Submitted by anne on 10 Oct 2011
OFBiz can quite happily service all http and https requests on its own, and many people run it this way.
However there are many possible reasons why you might want to put OFBiz behind a traditional http server, such as Apache. Perhaps you want to more efficiently serve static resources, or manage virtual domains, or restrict access in complicated ways, or also serve php or cgi pages.
Typically OFBiz is placed behind Apache using a connector such as mod_proxy_ajp, as documented at How To Httpd.
Another option is to use nginx instead of Apache. This is the option we normally choose.
Nginx does not have the extensive feature set of Apache, so for some situations Apache is definitely the better choice. But we think nginx is a much better option if you don’t need those infrequently-used features. Some of the reasons why we choose nginx are:
- efficient serving of static content
- small memory footprint (we often use VPS systems with less than 1GB of RAM, so this is important)
- easy to serve “traditional” web sites and pages alongside OFBiz
- simpler and smaller attack surface
- easier to configure IP and similar access restrictions (than via OFBiz)
- easier to apply traffic limits
- easier to configure SSL certificates
For us, the first two reasons are the important ones; the others are bonuses.
So, how do we put OFBiz (or in our case, Bonsai ERP) behind nginx?
We will have OFBiz listening to its usual ports 8443 and 8080, but only at the localhost interface (127.0.0.1). It will no longer respond on those ports to outside requests.
Nginx will listen to the standard web ports 80 and 443, at the public interface, so it will respond to requests from outside.
Any request received by nginx will be immediately forwarded to OFBiz. The response generated by OFBiz will be sent by OFBiz to nginx, which will then forward it to the original requester.
We will also tell OFBiz that it should not generate links using its default settings. If it did, then it would generate links similar to https://localhost:8443/, which will not work. Instead we will force it to generate links of the form https://www.example.com/, which can be handled by nginx.
The first step is to ensure OFBiz is listening only to localhost (127.0.0.1). To do this, edit framework/base/config/ofbiz-containers.xml and change every
<property name="address" value="0.0.0.0"/>
to
<property name="address" value="127.0.0.1"/>
Now we ensure OFBiz uses the correct URLs.
Edit framework/webapp/config/url.properties and ensure the following settings:
port.https=443
force.https.host=www.example.com
port.http=80
force.http.host=www.example.com
Replace www.example.com with the domain name you will be using to access OFBiz.
Next we configure nginx (I assume you’ve already installed it – see also http://wiki.nginx.org/). I won’t cover basic nginx settings; the nginx web site covers those. Here I will discuss only those settings relevant to getting nginx and OFBiz talking to each other.
We use one server section for the SSL server, and another for the non-SSL. As far as the Bonsai ERP relevant settings are concerned, the two setups are almost identical. So let’s look at the non-SSL setup first, and then I’ll explain what is different for the SSL setup.
In the non-SSL server section, ensure you have a location section like this:
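location / {
    # Forward every request to OFBiz on the loopback interface
    proxy_pass http://127.0.0.1:8080;
    # Pass the original host name and client address through to OFBiz
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}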
This tells nginx to forward all requests directly to the server listening on port 8080 of localhost, which in our case is OFBiz. We also set some specific headers so OFBiz has the possibility to know where the request is really coming from.
The SSL server section should have an almost identical location section. The only difference is that the 8080 should instead be 8443.
It’s probably a good idea to check your firewall is blocking outside connections to ports 8080 and 8443.
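One way to confirm that the binding change above took effect, as an added example that is not part of the original article: the function below reads `ss -ltnH` output and reports any listener on ports 8080 or 8443 that is not bound to a loopback address. The function names and the sample rows are assumptions made for illustration; it checks socket bindings only, not firewall rules.

```shell
#!/bin/sh
# Added example (not from the original article): flag OFBiz backend ports
# that accept connections on anything other than a loopback address.
# Input on stdin: `ss -ltnH` rows (State Recv-Q Send-Q Local:Port Peer:Port).

BACKEND_PORTS="8080 8443"   # the OFBiz ports used in this article

# Prints each non-loopback backend listener; exit status 1 if any is found.
exposed_backend_listeners() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            gsub(/\[|\]/, "", addr)                # drop IPv6 brackets
            sub(/%.*$/, "", addr)                  # drop scope suffix such as %lo
            if (!(port in want)) next
            # Loopback forms: 127.0.0.0/8, ::1, IPv4-mapped ::ffff:127.x
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print $4
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 [::ffff:127.0.0.1]:8080 *:*
LISTEN 0 100 *:8443 *:*
EOF
}

# Demo on the sample; on a live host use: ss -ltnH | exposed_backend_listeners
sample_ss_output | exposed_backend_listeners || echo "backend port exposed"
```

An empty result with exit status 0 means both backend ports are reachable only from the machine itself, so all outside traffic has to pass through nginx.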
And that’s it! You should now be able to access OFBiz via nginx, which is listening to ports 80 and 443.
Of course, this setup is very basic, and does not really take advantage of the presence of nginx. For example, even images are being served by the heavyweight OFBiz. It would be much better if they could be served directly by nginx.
In future articles we will see how to extend this configuration to take advantage of nginx’s presence.
In recent versions (I use 16.11.05), edit
framework/base/ofbiz-component.xml
instead.