ofbiz-ssl;

        proxy_read_timeout 180s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for;
    }
}
