Too Many Redirects

Proxy Pass is causing too many redirects when web.xml is upshifting to SSL
via security-constraint. It seems like tomcat doesn’t like receiving
proxy_pass with http://localhost:8080 and tries to convert to SSL again.
What gives? Configs follow…

Nginx 1.2.6 Config:

server {
    listen www.mydomain.com:80;
    listen www.mydomain.com:443 ssl;

    ssl_certificate my.crt;
    ssl_certificate_key my.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass http://localhost:8080;
    }

    location /images {
        root /var/www;
    }
}


Web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Billing</web-resource-name>
        <url-pattern>/billing/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Shipping</web-resource-name>
        <url-pattern>/shipping/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Register</web-resource-name>
        <url-pattern>/subscription/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Contact</web-resource-name>
        <url-pattern>/contactus.url</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Tomcat Server.xml

<!-- This tells tomcat what port to use when security-constraint is provided in web.xml -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443"
           proxyName="www.mydomain.com"
           proxyPort="80"/>

Please help.

Posted at Nginx Forum:

I created another HTTP/1.1 connector in tomcat listening on another port
8443. I then separated the server settings in nginx for both http and
https.

I had the http server def proxy_pass to http://localhost:8080
I had the https server def proxy_pass to http://localhost:8443

I also put headers notifying tomcat the request was coming from http or
https.

Still no dice. Redirect loops can’t seem to be fixed.

Posted at Nginx Forum:

On Fri, Feb 01, 2013 at 10:38:37AM -0500, billmanhillman wrote:

> Proxy Pass is causing too many redirects when web.xml is upshifting to SSL
> via security-constraint. It seems like tomcat doesn’t like receiving
> proxy_pass with http://localhost:8080 and tries to convert to SSL again.
> What gives? Configs follow…

Your nginx accepts requests over http and https, and sends them both
identically to your tomcat over http.

If your tomcat cares about whether the request from the client came over
http or over https, then you’ll need (a) nginx to indicate the difference;
and (b) tomcat to accept the difference.

nginx could be configured to send a http header indicating whether the
incoming request to it was over https or not.

Or nginx could be configured to send from-http requests to one ip:port,
and from-https requests to another ip:port.

When you can configure your tomcat to respond to one of those differences,
you can configure nginx appropriately.

f

Francis D.

On Fri, Feb 01, 2013 at 07:27:31PM -0500, billmanhillman wrote:

Hi there,

> I created another HTTP/1.1 connector in tomcat listening on another port
> 8443. I then separated the server settings in nginx for both http and
> https.
>
> I had the http server def proxy_pass to http://localhost:8080
> I had the https server def proxy_pass to http://localhost:8443
>
> I also put headers notifying tomcat the request was coming from http or
> https.

You changed the nginx config so that tomcat could be able to tell whether
the original request was https or not.

Did you change the tomcat config so that it would recognise this signal,
and would accept that “originally https” was enough to consider it
as secure?

> Still no dice. Redirect loops can’t seem to be fixed.

It looks to me like the redirect loops are coming from tomcat, not nginx.

If you can’t configure tomcat the way you want to, perhaps configuring
nginx to proxy_pass to a https:// url when appropriate would be an
adequate workaround, at least for testing purposes?

f

Francis D.

Francis D. Wrote:

>> I had the http server def proxy_pass to http://localhost:8080
>> I had the https server def proxy_pass to http://localhost:8443
>>
>> I also put headers notifying tomcat the request was coming from http or
>> https.
>
> You changed the nginx config so that tomcat could be able to tell whether
> the original request was https or not.

Agreed.

> Did you change the tomcat config so that it would recognise this signal,
> and would accept that “originally https” was enough to consider it
> as secure?

The connection is secured on the Nginx side. Tomcat should be able to handle
this since I’m just swapping out overblown apache for Nginx and it worked
fine on apache before switching to Nginx. I’ve tried X-Proxy-For and
X-Real-IP headers. Am I missing any other headers?

The Java Application “tells” the container the request has entered a
secured area. I don’t want to go down the road of creating Rewrites for
https since the config for the application will reside in the Nginx config
(bad practice).

>> Still no dice. Redirect loops can’t seem to be fixed.
>
> It looks to me like the redirect loops are coming from tomcat, not nginx.
>
> If you can’t configure tomcat the way you want to, perhaps configuring
> nginx to proxy_pass to a https:// url when appropriate would be an
> adequate workaround, at least for testing purposes?

I tried proxy_pass with https:// before but I always get a Bad Gateway.

This is frustrating because I’m doing a write up for Nginx integration along
with other servers to help others like myself to have a step by step guide
for configuring reverse proxies and any flavor of application server
(Tomcat, Jetty, Geronimo, WebSphere, JBoss, etc…) for PCI compliance.
You’ll simply download the .deb (debian only) and it will compile, install,
secure, configure, and add a new node if it’s in a clustered environment.

I’m simply trying to get this right. Thanks for your help and suggestions.

> f
>
> Francis D.



Posted at Nginx Forum:

On 2 February 2013 15:34, billmanhillman wrote:

> [...] this since I’m just swapping out overblown apache for Nginx and it worked
> fine on apache before switching to Nginx. I’ve tried X-Proxy-For and
> X-Real-IP headers. Am I missing any other headers?

You haven’t mentioned X-Forwarded-For (IP address) or
X-Forwarded-Proto (“http” or “https”), both of which I routinely set
up, but why don’t you just swap out tomcat for a simple netcat
listener in a non-prod environment. Then you can just see what Apache
passes through to it, and don’t have to try and understand the Apache
setup - just replicate it precisely in nginx.

Then you can start to understand the setup and modify its behaviour …

Jonathan

Jonathan M. // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
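
The loop discussed in this thread, as a small runnable model (an added example, not code from any poster and not nginx or Tomcat source). The function names, the `127.0.0.1` trusted-proxy set and the sample paths are assumptions; on the Tomcat side, honoring the header is what `RemoteIpValve` with its `protocolHeader` attribute does.

```python
from fnmatch import fnmatch

# url-patterns from the web.xml posted above (transport-guarantee CONFIDENTIAL).
# fnmatch is a simplification of servlet url-pattern matching.
CONFIDENTIAL = ["/billing/*", "/shipping/*", "/subscription/*", "/contactus.url"]
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: nginx and Tomcat share a host


def nginx(client_scheme, path, send_proto):
    """Model of nginx: http and https both go to one plain-HTTP backend."""
    headers = {"Host": "www.mydomain.com"}
    if send_proto:  # models: proxy_set_header X-Forwarded-Proto $scheme;
        headers["X-Forwarded-Proto"] = client_scheme
    return {"peer": "127.0.0.1", "path": path, "headers": headers}


def tomcat(req, honor_proto):
    """Model of Tomcat: redirect CONFIDENTIAL paths unless request is secure."""
    secure = False  # the connector itself only ever sees plain HTTP
    # Only believe the header when it comes from the known proxy address;
    # otherwise any client could claim "https" and skip the constraint.
    if honor_proto and req["peer"] in TRUSTED_PROXIES:
        secure = req["headers"].get("X-Forwarded-Proto") == "https"
    if any(fnmatch(req["path"], p) for p in CONFIDENTIAL) and not secure:
        return 302, "https://www.mydomain.com" + req["path"]
    return 200, None


def browse(url, send_proto, honor_proto, max_hops=10):
    """Follow redirects like a browser; return (status, hops, looped)."""
    seen = set()
    for hop in range(max_hops):
        if url in seen:  # same URL twice: "too many redirects"
            return 302, hop, True
        seen.add(url)
        scheme, rest = url.split("://", 1)
        path = "/" + rest.partition("/")[2]
        status, location = tomcat(nginx(scheme, path, send_proto), honor_proto)
        if status != 302:
            return status, hop, False
        url = location
    return 302, max_hops, True
```

Sending the header without Tomcat honoring it still loops, which matches the second attempt described in the thread; the loop ends only when both sides agree on the signal.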