NGINX SSL Load Balancing with Liferay

Technical Blogs August 31, 2015 By Kamesh Sampath

Today I was trying to enable SSL with NGINX as a load balancer in front of a demo Liferay cluster, and I thought I would share how I did it in this small post. I am skipping certificate generation, where I followed the standard openssl way of creating a self-signed certificate.

In this simple setup the NGINX server handles all SSL traffic from the outside world; after SSL termination it hands the requests over to Liferay, which sits in the DMZ listening over plain HTTP.

To start with I created an nginx.conf with the configuration below. There are many more options you would set in a real-world deployment, but I kept this one very basic.

upstream liferay {
    # the backend "server host:port;" entries were not preserved on this page
}

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

server {
  # "listen 443 ssl;" replaces the deprecated "ssl on;" directive
  listen 443 ssl;
  # log file name under /var/log/nginx/ not preserved on this page
  access_log  /var/log/nginx/  main;

  # certificate and key file names not preserved on this page
  ssl_certificate /etc/nginx/ssl/;
  ssl_certificate_key /etc/nginx/ssl/;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # SSLv3 removed from the original list: it is broken (POODLE) and no client needs it
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # the stricter of the two cipher strings the post offered ("HIGH:!aNULL:!MD5" was the other)
  ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
  ssl_prefer_server_ciphers on;

  location / {
     # tell Liferay who the real client is and that the original request was HTTPS;
     # X-Forwarded-Proto is set to a literal, so a client-supplied value is never passed through
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
     proxy_set_header X-Forwarded-Proto https;
     proxy_redirect off;
     proxy_connect_timeout 240;
     proxy_send_timeout 240;
     proxy_read_timeout 240;

     proxy_pass http://liferay;
  }
}


Once the NGINX server was up and running, my next step was to configure Liferay to handle the proxy offloading.

To get Liferay + NGINX SSL up and running quickly, I made the following changes to Liferay's


Then, when I booted up the Liferay server, I could see the server available over (I added an /etc/hosts entry mapping to my NGINX server IP).

But this causes inconsistencies when you integrate Liferay with external systems that expect Liferay to send and receive over HTTPS, e.g. SAML SSO. The portal-setup-wizard settings are visible only to the Liferay application itself: Liferay can report the HTTPS scheme via web.server.protocol and the request server name via the corresponding web.server.* property, and make request.isSecure() return true. But when I hooked my server up to an IdP following my SAML SSO integration example, the integration broke, because the other integrated libraries, like org.opensaml, always see request.getScheme() as http and request.isSecure() as false. The simple reason is that those rely on the application server's (in my case Tomcat's) settings.

To overcome this inconsistency we can skip the portal-ext changes and instead make the change at the application server level. In the case of Tomcat we configure the Tomcat connector(s) in $LIFERAY_TOMCAT_HOME/conf/server.xml:

<!-- the attributes that followed connectionTimeout were not preserved on this page -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

Voila! Now my Liferay uses the HTTPS scheme even though its content is served over HTTP, with NGINX handling the SSL load.
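As an added example (not the post's own server.xml), here are the connector attributes Tomcat documents for exactly this situation, and, going one step beyond the post, the RemoteIpValve alternative that derives scheme, security flag and client address from the X-Forwarded-* headers the NGINX configuration above sets. The ports and the 10.0.0.0/8 proxy range are assumptions for the example.

```xml
<!-- Added example, not the post's own configuration. Assumes Tomcat's HTTP connector
     on 8080 and the public HTTPS endpoint on 443; the internalProxies range is an
     assumption for the example. -->

<!-- Option 1: hard-wire the connector. Every request on this connector reports
     getScheme() == "https", isSecure() == true and getServerPort() == 443, whatever
     the headers say. Only safe when nothing but the TLS-terminating proxy can reach
     port 8080, because a direct plain-HTTP request would also be reported as secure. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           scheme="https" secure="true" proxyPort="443" />

<!-- Option 2: derive it from the proxy's headers instead (placed inside <Engine> or <Host>).
     RemoteIpValve rewrites getRemoteAddr(), getScheme(), isSecure() and getServerPort()
     from X-Forwarded-For / X-Forwarded-Proto, but only when the immediate peer matches
     internalProxies; the headers are ignored when they arrive from any other address,
     so a client talking to Tomcat directly cannot spoof them. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}" />
```

Option 1 is what the post's fix amounts to and is the simplest when the connector is firewalled to the proxy. Option 2 is the one to use when the same connector may legitimately receive both direct and proxied traffic, or when the access log should show the real client address rather than the NGINX address.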


Liferay OSGi and SSH Access

Technical Blogs February 22, 2015 By Kamesh Sampath

Taking forward from where Ray left off with Telnet to Liferay OSGi, I am taking this a step further to enable SSH access to the Liferay OSGi console. Here are my two little reasons for wanting to do it:

  • I want to secure my OSGi console access; in fact we will go a step further and integrate Liferay Portal JAAS with the OSGi SSH console, thereby allowing all Liferay users to log on to the OSGi shell
  • I want to give the SSH'ed user the ability to execute Liferay API commands

Though I am done with the first point, the second will be part of another blog in this series :) as a few things need to be sorted out before I can make point #2 work as expected.

A good prerequisite for this is to have the OSGi console set up for Liferay. You can either follow @Ray's blog, or clone the Liferay Content Targeting repo and run the ant deploy command from $CONTENT_TARGETTING_REPO/apps/content-targeting/runtime-dependencies to have the necessary OSGi bundles deployed to your Liferay instance (this may deploy some additional Content Targeting bundles as well, which is harmless and can be ignored). For convenience, and to get you started quickly, I have attached the bundles here; they can be dropped into the $LIFERAY_HOME/deploy folder.

OK, let's get into action and set them up.

Which SSH bundles do I need?

  • org.apache.mina.core_2.0.7.v201401071602.jar
  • org.apache.sshd.core_0.7.0.v201303101611.jar
  • org.eclipse.equinox.console.jaas.fragment_1.0.0.v20130327-1442.jar
  • org.eclipse.equinox.console.ssh_1.0.100.v20131208-1728.jar
  • slf4j-api-1.7.5.jar or newer
  • slf4j-simple-1.7.5.jar or newer

You can download the mina and equinox bundles from the Equinox Download page; I used Luna SR1 at the time of writing this blog.

Once you have added these bundles, you need to add the following properties to your or



# OSGi 


# Telnet


## JAAS enabling


# Security settings, allowing SSH to use screenName



## Login
The next step is to create the JAAS configuration file "equinox_console_jaas.conf" as shown below at your preferred location; I typically create it at $LIFERAY_HOME/data/osgi.
equinox_console {
    // the login module class name that precedes "required" was not preserved on this page
    required debug=true;
};

The next step is to tell the ssh* bundles where our JAAS configuration file is. To do that, edit the "" in our Liferay Tomcat bundle to add the JVM options shown below:
CATALINA_OPTS="$CATALINA_OPTS -Dfile.encoding=UTF8  -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false -Duser.timezone=GMT -Xms2048m -Xmx2048m -XX:MaxPermSize=256m"

#JAAS Options



If you prefer a different path for the JAAS conf file, edit the "" JVM option above accordingly.

There you go, our setup is done and SSH will be enabled after restarting the server. It is a good idea to clean the existing $LIFERAY_HOME/data/osgi/state so that all our bundles start from a clean state.

Once the server is restarted, if you try ssh -p2525 test@localhost you might see the connection refused. This is because the SSH console bundle is designed to start lazily: telnet to the console with telnet localhost 11311, find the `Equinox Console SSH plugin` bundle and start it manually (a one-time activity; the state is maintained until the bundle is refreshed). Keep the telnet console bound to localhost as shown here, since unlike the SSH console it has no authentication of its own. Once the bundle is started, ssh -p2525 test@localhost will prompt you for a 'password'; give the same password you set for the "test" user in the Portal and you are logged on to the Liferay OSGi SSH shell.

That's it! In the next part of the series we shall see how to execute Liferay API commands as the Liferay user we have SSHed in as.




