Discussion:
[Exist-open] Problem with Java Admin Client and https
Markus Schnöpf
2017-07-20 14:32:55 UTC
Dear List,

We are running several eXist-db instances (mostly version 3.2.0) behind nginx as a proxy. We are aware of the relevant chapters in Adam Retter's book and the online documentation.

One of nginx's duties is to redirect requests via http to https. As the responses of /webstart/exist.jnlp contain references to http resources, the Java Admin Client doesn't work, as any subsequent requests violate the same-origin policy.

From the proxy's point of view, a 301 response to a request for an http resource is never followed by a request via https, as e.g. any browser would do.
The client raises a FailedDownloadException and an IllegalURLRedirect. Changing the codebase in the returned jnlp-file to https doesn't have any effect.

Is there a way we can tell eXist to use https within the codebase?
Does it respect the X-Forwarded-Proto or Forwarded header?
Would it be possible to download or otherwise obtain the full Admin Client bytecode and invoke it locally to connect to any eXist-db instance?
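
A diagnostic for the symptom described in this post, as an added example that is not part of the original message or of eXist-db: it parses a JNLP descriptor, resolves every href against the codebase, and lists the references that are not https. The descriptor, host name and file names below are constructed placeholders, not the output of a real eXist-db instance.

```python
"""Added example: list the URLs a JNLP descriptor refers to and flag
those that are not https. The sample descriptor is constructed."""
from urllib.parse import urljoin, urlsplit
import xml.etree.ElementTree as ET

# Constructed sample; host, icon and jar names are placeholders (assumptions).
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://db.example.org/webstart/" href="exist.jnlp">
  <information>
    <title>Admin Client</title>
    <homepage href="https://db.example.org/"/>
    <icon href="logo.jpg"/>
  </information>
  <resources>
    <jar href="start.jar" main="true"/>
    <jar href="https://db.example.org/webstart/lib/client.jar"/>
  </resources>
</jnlp>"""


def non_https_references(jnlp_text):
    """Return sorted (element, absolute_url) pairs whose scheme is not https."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    findings = set()
    if codebase and urlsplit(codebase).scheme != "https":
        findings.add(("jnlp@codebase", codebase))
    # root.iter() also visits <jnlp> itself, so its own href is checked too.
    for elem in root.iter():
        href = elem.get("href")
        if href is None:
            continue
        # Relative hrefs are resolved against the codebase attribute.
        absolute = urljoin(codebase, href)
        if urlsplit(absolute).scheme != "https":
            findings.add((elem.tag, absolute))
    return sorted(findings)


if __name__ == "__main__":
    for tag, url in non_https_references(SAMPLE_JNLP):
        print(f"{tag}: {url}")
```

Each URL it prints is one that a proxy redirecting http to https would answer with a 301.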
Stéphane Sire
2017-07-21 13:09:28 UTC
Dear Markus,

Can't you make an SSH tunnel to your eXist-DB instance (bypassing the nginx
forward proxy) and use the Java admin client of a local version of
eXist-DB installed on your development machine through the tunnel to access
your production server(s)? That's what I usually do and it works well. You
can even configure NGINX so that it does not relay requests to all the
eXist-DB administration services for security.

For instance, if your production server is running eXist-DB on port 8080 (the
upstream port used by NGINX), you can directly open the SSH tunnel by issuing
this command in a terminal on your development machine:

ssh -L 3000:localhost:8080 {username}@{production server IP address}

Then you can connect with your local eXist-DB instance by launching the Java
admin client with ./bin/client.sh (in your local EXIST-HOME installation
directory) and entering the following URL (assuming you used local port 3000 as
the other tunnel endpoint):

xmldb:exist://localhost:3000/exist/xmlrpc

Does this help?

Stéphane S.