SSL Reverse Proxy for Flex application using nginx

I have configured nginx to act as a reverse SSL proxy for a backend of Tomcat instances serving an in-house Flex application. The aim is to get an active/backup pair. The configuration looks like:

                        |----- serverb:8080 (10.0.0.1:8080) (http)
servera:443 (ssl) ------|
                        |----- serverc:8080 (10.0.0.2:8080) (http) (backup)

This configuration seems to work well for static html (I can see a “check.txt” textfile on the webroot of serverb, and when I kill that tomcat instance, I can refresh and see the “check.txt” on serverc). So nginx is failing over to the backup server. All good.

My problems begin when I try to log into the Flex application. The AMF channels fail and I can see the following in my tomcat logs:

SEVERE: Servlet.service() for servlet MessageBrokerServlet threw exception
flex.messaging.security.SecurityException: Secure endpoint '/messagebroker/amfsecure' must be contacted via a secure protocol.

In my nginx logs I see:

10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/BalanceServlet HTTP/1.1" 200 71 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/messagebroker/amfsecure HTTP/1.1" 404 1054 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/messagebroker/amfsecure2 HTTP/1.1" 404 1057 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/messagebroker/amfsecure3 HTTP/1.1" 404 1057 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

The devs had suggested that the code downloaded to the browser used whatever it saw in the url bar to decide how it brings up the AMF channels. So the browser to nginx was using SSL, but nginx to the tomcat instances is using http.

Looking at remote-config.xml, I have the following default channels:

<default-channels>
       <channel ref="my-amf"/>
       <channel ref="my-amf2"/>
       <channel ref="my-amf3"/>
       <channel ref="ack-amf"/>
       <channel ref="my-secure-amf"/>
       <channel ref="my-secure-amf2"/>
       <channel ref="my-secure-amf3"/>
       <channel ref="sack-amf"/>
</default-channels>

Is this configuration where the problem lies?

Answer

I experienced something similar but didn’t know Flex so I am not sure if I am using the correct terminology below. If it is the same issue I had, a tool like HTTPFox will show your amf requests going to the website using http (not https) to port 443.

The fix was on the Flex side, where the client configuration had to be set up to utilize secure endpoints or channels (or both). This tells the flash/flex app that amf requests should be set to https instead of the configuration’s default of http.

Attribution
Source : Link , Question Author : The_Viper , Answer Author : mahnsc
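
A sketch of the channel setup the answer points at, added here as an example and not taken from the question or the answer. It assumes BlazeDS-style channel definitions in services-config.xml, reuses the channel id `my-secure-amf` from the question and the endpoint path from the Tomcat log, and assumes TLS ends at nginx so that Tomcat only ever sees plain http.

```xml
<!-- Added example, not the poster's configuration. -->
<channels>
    <!-- Before (commented out): the server-side endpoint class is
         SecureAMFEndpoint. It rejects any request that Tomcat did not itself
         receive over TLS, which is every request arriving from nginx on 8080. -->
    <!--
    <channel-definition id="my-secure-amf"
                        class="mx.messaging.channels.SecureAMFChannel">
        <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                  class="flex.messaging.endpoints.SecureAMFEndpoint"/>
    </channel-definition>
    -->

    <!-- After: the client-side class stays SecureAMFChannel and the URL stays
         https, so the Flash client sends AMF over TLS to servera:443. The
         server-side class becomes AMFEndpoint, which accepts the http hop
         from nginx. -->
    <channel-definition id="my-secure-amf"
                        class="mx.messaging.channels.SecureAMFChannel">
        <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                  class="flex.messaging.endpoints.AMFEndpoint"/>
    </channel-definition>
</channels>

<!-- In the destination's default-channels, list only the secure channel so
     the client has no plain-http channel to fall back to. -->
<default-channels>
    <channel ref="my-secure-amf"/>
</default-channels>
```

With the server-side class relaxed, Tomcat no longer enforces TLS itself, so port 8080 on serverb and serverc should accept connections only from the nginx host.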
