Setting up NGINX SSL reverse proxy for Tomcat

November 25th, 2011 by bananos

Setting up Tomcat in some cases can be pain in the ass, especially when your application is pretty complex, in terms of large number of upstream servers which you all want to proxy via SSL.

In my case, I was playing around with Shindig — an OpenSocial container, which itself is a Java servlet delivered via Apache Tomcat server.

 

 

The goal was to reverse proxy Shindig through SSL, i.e. it should be able to access it via

https://localhost/gadgets/

with localhost being served by Nginx.

Initial schema

nginx tomcat reverse proxy schemaInitial nginx config

daemon off; worker_processes 2; error_log /var/log/nginx_error.log info; user bananos staff; events { worker_connections 1024; } http { include /opt/nginx/conf/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"'; ignore_invalid_headers on; index index.html; client_header_timeout 240; client_body_timeout 240; send_timeout 240; client_max_body_size 100m; proxy_buffer_size 128k; proxy_buffers 8 128k; upstream tomcat_server { # Tomcat is listening on default 8080 port server 127.0.0.1:8080 fail_timeout=0; } server { server_name localhost; listen 443; ssl on; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; #make sure you already have this certificate pair! ssl_certificate /var/certs/server.crt; ssl_certificate_key /var/certs/server.key; ssl_session_cache shared:SSL:10m; # www-root, we're serving static files from here, accessible via https://localhost/ location / { root /var/www; index index.html index.htm; } # Our endpoint for tomcat reverse-proxy, assuming your endpoint java-servlet knows # how to handle http://localhost/gadgets requests location /gadgets { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; proxy_connect_timeout 240; proxy_send_timeout 240; proxy_read_timeout 240; # note, there is not SSL here! plain HTTP is used proxy_pass http://tomcat_server; } } }

Tomcat config

And here the magic begins, the main point to not miss here is

Tomcat needs to be explicitly told that it’s being proxied through 443(SSL) port!

Here is a sample Tomcat config which is usually found at

{$CATALINA_HOME}/conf/server.xml

Page 1 of 3 | Next page

Posted in sysadmin | 9 comments

Previous post:
Next post: