1

I have nginx serving as reverse proxy for a glassfish server with ssl, serving three glassfish context's, one demo site, one jenkins and one glassfish admin server. Root is redirected to the demo site. Http is redirected to https, nginx doing the ssl offloading. All is working perfectly exept two issues:

  1. When browsing the first time to the demo site (or after deleting browser history) i get the glassfish root without being redirected to https. Doing a refresh i get redirected correctly to the https demo site.
  2. When browsing to the glassfish admin i get a blank page, the index of the admin page is loaded correctly, but all resources aren't loaded (404). The nginx error log shows me the following errors: 2015/11/19 08:27:13 [error] 12656#0: *2 open() "/usr/share/nginx/html/resource/community-theme/images/login-product_name_open.png" failed (2: No such file or directory), client: <ip-address>, server: demo.domain.nl, request: "GET /resource/community-theme/images/login-product_name_open.png HTTP/1.1", host: "demo.domain.nl", referrer: "https://demo.domain.nl/admin/"

Any help greatly appreciated! Below you can find my nginx conf:

    server {
      listen        80;
      listen        [::]:80;
      server_name       demo.domain.nl;
      return        301 https://$server_name$request_uri;
    }

    server {
      listen        443 default ssl;
      server_name       demo.domain.nl;

      client_max_body_size  5M;

      ssl           on;
      ssl_certificate   conf.d/ssl/demo.domain.nl.crt;
      ssl_certificate_key   conf.d/ssl/demo.domain.nl.key;

      ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers           RC4:HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      keepalive_timeout 60;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout   10m;

      access_log        /var/log/nginx/demo.https.access_log;
      error_log     /var/log/nginx/demo.https.error_log;
      rewrite_log       on;

      location = / {
        rewrite ^ /demo/ last;
      }

      location /demo/ {
            proxy_pass http://localhost:8080/demo/;
            proxy_next_upstream error timeout invalid_header http_500         http_502 http_503 http_504;
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;
            proxy_redirect     off;
      }

      location /jenkins/ {
            proxy_pass http://localhost:8080/jenkins/;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;
            proxy_redirect     off;
     }

      location /admin/ {
            proxy_pass https://localhost:4848/;
            proxy_redirect      https://localhost:4848 https://demo.domain.nl/admin;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;
      }
    }
s.ijpma
  • 111
  • 4

1 Answers1

3

I had a lot of trouble making GF4.1 admin console work ok with an Nginx reverse proxy so leaving this here in case anybody comes looking.

The big trouble is not making it work, but that GlassFish's web app uses many XMLHttpRequests which make life hard. See below a working config. I listeneed on 8484 as a sort of "hiding" of the console but you can listen on something else, should work fine. Note you might not need all these settings to just get it working. We had rather strict requirements on ciphers etc. but it will get you an A+ rating on ssllabs

server {

listen 8484;
server_name yourdomain.com;

ssl on;
ssl_certificate /path/to/linked.crt;
ssl_certificate_key /path/to/keyfile.key;

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
client_max_body_size 4G;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers On;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 !DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem; #NB generate custom dhparam for logjam as follows: openssl dhparam -out dhparams.pem 2048
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
ssl_stapling on;

access_log /var/log/nginx/nginx-access.log;
error_log /var/log/nginx/nginx-error.log;

location / {
    proxy_connect_timeout       300;
    proxy_send_timeout          300;
    proxy_read_timeout          300;
    send_timeout                300;
    proxy_pass_request_headers on;
    proxy_no_cache $cookie_nocache  $arg_nocache$arg_comment;
    proxy_no_cache $http_pragma     $http_authorization;
    proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
    proxy_cache_bypass $http_pragma $http_authorization;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host:$server_port; #Very nb to add :$server_port here
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Access-Control-Allow-Origin *;
    proxy_set_header Access-Control-Allow-Origin *;
    proxy_redirect /web/ https://yourdomain.com:8484/web/; #silly Xmlhttprequests
    proxy_pass https://127.0.0.1:4848;
#       proxy_ssl_verify              off; #include this is using Nginx > 1.8
    }
}
D2TheC
  • 141
  • 3
  • 1
    I have the same problem with payara. Your configuration is not working for me, unfortunately. I'm using payara version 5.2020 and the latest version of nginx 1.18 in Ubuntu 20.04 – codyLine Sep 22 '20 at 14:40