Configuring nginx for use with Tomcat and SSL


Solution 1

We have a similar configuration at my work; nginx terminates SSL and passes raw HTTP back to tomcat. Our application uses multiple domain names.

We've found that it is sufficient to add the lines to server.xml:

    scheme="https"
    proxyPort="443"

proxyName was not required, nor were any other changes, either to Tomcat or to nginx.

Solution 2

It's been more than six months but I'll give it a shot. I think you are missing the X-Forwarded-Proto header. Relevant virtual host configuration on nginx:

        server_name jira.site.com;
        ...
        location /jira {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8080/jira;
        }

In some cases, like JIRA above for example, you need to tell Tomcat that it's behind a proxy:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               scheme="https"
               proxyName="jira.site.com"
               proxyPort="443"/>

That way you may end up with several ports for every application but it works just fine.

As for troyengel's, why would I bother with "Nginx + Tomcat"? Well, nginx is way faster and takes next to nothing both memory- and CPU-wise. That way there are more resources to waste, on Tomcat for example. :/

Finally, I wouldn't call Apache-AJP13-Tomcat a proper integration, not anymore. Once you enable the Tomcat APR Listener:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

and sendfile (with tcnative library), the whole thing just flies. Then you just serve out static content directly from nginx and you still have enough power to run everyone's favorite php sites by proxying to php-fpm.

Well, that's just from my experience, ymmv though.
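A check for the Connector settings that Solution 1 and Solution 2 describe, as an added example that is not part of either answer: it parses a server.xml and lists, per HTTP Connector, which proxy-related attributes are missing. The function name `audit_connectors` and the sample server.xml are constructed for illustration; the `secure` and `address` checks go beyond what the answers mention and rely on standard Tomcat Connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from Solution 2 plus an untouched default one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               URIEncoding="UTF-8" redirectPort="8443"
               scheme="https" proxyName="jira.site.com" proxyPort="443"/>
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(server_xml, public_port="443"):
    """Return {connector port: [findings]} for each HTTP Connector in server.xml."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" in conn.get("protocol", "HTTP/1.1").upper():
            continue  # only the plain-HTTP hop from nginx is checked here
        findings = []
        if conn.get("scheme") != "https":
            findings.append("scheme is not https: the application builds http:// URLs")
        if conn.get("proxyPort") != public_port:
            findings.append(f"proxyPort is not {public_port}: URLs may carry the wrong port")
        if conn.get("proxyName") is None:
            findings.append("proxyName unset: hostname depends on the Host header nginx forwards")
        if conn.get("secure") != "true":
            # Assumption beyond the answers: a standard Connector attribute.
            findings.append("secure is not true: request.isSecure() returns false")
        if conn.get("address") not in LOOPBACK:
            # Assumption beyond the answers: without address, Tomcat binds all interfaces.
            findings.append("address is not loopback: port may be reachable without nginx")
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"Connector {port}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

On the sample, the Solution 2 Connector passes the scheme, proxyPort and proxyName checks and is flagged only for `secure` and `address`; the default Connector on 8081 is flagged for all five.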


Author: Janine Ohmer

Updated on September 17, 2022

Comments

  • Janine Ohmer almost 2 years

    I have Googled and looked at various sample SSL configurations and it seems like I've got things set up right, but there are two problems:

    1. When I load https://mysite.com, the lock that should appear in the upper right corner of the browser window does not appear.
    2. The Java application behind the scenes uses httpUtil.GetRequestURL() to get the current request and it is http://mysite.com.

    I have tried setting the Host header to $host instead of $http_host, and I've tried setting proxy_redirect to set the URL to https, but neither had any effect.

    My SSL config is below. Can someone please tell me what I've done wrong?

    server {
        listen       443;
        server_name  dev.mysite.com;
    
        access_log  /var/log/nginx/dev_mysite_access.log;
        error_log  /var/log/nginx/dev_mysite_error.log;
    
        ssl on;
        ssl_certificate /export/nginx/certs/mysite.com.crt;
        ssl_certificate_key /export/nginx/certs/mysite.com.key;
    
        location / {
            # give site more time to respond
            proxy_read_timeout 120;
    
            # needed to forward user's IP address
            proxy_set_header  X-Real-IP  $remote_addr;
    
            # needed for HTTPS
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_max_temp_file_size 0;
    
            proxy_pass http://localhost:8081;
        }
    }
    
    • Janine Ohmer almost 14 years
      An additional detail - if I set Host to https://dev.mysite.com, I get the lock in the browser and the back end gets the right value. But the proxy_pass redirect to http://localhost:8081 doesn't happen, so I get blank pages. I have no idea why that would be, but that is what seems to be happening. Maybe a clue for someone who knows more about how nginx works than I do!
    • Admin almost 14 years
      Let me go out on a limb here, but if you're using an 800lb Java-based gorilla why are you using nginx? I would switch to Apache and use mod_jk which can be tuned and uses the AJP13 binary protocol for proper Tomcat integration. Apache + Tomcat = win, Nginx + Tomcat = why bother?
    • John over 13 years
      Hi, did you ever solve this problem? I am having exactly the same issue.
  • jfneis over 5 years
    It was all that was needed for our case too. Tks!
  • Freeze over 3 years
    In my case the proxyName was required. Other than that this solution works. Thanks