Proxy Pass is causing too many redirects when web.xml is upshifting to SSL via security-constraint. It seems like tomcat doesn't like receiving proxy_pass with http://localhost:8080 and tries to convert to SSL again. What gives? Configs follow...

Nginx 1.2.6 Config:

    server {
        listen www.mydomain.com:80;
        listen www.mydomain.com:443 ssl;
        ssl_certificate     my.crt;
        ssl_certificate_key my.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

        location / {
            proxy_pass http://localhost:8080;
        }

        location /images {
            root /var/www;
        }
    }

----------------------------------------------------------------------------

Web.xml

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Billing</web-resource-name>
        <url-pattern>/billing/*</url-pattern>
      </web-resource-collection>
      <web-resource-collection>
        <web-resource-name>Shipping</web-resource-name>
        <url-pattern>/shipping/*</url-pattern>
      </web-resource-collection>
      <web-resource-collection>
        <web-resource-name>Register</web-resource-name>
        <url-pattern>/subscription/*</url-pattern>
      </web-resource-collection>
      <web-resource-collection>
        <web-resource-name>Contact</web-resource-name>
        <url-pattern>/contactus.url</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

------------------------------------------------------------------------------------------

Tomcat Server.xml

    <!-- redirectPort: this tells tomcat what port to use when a
         security-constraint is provided in web.xml -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="443"
               proxyName="www.mydomain.com"
               proxyPort="80"/>

Please help.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,235822,235822#msg-235822
on 2013-02-01 16:39
on 2013-02-01 21:50
On Fri, Feb 01, 2013 at 10:38:37AM -0500, billmanhillman wrote:

> Proxy Pass is causing too many redirects when web.xml is upshifting to SSL
> via security-constraint. It seems like tomcat doesn't like receiving
> proxy_pass with http://localhost:8080 and tries to convert to SSL again.
> What gives? Configs follow...

Your nginx accepts requests over http and https, and sends them both identically to your tomcat over http.

If your tomcat cares about whether the request from the client came over http or over https, then you'll need (a) nginx to indicate the difference; and (b) tomcat to accept the difference.

nginx could be configured to send a http header indicating whether the incoming request to it was over https or not. Or nginx could be configured to send from-http requests to one ip:port, and from-https requests to another ip:port.

When you can configure your tomcat to respond to one of those differences, you can configure nginx appropriately.

f
--
Francis Daly        francis@daoine.org
on 2013-02-02 01:27
I created another HTTP/1.1 connector in tomcat listening on another port 8443. I then separated the server settings in nginx for both http and https.

I had the http server def proxy_pass to http://localhost:8080
I had the https server def proxy_pass to http://localhost:8443

I also put headers notifying tomcat the request was coming from http or https.

Still no dice. Redirect loops can't seem to be fixed.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,235822,235846#msg-235846
on 2013-02-02 10:30
On Fri, Feb 01, 2013 at 07:27:31PM -0500, billmanhillman wrote:

Hi there,

> I created another HTTP/1.1 connector in tomcat listening on another port
> 8443. I then separated the server settings in nginx for both http and
> https.
>
> I had the http server def proxy_pass to http://localhost:8080
> I had the https server def proxy_pass to http://localhost:8443
>
> I also put headers notifying tomcat the request was coming from http or
> https.

You changed the nginx config so that tomcat could be able to tell whether the original request was https or not.

Did you change the tomcat config so that it would recognise this signal, and would accept that "originally https" was enough to consider it as secure?

> Still no dice. Redirect loops can't seem to be fixed.

It looks to me like the redirect loops are coming from tomcat, not nginx.

If you can't configure tomcat the way you want to, perhaps configuring nginx to proxy_pass to a https:// url when appropriate would be an adequate workaround, at least for testing purposes?

f
--
Francis Daly        francis@daoine.org
on 2013-02-02 16:35
Francis Daly Wrote:
-------------------------------------------------------
> > I had the http server def proxy_pass to http://localhost:8080
> > I had the https server def proxy_pass to http://localhost:8443
> >
> > I also put headers notifying tomcat the request was coming from http or
> > https.
>
> You changed the nginx config so that tomcat could be able to tell whether
> the original request was https or not.

Agreed.

> Did you change the tomcat config so that it would recognise this signal,
> and would accept that "originally https" was enough to consider it
> as secure?

The connection is secured on the Nginx side. Tomcat should be able to handle this since I'm just swapping out overblown apache for Nginx and it worked fine on apache before switching to Nginx. I've tried X-Proxy-For and X-Real-IP headers. Am I missing any other headers? The Java Application "tells" the container the request has entered a secured area. I don't want to go down the road of creating Rewrites for https since the config for the application will reside in the Nginx config (bad practice).

> > Still no dice. Redirect loops can't seem to be fixed.
>
> It looks to me like the redirect loops are coming from tomcat, not
> nginx.
>
> If you can't configure tomcat the way you want to, perhaps configuring
> nginx to proxy_pass to a https:// url when appropriate would be an
> adequate workaround, at least for testing purposes?

I tried proxy_pass with https:// before but I always get a Bad Gateway. This is frustrating because I'm doing a write up for Nginx integration along with other servers to help others like myself to have a step by step guide for configuring reverse proxies and any flavor of application server (Tomcat, Jetty, Geronimo, WebSphere, JBoss, etc...) for PCI compliance. You'll simply download the .deb (debian only) and it will compile, install, secure, configure, and add a new node if it's in a clustered environment. I'm simply trying to get this right.

Thanks for your help and suggestions.

> f
> --
> Francis Daly        francis@daoine.org

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,235822,235853#msg-235853
on 2013-02-02 19:59
On 2 February 2013 15:34, billmanhillman <nginx-forum@nginx.us> wrote:
>> > https.
>> the original request was https or not.
> this since I'm just swapping out overblown apache for Nginx and it worked
> fine on apache before switching to Nginx. I've tried X-Proxy-For and
> X-Real-IP headers. Am I missing any other headers?

You haven't mentioned X-Forwarded-For (IP address) or X-Forwarded-Proto ("http" or "https"), both of which I routinely set up, but why don't you just swap out tomcat for a simple netcat listener in a non-prod environment. Then you can just see what Apache passes through to it, and don't have to try and understand the Apache setup - just replicate it precisely in nginx. Then you can start to understand the setup and modify its behaviour ...

Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
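For reference, here is the Tomcat side of the signal Francis describes and the X-Forwarded-Proto header Jonathan names, as an added example rather than any config posted in this thread. It assumes nginx sets proxy_set_header X-Forwarded-Proto $scheme; (and X-Forwarded-For) in both the http and https server blocks, reuses the thread's hostname and ports, and relies on RemoteIpValve and the secure/scheme connector attributes that exist in Tomcat 6.0.24+ and 7.

```xml
<!-- Added example server.xml fragment (not the poster's file). Assumes nginx
     sends, in each server block:
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;   -->
<Service name="Catalina">

  <!-- Option A: keep the single 8080 connector. The RemoteIpValve below marks
       a request secure when X-Forwarded-Proto is "https", so the CONFIDENTIAL
       constraint stops redirecting traffic that already came in over https.
       proxyPort must be the public *http* port; redirectPort the https one. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" URIEncoding="UTF-8"
             proxyName="www.mydomain.com" proxyPort="80"
             redirectPort="443"/>

  <!-- Option B: a dedicated connector for the https server block (the 8443
       listener from the thread). scheme="https" secure="true" make
       request.isSecure() true without any header or valve, so Tomcat never
       issues the redirect that caused the loop. -->
  <Connector port="8443" protocol="HTTP/1.1"
             connectionTimeout="20000" URIEncoding="UTF-8"
             proxyName="www.mydomain.com" proxyPort="443"
             scheme="https" secure="true"/>

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Only honour the forwarded headers from the local nginx
         (internalProxies is a regex); otherwise any client could claim
         "https" by sending X-Forwarded-Proto itself and bypass the
         transport guarantee. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="127\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpServerPort="80"
           httpsServerPort="443"/>
    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service>
```

Either option alone is enough; after restarting Tomcat, a request to http://www.mydomain.com/billing/ should yield exactly one 302 to https://www.mydomain.com/billing/, and the https request should then be served with no further redirect.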