Configuring nginx for use with Tomcat and SSL

Question

I have Googled and looked at various sample SSL configurations and it seems like I've got things set up right, but there are two problems:

When I load https://mysite.com, the lock that should appear in the upper right corner of the browser window does not appear.
The Java application behind the scenes uses httpUtil.GetRequestURL() to get the current request and it is http://mysite.com.

I have tried setting the Host header to $host instead of $http_host, and I've tried setting proxy_redirect to set the URL to https, but neither had any effect.

My SSL config is below. Can someone please tell me what I've done wrong?

server {
    listen       443;
    server_name  dev.mysite.com;

    access_log  /var/log/nginx/dev_mysite_access.log;
    error_log  /var/log/nginx/dev_mysite_error.log;

    ssl on;
    ssl_certificate /export/nginx/certs/mysite.com.crt;
    ssl_certificate_key /export/nginx/certs/mysite.com.key;

    location / {
        # give site more time to respond
        proxy_read_timeout 120;

        # needed to forward user's IP address
        proxy_set_header  X-Real-IP  $remote_addr;

        # needed for HTTPS
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_max_temp_file_size 0;

        proxy_pass http://localhost:8081;
    }
}

An additional detail - if I set Host to https: //dev.mysite.com, I get the lock in the browser and the back end gets the right value. But the proxy_pass redirect to http: //localhost:8081 doesn't happen, so I get blank pages. I have no idea why that would be, but that is what seems to be happening. Maybe a clue for someone who knows more about how nginx works than I do! — Janine Ohmer, Aug 19 '10 at 23:10
Let me go out on a limb here, but if you're using a 800lb Java based gorilla why are you using nginx? I would switch to Apache and use mod_jk which can be tuned and uses the AJP13 binary protocol for proper Tomcat integration. Apache + Tomcat = win, Nginx + Tomcat = why bother? — , Aug 20 '10 at 01:12
Hi, did you ever solve this problem? I am having exactly the same issue. — z0mbix, Dec 01 '10 at 15:15

score 7 · Answer 1 · answered Jul 18 '13 at 20:49

7

We have a similar configuration at my work; nginx terminates SSL and passes raw HTTP back to tomcat. Our application uses multiple domain names.

We've found that it is sufficient to add the lines to server.xml:

    scheme="https"
    proxyPort="443"

proxyName was not required, nor were any other changes, neither to tomcat nor to nginx.

answered Jul 18 '13 at 20:49

erik258

766
5
9

It was all that was needed for our case too. Tks! – jfneis Oct 15 '18 at 18:34
1

In my case the proxyName was required. Other than that this solution works. Thanks – Freeze Dec 18 '20 at 15:22

score 6 · Answer 2 · answered Feb 18 '11 at 20:43

It's been more than six months but i'll give it a shot. I think you are missing X-Forwarded-Proto header. Relevant virtual host configuration on nginx:

        server jira.site.com;
        ...
        location /jira {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8080/jira;
        }

In some cases, like JIRA above for example, you need to tell Tomcat that it's behind proxy:

   <Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443"
           scheme="https"
           proxyName="jira.site.com"
           proxyPort="443"/>

That way you may end up with several ports for every application but it works just fine.

As for troyengel's, why would I bother with "Nginx + Tomcat"? Well, nginx is way faster and take next to nothing both memory and cpu-wise. That way there are more resources to waste, on Tomcat for example. :/

Finally, I wouldn't call Apache-AJP13-Tomcat a proper integration, not anymore. Once you enable Tomcat APR Listener:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

and sendfile (with tcnative library), the whole thing just flies. Then you just serve out static content directly from nginx and you still have enough power to run everyone's favorite php sites by proxying to php-fpm.

Well, that's just from my experience, ymmv though.

Configuring nginx for use with Tomcat and SSL

2 Answers2

Linked