Overview

I attempted to install Alfresco Governance Services Community Edition, referring to the following manual, so here are my notes.

https://support.hyland.com/r/Alfresco/Alfresco-Governance-Services-Community-Edition/23.4/Alfresco-Governance-Services-Community-Edition

References

A similar walkthrough is available at the following link. Please refer to it as well.

https://irisawadojo.blogspot.com/2020/11/72alfresco2.html

Virtual Machine

The following machine was created as an Azure virtual machine.

  • Image: Ubuntu Server 24.04 LTS - Gen2
  • VM Architecture: x64
  • Size: Standard D2ads v6 (2 vcpus, 8 GiB memory)

Open port 8080 for use.

Installing Docker

Install Docker.

sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg

# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo tee /etc/apt/keyrings/docker.asc > /dev/null
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

# Install Docker
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Run Docker without sudo
sudo usermod -aG docker $USER
newgrp docker

# Verify Docker installation
docker run hello-world

Installation

Use “Install using Docker Compose” as described below.

https://support.hyland.com/r/Alfresco/Alfresco-Governance-Services-Community-Edition/23.4/Alfresco-Governance-Services-Community-Edition/Install/Install-using-Docker-Compose

Start with the following.

git clone https://github.com/Alfresco/acs-deployment
cd acs-deployment/docker-compose

Edit the community-compose.yaml file in this directory and change the following two image lines. The manual says quay.io/alfresco/alfresco-governance-repository-community:23.x.x, but specify docker.io instead.

    # image: docker.io/alfresco/alfresco-content-repository-community:23.4.0
    image: docker.io/alfresco/alfresco-governance-repository-community:23.4.0

    # image: docker.io/alfresco/alfresco-share:23.4.0
    image: docker.io/alfresco/alfresco-governance-share-community:23.4.0

Then, start the containers with the following.

docker compose -f community-compose.yaml up

For example, it can be accessed at http://localhost:8080/share.

Custom Domain Configuration

Try assigning a custom domain using Amazon Route 53 or similar. Here, the following is used as an example.

alfresco-demo.aws.ldas.jp

At this point, accessing http://alfresco-demo.aws.ldas.jp:8080/share/ displayed the following after login.

To address this, make the following changes.

  share:
    # image: docker.io/alfresco/alfresco-share:23.4.0
    image: docker.io/alfresco/alfresco-governance-share-community:23.4.0
    mem_limit: 1g
    environment:
      # CSRF_FILTER_ORIGIN: http://localhost:8080
      CSRF_FILTER_ORIGIN: http://alfresco-demo.aws.ldas.jp:8080
      # CSRF_FILTER_REFERER: http://localhost:8080/share/.*
      CSRF_FILTER_REFERER: http://alfresco-demo.aws.ldas.jp:8080/share/.*

As a result, the error was avoided even when accessing with the custom domain.

Accessing on Port 80

Next, let’s make it accessible on port 80. Mainly by changing the Traefik configuration, it became possible to access using a URL like http://alfresco-demo.aws.ldas.jp/share/.

There are 4 places to change.

...
      # CSRF_FILTER_ORIGIN: http://localhost:8080
      # CSRF_FILTER_ORIGIN: http://alfresco-demo.aws.ldas.jp:8080
      CSRF_FILTER_ORIGIN: http://alfresco-demo.aws.ldas.jp
      # CSRF_FILTER_REFERER: http://localhost:8080/share/.*
      # CSRF_FILTER_REFERER: http://alfresco-demo.aws.ldas.jp:8080/share/.*
      CSRF_FILTER_REFERER: http://alfresco-demo.aws.ldas.jp/share/.*
...
      # - "--entrypoints.web.address=:8080"
      - "--entrypoints.web.address=:80"
...
    ports:
      # - "8080:8080"
      - "80:80"

Accessing via HTTPS

Finally, modify it to allow access via HTTPS.

First, run the following.

mkdir -p ./letsencrypt
touch ./letsencrypt/acme.json
chmod 600 ./letsencrypt/acme.json

Then, make the following changes. Note the comments marked with HTTPS support.

...
    labels:
      - "traefik.enable=true"
      # - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
      - "traefik.http.routers.alfresco.rule=Host(`alfresco-demo.aws.ldas.jp`) && PathPrefix(`/`)" # HTTPS support
      - "traefik.http.services.alfresco.loadbalancer.server.port=8080"
      - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)"
      - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
      - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
      - "traefik.http.routers.alfresco.entrypoints=websecure" # HTTPS support
      - "traefik.http.routers.alfresco.tls.certresolver=myresolver" # HTTPS support
...
    environment:
      # CSRF_FILTER_ORIGIN: http://localhost:8080
      # CSRF_FILTER_ORIGIN: http://alfresco-demo.aws.ldas.jp:8080
      # CSRF_FILTER_ORIGIN: http://alfresco-demo.aws.ldas.jp
      CSRF_FILTER_ORIGIN: https://alfresco-demo.aws.ldas.jp
      # CSRF_FILTER_REFERER: http://localhost:8080/share/.*
      # CSRF_FILTER_REFERER: http://alfresco-demo.aws.ldas.jp:8080/share/.*
      # CSRF_FILTER_REFERER: http://alfresco-demo.aws.ldas.jp/share/.*
      CSRF_FILTER_REFERER: https://alfresco-demo.aws.ldas.jp/share/.*
...
    labels:
      - "traefik.enable=true"
      # - "traefik.http.routers.share.rule=PathPrefix(`/share`)"
      - "traefik.http.routers.share.rule=Host(`alfresco-demo.aws.ldas.jp`) && PathPrefix(`/share`)" # HTTPS support
      - "traefik.http.services.share.loadbalancer.server.port=8080"
      - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
      - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
      - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
      - "traefik.http.routers.share.entrypoints=websecure" # HTTPS support
      - "traefik.http.routers.share.tls.certresolver=myresolver" # HTTPS support
...
    labels:
      - "traefik.enable=true"
      # - "traefik.http.routers.aca.rule=PathPrefix(`/content-app`)"
      - "traefik.http.routers.aca.rule=Host(`alfresco-demo.aws.ldas.jp`) && PathPrefix(`/content-app`)" # HTTPS support
      - "traefik.http.middlewares.acaroot.stripprefix.prefixes=/content-app"
      - "traefik.http.middlewares.acaforceslash.redirectregex.regex=^(.*/content-app)$$"
      - "traefik.http.middlewares.acaforceslash.redirectregex.replacement=$${1}/"
      - "traefik.http.middlewares.acachain.chain.middlewares=acaforceslash,acaroot"
      - "traefik.http.routers.aca.middlewares=acachain@docker"
      - "traefik.http.routers.aca.entrypoints=websecure" # HTTPS support
      - "traefik.http.routers.aca.tls.certresolver=myresolver" # HTTPS support
...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.acc.rule=PathPrefix(`/control-center`) || PathPrefix(`/admin`)"
      - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin,/control-center"
      - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/(admin|control-center))$$"
      - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
      - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
      - "traefik.http.routers.acc.middlewares=accchain@docker"
      - "traefik.http.routers.acc.entrypoints=websecure" # HTTPS support
      - "traefik.http.routers.acc.tls.certresolver=myresolver" # HTTPS support
...
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      # - "--entrypoints.web.address=:8080"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.traefik.address=:8888"
      - "--accesslog=true"
      - "--providers.docker.exposedByDefault=false"
      - "--ping.entrypoint=web"
      - "--ping=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"  # HTTPS support
      - "--certificatesresolvers.myresolver.acme.email=[xxx@example.org]" # Needs modification  # HTTPS support
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"  # HTTPS support
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"  # HTTPS support
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"  # HTTPS support
      - "--entrypoints.websecure.address=:443"  # HTTPS support
    ports:
      # - "8080:8080"
      - "80:80"
      - "443:443"  # HTTPS support
      - "8888:8888"
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 20s
      timeout: 10s
      retries: 3
      start_period: 10s
    security_opt:
      - label=disable # Required for accessing the Docker socket on Selinux enabled systems
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt  # HTTPS support

This made it accessible at the following address.

https://alfresco-demo.aws.ldas.jp/share/
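
A lint for the settings edited in the steps above, as an added example rather than code from the original post or the Alfresco project: it checks that the CSRF filter values track the public URL, that every router bound to websecure carries a tls.certresolver label, and whether the Traefik API is published on 8888 with --api.insecure=true. The function names and the sample fragment are constructed for illustration, and treating CSRF_FILTER_ORIGIN as an exact string and CSRF_FILTER_REFERER as a regex is an assumption based on the values shown.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a trimmed fragment in the style of the edited
# community-compose.yaml, with ".tls." left out of one label on purpose.
SAMPLE = """\
      CSRF_FILTER_ORIGIN: https://alfresco-demo.aws.ldas.jp
      # CSRF_FILTER_REFERER: http://localhost:8080/share/.*
      CSRF_FILTER_REFERER: https://alfresco-demo.aws.ldas.jp/share/.*
      - "traefik.http.routers.share.entrypoints=websecure"
      - "traefik.http.routers.share.tls.certresolver=myresolver"
      - "traefik.http.routers.aca.entrypoints=websecure"
      - "traefik.http.routers.aca.certresolver=myresolver"
      - "--api.insecure=true"
      - "8888:8888"
"""

def active_lines(text):
    """Yield stripped lines, skipping blanks and whole-line YAML comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def lint(compose_text, public_url):
    """Return a list of findings for the settings this page edits."""
    joined = "\n".join(active_lines(compose_text))
    u = urlsplit(public_url)
    origin = f"{u.scheme}://{u.netloc}"
    findings = []
    # Assumption: origin is compared as a string, referer as a regex.
    env = dict(re.findall(r"^(CSRF_FILTER_\w+):\s*(\S+)", joined, re.M))
    if env.get("CSRF_FILTER_ORIGIN") != origin:
        findings.append(f"CSRF_FILTER_ORIGIN should be {origin}")
    referer = env.get("CSRF_FILTER_REFERER", "")
    if not referer or not re.fullmatch(referer, origin + "/share/page/"):
        findings.append(f"CSRF_FILTER_REFERER does not match {origin}/share/")
    # Every router bound to websecure needs routers.<name>.tls.certresolver.
    secure = set(re.findall(r"routers\.(\w+)\.entrypoints=websecure", joined))
    resolved = set(re.findall(r"routers\.(\w+)\.tls\.certresolver=", joined))
    for name in sorted(secure - resolved):
        findings.append(f"router {name}: websecure without tls.certresolver")
    # --api.insecure=true serves the API without auth on the traefik entrypoint.
    if "--api.insecure=true" in joined and '"8888:8888"' in joined:
        findings.append("Traefik API/dashboard published unauthenticated on 8888")
    return findings
```

To run it against the real file, pass the contents of community-compose.yaml and the URL users will type into the browser; an empty list means all three checks passed.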

Summary

Initially, I tried a bulk find-and-replace of localhost and port 8080, but it did not work well, so I verified the behavior step by step as described above.

There are still many areas that have not been fully verified, and there may be some errors, but I hope this serves as a useful reference.