On Thu, Jan 7, 2010 at 5:35 AM, Gaëtan GUYODO <gaetan.guy...@lrb.aphp.fr> wrote:
> I tried to force xwiki.url.protocol=https in xwiki.cfg, without results.
> I tried to create another wiki, same problem.
> I tried to add the full URL as alias, doesn't work !
>
> => I don't have any trouble accessing by
> http://localhost:8080/xwiki/wiki/xwiki
> but I can't access the same wiki using external SSL URL
> https://mydomain/xwiki/wiki/xwiki

You can't run SSL on a random port, and HTTPS, bound to 443, is privileged and requires a privileged process (that's why a high-number port like 8080 is used by default, it's a random, nonprivileged port). Since you don't want to run java as a privileged process, but people trust apache to run this way, you use a connector ( http://tomcat.apache.org/connectors-doc/reference/apache.html ) to bridge between java and a secure SSL front-end.

Although tomcat can do SSL, it's better and more secure to front tomcat with Apache Httpd: use mod_proxy <http://httpd.apache.org/docs/2.0/mod/mod_proxy.html> and mod_proxy_ajp <http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html> to talk to tomcat, and mod_ssl <http://www.modssl.org/> to handle SSL (helpful security hint that is de rigueur for hospital and patient data: use mod_auth_mysql <http://modauthmysql.sourceforge.net/> and client-side certificates <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6> to prevent any access from those without client certs... see "fake basic auth" concept in http://www.modssl.org/docs/2.8/ssl_reference.html#SSLOptions ... if you don't have a client-certificate access, you get redirected to the "public" part of the web like in http://ipssources.net )

Quickndirty configuration hints:

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
<IfModule mod_proxy.c>
    ProxyRequests Off
    ## NPM: see http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Performances#HModProxyAJPConfiguration
    ProxyPreserveHost On
</IfModule>

Niels
http://nielsmayer.com
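
An added example, not part of the message above and not the XWiki project's own configuration: the front end the reply describes, written out as one Apache httpd 2.2 virtual host in which mod_ssl terminates HTTPS on port 443, a client certificate is required, and mod_proxy_ajp forwards /xwiki/ to Tomcat on loopback. The host name wiki.example.org and every file path are placeholders, and the Tomcat connector shown in the comment is an assumed server.xml setting.

```apache
# Added example. ServerName and all file paths are placeholders.
LoadModule ssl_module       modules/mod_ssl.so
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Listen 443

<VirtualHost *:443>
    ServerName wiki.example.org

    # mod_ssl terminates HTTPS here. httpd binds port 443 at startup and
    # serves requests from unprivileged children; Tomcat stays on high ports.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/wiki.example.org.crt
    SSLCertificateKeyFile /etc/httpd/ssl/wiki.example.org.key

    # Client certificates: the handshake fails unless the browser presents
    # a certificate issued by this CA.
    SSLCACertificateFile /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    # Hand the external Host header to Tomcat so the wiki sees the
    # public host name rather than 127.0.0.1:8009.
    ProxyPreserveHost On

    # Assumed Tomcat side (server.xml): AJP listening on loopback only, e.g.
    #   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/
</VirtualHost>

# Plain HTTP requests for the wiki are sent to the HTTPS virtual host.
<VirtualHost *:80>
    ServerName wiki.example.org
    Redirect permanent /xwiki/ https://wiki.example.org/xwiki/
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before a restart. If the distribution's ssl.conf already contains `Listen 443` or the `LoadModule` lines, drop the duplicates from this file.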