
Folks,

We have a Java application running under Glassfish 4. I wanted to disable direct access to the Glassfish admin server by closing port 4848 at the firewall level and accessing it instead via a location directive in nginx (also offloading the SSL to nginx).

With secure admin turned on (asadmin enable-secure-admin) I can get into the admin server via https://foo.domain.com:4848 and administer it normally.

However, when I disable secure admin via asadmin disable-secure-admin and access it with the following location block

    # Reverse proxy to access Glassfish Admin server
    # NOTE(review): proxy_pass below carries no URI part, so the "/Glassfish"
    # prefix is forwarded to the DAS unchanged, while the console requests its own
    # assets at the site root (see the "/resource/..." path in the error log),
    # which this prefix location does not match.
    # NOTE(review): nothing here restricts who may reach this location. The DAS
    # sees every proxied request arriving over the loopback from 127.0.0.1, i.e.
    # as a local client, so the access control that disabled secure admin used to
    # provide must be supplied by nginx (allow/deny list or auth_basic) before
    # this location is exposed.
    location /Glassfish {
    proxy_set_header               Host $host;
      proxy_set_header               X-Real-IP $remote_addr;
      proxy_set_header               X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header               X-Forwarded-Proto $scheme;
      proxy_max_temp_file_size      0;
      client_max_body_size           10m;
      client_body_buffer_size        128k;
      proxy_send_timeout             90;
      proxy_read_timeout             90;
      proxy_buffering                off;
      proxy_buffer_size              4k;
      proxy_buffers                  4 32k;
      proxy_busy_buffers_size        64k;
      proxy_temp_file_write_size     64k;
      # Plain HTTP to the DAS on the loopback; the TLS hop ends at nginx.
      proxy_pass                            http://127.0.0.1:4848;
    }

via https://foo.domain.com/Glassfish, I get a blank screen, and the only reference I can find in the nginx error log is

2015/10/05 09:13:57 [error] 29429#0: *157 open() "/usr/share/nginx/html/resource/community-theme/images/login-product_name_open.png" failed (2: No such file or directory), client: 104.17.0.4, server: foo.domain.com, request: "GET /resource/community-theme/images/login-product_name_open.png HTTP/1.1", host: "foo.domain.com", referrer: "https://foo.domain.com/Glassfish"

Reading the docs and around the net, I do see that:

Secure Admin must be enabled to access the DAS remotely

Is what I'm trying to do simply impossible?

Edit: As requested below is the full nginx configuration.

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log  main;

    #sendfile            off;
    tcp_nopush          on;
    tcp_nodelay         off;
    #keepalive_timeout   65;
    types_hash_max_size 2048;

    # Default HTTP server on 80 port
    # Plain HTTP only redirects to HTTPS on the same host and path.
    server {
        listen       192.168.1.10:80 default_server;
        #listen       [::]:80 default_server;
        server_name  foo-dev.domain.com;
        return 301 https://$host$request_uri;
    }

    # Default HTTPS server on 443 port
    server {
      # NOTE(review): TLS on this server is enabled by "ssl on" below rather
      # than by the "ssl" parameter of listen.
      listen 443;
      server_name foo-dev.domain.com;
      ssl_certificate           /etc/ssl/certs/foo-dev.domain.com.crt;
      # NOTE(review): the private key is kept in the certificates directory;
      # confirm its file mode restricts it to the user running the nginx master.
      ssl_certificate_key       /etc/ssl/certs/foo-dev.domain.com.key;

      ssl on;
      ssl_session_cache  builtin:1000  shared:SSL:10m;
      # NOTE(review): TLSv1 and TLSv1.1 are enabled here; both are deprecated.
      # Trim the list to TLSv1.2 unless a legacy client still needs them.
      ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
      ssl_prefer_server_ciphers on;

      access_log            /var/log/nginx/foo-dev.domain.com.access.ssl.log;
        # Reverse proxy access to foo hospitality service implementation at BC back-end
        # NOTE(review): this hop is plain HTTP to a host name rather than the
        # loopback; if foo-dev.domain.com resolves to a non-loopback address the
        # traffic crosses the network in cleartext — confirm where it resolves.
        location /AppEndPoint {
          proxy_set_header               Host $host;
          proxy_set_header               X-Real-IP $remote_addr;
          proxy_set_header               X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header               X-Forwarded-Proto $scheme;
          proxy_max_temp_file_size      0;
          client_max_body_size           10m;
          client_body_buffer_size        128k;
          proxy_send_timeout             90;
          proxy_read_timeout             90;
          proxy_buffering                off;
          proxy_buffer_size              4k;
          proxy_buffers                  4 32k;
          proxy_busy_buffers_size        64k;
          proxy_temp_file_write_size     64k;
          proxy_pass                            http://foo-dev.domain.com:8080;
        }

        # Reverse proxy to access Glassfish Admin server
        # NOTE(review): proxy_pass carries no URI part, so the "/Glassfish" prefix
        # is forwarded to the DAS unchanged, while the console requests its assets
        # at the site root ("/resource/..." in the error log); no location here
        # matches those, so nginx served them from its own html root.
        # NOTE(review): nothing restricts who may reach this location, and the DAS
        # sees every proxied request arriving over the loopback from 127.0.0.1,
        # i.e. as a local client. Add an allow/deny list or auth_basic to this
        # location before exposing it.
         location /Glassfish {
        proxy_set_header               Host $host;
      proxy_set_header               X-Real-IP $remote_addr;
      proxy_set_header               X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header               X-Forwarded-Proto $scheme;
      proxy_max_temp_file_size      0;
      client_max_body_size           10m;
      client_body_buffer_size        128k;
      proxy_send_timeout             90;
      proxy_read_timeout             90;
      proxy_buffering                off;
      proxy_buffer_size              4k;
      proxy_buffers                  4 32k;
      proxy_busy_buffers_size        64k;
      proxy_temp_file_write_size     64k;
      proxy_pass                            http://127.0.0.1:4848;
    }

        # Reverse proxy access to all processed servers by both client and server component
        # NOTE(review): autoindex is on and both auth_basic lines are commented
        # out, so this directory listing is served to anyone who can reach the
        # host over HTTPS.
        location /messages {
          alias /integration/archive/app-messages/;
          autoindex on;
          #auth_basic "Integration Team Login";
          #auth_basic_user_file /integration/archive/app-messages/requests/.htpasswd;

        }
   }
}

The /AppEndPoint location block is the Glassfish application server which works properly, it's only the /Glassfish location block that's giving me trouble.

Jchieppa
  • You probably have a configuration issue with http and https, as the mode on port 4848 changes when enabling/disabling secure admin. You need to post your nginx listen config for further investigation – Dainesch Oct 08 '15 at 10:33
  • @Dainesch added full nginx configuration. – Jchieppa Oct 08 '15 at 19:43

3 Answers


Ok, thanks for your edit.

Try with:

listen 443 ssl;

By the way, a good config helper is offered by Mozilla: SSL Generator

And if you forward requests to location /Glassfish, you will have to trim the request URL to remove /Glassfish. Credits to Rewrite.

By the way, does the rest of your config work over SSL?

Dainesch
  • SSL works fine with the rest of the config. Adding `ssl` to the listen directive didn't help. I shouldn't have to do a request URL rewrite (based upon proxy_pass experience with other products in nginx); however, if I do so via `rewrite ^/Glassfish(.*)$ /$1 last;` it rightfully redirects to the root html directory and gives me the nginx "welcome to blah blah" page. If I replace that with `rewrite ^/Glassfish(.*)$ /$1 break;` I get the same error originally posted. Nor did updating the proxy_pass to `http://127.0.0.1:4848/` as outlined [here](http://serverfault.com/a/725433/182600) help. – Jchieppa Oct 14 '15 at 20:36
  • @Jchieppa hi! I have exactly the same issue. What was your solution? – seinecle May 10 '17 at 10:14
  • Same problem with payara. Any hints how to solve that? – codyLine Sep 22 '20 at 14:19

Only change http to https in proxy_pass:

# NOTE(review): this location matches every request path on the server and
# carries no allow/deny list or auth_basic; the DAS only sees a loopback-origin
# connection from nginx, so nginx must supply the access control here.
location / {
# TLS to the DAS itself (secure admin on). nginx does not verify the upstream
# certificate unless proxy_ssl_verify is enabled; on the loopback that is the
# usual trade-off, but note it if the upstream ever moves off-host.
proxy_pass https://localhost:4848;
# Left disabled in the answer: the Upgrade/Connection pair would forward a
# client's Upgrade request, and Host would pass the original host name instead
# of the upstream's.
#proxy_http_version 1.1;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection 'upgrade';
#proxy_set_header Host $host;
#proxy_cache_bypass $http_upgrade;
}

As you ask, I suppose you are having problems accessing the Glassfish Admin Console through nginx. I'm sharing an example of an entire nginx.conf file for a Glassfish server. Note that the 'proxy_pass' directive for location '/admin' should use https, because https is mandatory for accessing the Glassfish Admin Console.

One reason you may not be able to see the Admin Console is that, when you access the page, its resources aren't loaded properly. You can check which resources are loaded using the developer tools of your preferred browser and see the generated URLs; that can show you part of the solution.

With this configuration you should be able to access both parts of Glassfish, the main and the admin console pages. If you don't have a DNS server, you can access it using the server IP. The SSL certificates used were self-signed, for test purposes only; consider using a valid SSL certificate such as one from Let's Encrypt or one generated by a valid CA.

Ex:

The https redirection should work and finally you will be redirected to:

glassfish-ngix.conf

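# Upstreams for the application HTTP listener and the DAS (admin) listener.
upstream glassfish {
    server 127.0.0.1:8080;
}

upstream glassfishadmin {
    server 127.0.0.1:4848;
}

# Plain HTTP is only used to redirect to HTTPS on the same host and path.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;

    set $glassfish_server glassfish;
    set $glassfish_admin glassfishadmin;
    server_name mydomain.com;

    # sample site certificates (self-signed in the answer; use a CA-issued
    # certificate outside of testing)
    ssl_certificate  /etc/nginx/server.crt;
    ssl_certificate_key  /etc/nginx/server.key;
    ssl_trusted_certificate /etc/nginx/server.crt;

    # Application server.
    # NOTE(review): a matching regex location takes precedence over the prefix
    # locations in this server, so css/js/image requests under /glassfish are
    # also routed to the DAS upstream by the asset location below; use
    # "location ^~ /glassfish" if that is not wanted.
    location /glassfish {
        charset utf-8;

        # limits
        client_max_body_size 100m;
        proxy_read_timeout 600s;

        # buffers
        proxy_buffers 16 64k;
        proxy_buffer_size 128k;

        # gzip
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 32k;
        gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
        gzip_vary on;

        proxy_redirect off;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # NOTE(review): with a variable in proxy_pass the trailing "/" replaces
        # the request URI, so every /glassfish/... request reaches the upstream
        # as "/" — confirm this is intended.
        proxy_pass http://$glassfish_server/;
    }

    # Admin-console assets are requested at the site root (e.g. /resource/...),
    # so paths with these extensions are fetched from the DAS.
    # Fixes: the dot is escaped (an unescaped "." matched any character, so a
    # path merely ending in "-css" also matched), and the literal "/" before
    # $request_uri is dropped because $request_uri already begins with "/" (the
    # original produced "//..." on the upstream).
    location ~* \.(png|ico|gif|jpg|jpeg|css|js)$ {
        proxy_pass https://$glassfish_admin$request_uri;
    }

    # Admin console.
    # NOTE(review): nothing here restricts who may reach the DAS, and the DAS
    # sees the proxied connection arriving from 127.0.0.1. Limit the location
    # before exposing it, for example:
    #   allow <ADMIN-NETWORK-CIDR>;   # placeholder: your management network
    #   deny  all;
    location /admin {

        proxy_connect_timeout       300;
        proxy_send_timeout          300;
        proxy_read_timeout          300;
        send_timeout                300;
        proxy_pass_request_headers on;
        # No proxy_cache is configured in this file, so the no_cache/bypass
        # directives are inert here; they only matter once a cache is added.
        proxy_no_cache $cookie_nocache  $arg_nocache$arg_comment;
        proxy_no_cache $http_pragma     $http_authorization;
        proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
        proxy_cache_bypass $http_pragma $http_authorization;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host:$server_port; #Very nb to add :$server_port here
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Disabled: the console is served same-origin through this host, so no
        # cross-origin allowance is needed, and a wildcard on an admin UI only
        # widens which origins may read its responses. Access-Control-Allow-Origin
        # is a response header, so setting it on the upstream request was
        # meaningless. Re-enable add_header with a specific origin only if a
        # separate front-end genuinely needs it.
        #add_header Access-Control-Allow-Origin *;
        #proxy_set_header Access-Control-Allow-Origin *;

        # TLS to the DAS (secure admin on). nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is enabled.
        # NOTE(review): with a variable in proxy_pass the trailing "/" replaces
        # the request URI, so every /admin/... request reaches the DAS as "/" —
        # confirm this is intended.
        proxy_pass https://$glassfish_admin/;
    }
}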
Luis Carlos