Problem with Java Admin Client and https

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Problem with Java Admin Client and https

Markus Schnöpf
Dear List,

we are running several eXist-db instances (mostly version 3.2.0) behind nginx as a proxy. We are aware of the regarding chapters in Adam Retter's book and the online documentation.

One of nginx' duties is to redirect requests per http to https. As the responses of /webstart/exist.jnlp contain references to http-resources, the Java Admin Client doesn't work as any subsequent requests violate the same-origin-policy.

From the proxy's point of view a 301-response to a request of an http resource is never followed by a request via https as e.g. any browser does.
The client raises a FailedDownloadException and an IllegalURLRedirect. Changing the codebase in the returned jnlp-file to https doesn't have any effect.

Is there a way we can tell exist to use the https within the codebase?
Does it respect the X-Forwarded-Proto or Forwarded header?
Would it be possible to download or somehow else obtain the full Admin Client bytecode and invoke it locally to connect to any eXist-db instance?



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem with Java Admin Client and https

Stéphane Sire
Dear Markus,

Can't you make an SSH tunnel to your eXist-DB instance (by-passing nginx forward proxy) and using the Java admin client of a local version of eXist-DB installed on your development machine through the tunnel to access your production server(s). That's what I usually do and it works well. You can even configure NGINX so that it does not relay requests to all the eXist-DB administration services for security.

For instance if your production server is running eXist-DB on port 8080 (the upstream port used by NGINX) you can directly open the SSH tunnel issuing this command on a terminal on your development machine :

ssh -L 3000:localhost:8080 {username}@{production server IP address}

Then you can connect with your local eXist-DB instance launching the Java admin client with ./bin/client.sh (in your local EXIST-HOME installation directory) and enter the following URL (assuming you used local port 3000 as the other tunnel end-point) :

xmldb:exist://localhost:3000/exist/xmlrpc

Does this help ?

Stéphane S.
---




Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem with Java Admin Client and https

Markus Schnöpf
Dear Stéphane, dear list,

we found a trick to get the java admin client working. I have now locally on my desktop computer exist installed, where I can start the java admin client. Then I can enter the adress of our deployment exist-server, check Use SSL connection and then I can use the admin client for the administration of our exist instances. You gave us the right hint.

Thanks, Markus

> Am 21.07.2017 um 15:09 schrieb Stéphane Sire <[hidden email]>:
>
> Dear Markus,
>
> Can't you make an SSH tunnel to your eXist-DB instance (by-passing nginx
> forward proxy) and using the Java admin client of a local version of
> eXist-DB installed on your development machine through the tunnel to access
> your production server(s). That's what I usually do and it works well. You
> can even configure NGINX so that it does not relay requests to all the
> eXist-DB administration services for security.
>
> For instance if your production server is running eXist-DB on port 8080 (the
> upstream port used by NGINX) you can directly open the SSH tunnel issuing
> this command on a terminal on your development machine :
>
> ssh -L 3000:localhost:8080 {username}@{production server IP address}
>
> Then you can connect with your local eXist-DB instance launching the Java
> admin client with ./bin/client.sh (in your local EXIST-HOME installation
> directory) and enter the following URL (assuming you used local port 3000 as
> the other tunnel end-point) :
>
> xmldb:exist://localhost:3000/exist/xmlrpc
>
> Does this help ?
>
> Stéphane S.
> ---
>
>
>
>
>
>
>
>
> --
> View this message in context: http://exist.2174344.n4.nabble.com/Problem-with-Java-Admin-Client-and-https-tp4672408p4672409.html
> Sent from the exist-open mailing list archive at Nabble.com.
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Exist-open mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/exist-open

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

signature.asc (817 bytes) Download Attachment
Loading...