Nginx as Reverse Proxy for Tomcat + SSL

Hey guys,

I am totally new to Nginx, I need some advice with my reverse proxy
setup.

This is what I am trying to set up:

Client <========> | Nginx (reverse proxy) | <========> Tomcat

It has to be secure, i.e. SSL, a must.

My questions are

  1. Can I have the SSL connection between the client and Nginx (SSL
    terminating at Nginx) and then unencrypted from Nginx to Tomcat.
  2. Can I have SSL communication between the Client and Tomcat, through
    Nginx (using the certificate in Tomcat, none in Nginx)
  3. Can I have an SSL from Client to Nginx and another between Nginx and
    Tomcat.

Thank You,
Himesh…


Hello!

On Thu, Nov 19, 2009 at 06:02:20AM -0500, himesh wrote:

  1. Can I have the SSL connection between the client and Nginx (SSL terminating at Nginx) and then unencrypted from Nginx to Tomcat.

Yes.

  2. Can I have SSL communication between the Client and Tomcat, through Nginx (using the certificate in Tomcat, none in Nginx)

No.

  3. Can I have an SSL from Client to Nginx and another between Nginx and Tomcat.

Yes.

Maxim D.

Thanks Maxim,

So I tried the setup, SSL connection between the client and Nginx (SSL
terminating at Nginx) and then unencrypted from Nginx to Tomcat.

This is what my nginx.conf file looks like…

user www-data;
worker_processes 1;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log  /var/log/nginx/access.log;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;

    gzip  on;

    include /etc/nginx/sites-enabled/*;

    server {

        server_name himesh.com;
        listen 192.168.1.118:443;
        ssl on;
        ssl_certificate /etc/pound/himesh_com.crt;
        ssl_certificate_key /etc/pound/himesh.key;

        access_log /etc/pound/access.log;

        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass   http://10.10.1.113:8080/;
            proxy_redirect off;
        }

    }

}

Now from the client when I try https://himesh.com I get the Tomcat
default page, that is all good.

But with https://himesh.com/abc (abc is an application deployed in Tomcat),
the browser returns http://himesh.com/abc but now I don't have nginx
listening on 80, so there is no answer. This only happens with https.
It works fine when I am using just http…

Please advise…

Thank you,
himesh.


Hello!

On Thu, Nov 19, 2009 at 06:50:02AM -0500, himesh wrote:

Depending on the backend software you may need various quirks to make
this work. Usually a correctly configured proxy_redirect is
enough.

See

http://wiki.nginx.org/NginxHttpProxyModule#proxy_redirect

for details.

Maxim D.
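
An added example (not from the thread) of the proxy_redirect approach referred to above, applied to the server block posted earlier. It assumes Tomcat answers /abc with a redirect whose Location header starts with http://himesh.com/ or with the backend's own address; the Host and X-Forwarded-Proto headers are additions that only help if the backend is configured to use them.

```nginx
server {
    listen 192.168.1.118:443 ssl;
    server_name himesh.com;

    ssl_certificate     /etc/pound/himesh_com.crt;
    ssl_certificate_key /etc/pound/himesh.key;

    location / {
        # Pass the public host name so the backend builds redirects for
        # himesh.com instead of 10.10.1.113:8080.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tell the backend the client connection was https
        # (assumption: the backend is set up to read this header).
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://10.10.1.113:8080/;

        # The backend only ever sees plain HTTP, so its redirects carry an
        # http:// Location. Rewrite the scheme before the response reaches
        # the client, which otherwise follows it to port 80.
        proxy_redirect http://himesh.com/ https://himesh.com/;

        # Cover redirects that expose the backend address as well, so the
        # internal IP and port never appear in a Location header.
        proxy_redirect http://10.10.1.113:8080/ https://himesh.com/;
    }
}
```

With `proxy_redirect off;`, as in the posted configuration, the Location header is passed through untouched, which matches the behaviour described for https://himesh.com/abc.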

Hi Dounin,

  1. Can I have an SSL from Client to Nginx and another between Nginx and Tomcat .

Yes.

How do we do this? I am trying to find a way to do this, either with
Haproxy or Nginx.

Kind Regards
Sajan

Hi Sajan,

Which of the two subproblems is it that you are having issues with?

Kind Regards,
Jens

Hi Jens,

I will explain my need to you. I need end-to-end encryption for my
client-server communication.

Client -> nginx/haproxy - https
nginx/haproxy -> tomcat - https

So one way to do this is layer 4 load balancing at the nginx/haproxy
layer.

But what I am trying to do is layer 7 load balancing itself. So the
first SSL offloading will happen at the nginx/haproxy level. Then it
will be encrypted again and sent to the underlying Tomcat (which are on
another server and subnet). Then Tomcat will offload SSL again.

The reason for this is, I am creating my stack in AWS (Amazon Web
Services) and we do not want any kind of plain communication happening
in the Amazon network.

So I am not really sure about the configuration which I can do on nginx
which will do the following:

  1. Offload the SSL for the requests coming from clients (users) - this
    configuration is simple enough
  2. Encrypt the communication again and send it to the underlying Tomcats

So it will be like:

Can I have an SSL from Client to Nginx and another between Nginx and
Tomcat?

Kind Regards
Sajan

Hi Sajan,

I see. nginx supports serving https content. Documentation is here:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html

nginx also supports proxying to upstream servers that are using
SSL/https:

What you’d like to do is possible.

Good luck,
Jens
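
An added example (not configuration posted by anyone in the thread) of the setup discussed here: nginx terminates the client's TLS, then opens a second, verified TLS connection to Tomcat. The backend address and port 8443, the names example.com and tomcat.internal.example, and all file paths are placeholders; the proxy_ssl_verify directives require nginx 1.7.0 or later.

```nginx
upstream tomcat_tls {
    # Placeholder: Tomcat's HTTPS connector in the other subnet.
    server 10.10.1.113:8443;
}

server {
    listen 443 ssl;
    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/tls/frontend.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/frontend.key;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # https:// makes nginx re-encrypt the request towards the backend.
        proxy_pass https://tomcat_tls;

        # nginx does not verify the upstream certificate unless told to.
        # Without these lines the hop is encrypted but not authenticated,
        # so anything able to answer on that address is accepted as Tomcat.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

        # Name checked against the backend certificate and sent as SNI.
        # The default would be the upstream name "tomcat_tls".
        proxy_ssl_name                tomcat.internal.example;
        proxy_ssl_server_name         on;

        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

The certificate presented by Tomcat must be issued for the name given in `proxy_ssl_name` and chain to the CA file in `proxy_ssl_trusted_certificate`; a mismatch surfaces as a 502 with an upstream SSL verification error in nginx's error log.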

Hi Jens,

Thanks much for your explanation. I was sure about the first part and
was thinking more complexly on the second part I mean https upstream.

But your simple solution to this is awesome.

Kind Regards
Sajan

Assuming that this happens all on one machine, Tomcat can be set to
listen only on localhost, e.g. 127.0.0.1:8080,
in which case SSL from the nginx reverse proxy becomes redundant.

SSL proxy with nginx, copy over the SSL keys from the end site to nginx.
Now if you want SSL from nginx, simply https the connection and sign a
cert…

What am I missing here? Are you looking for an actual config sample?


Payam C.
Network Engineer / Security Specialist