Forum: NGINX Nginx as Reverse Proxy for Tomcat + SSL

himesh (Guest)
on 2009-11-19 12:07
(Received via mailing list)
Hey guys,

I am totally new to Nginx, I need some advice with my reverse proxy
setup.

This is what I am trying to set up:

Client <========> | Nginx (reverse proxy) | <========> Tomcat

It has to be secure, i.e. SSL, a must.

My questions are
1) Can I have the SSL connection between the client and Nginx ( ssl
terminating at nginx) and then unencrypted from Nginx to Tomcat.
2) Can I have SSL communication between the Client and Tomcat, through
Nginx ( using the certificate in Tomcat, none in Nginx )
3) Can I have an SSL from Client to Nginx and another between Nginx and
Tomcat .

Thank You,
 Himesh...

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,24126,24126#msg-24126
Maxim Dounin (Guest)
on 2009-11-19 12:32
(Received via mailing list)
Hello!

On Thu, Nov 19, 2009 at 06:02:20AM -0500, himesh wrote:

> Hey guys,
>
> I am totally new to Nginx, I need some advice with my reverse proxy setup.
>
> This is what I am trying to set up: Client <========> | Nginx (reverse proxy) | <========> Tomcat
> It has to be secure, i.e. SSL, a must.
>
> My questions are
> 1) Can I have the SSL connection between the client and Nginx ( ssl terminating at nginx) and then unencrypted from Nginx to Tomcat.

Yes.

> 2) Can I have SSL communication between the Client and Tomcat, through Nginx ( using the certificate in Tomcat, none in Nginx )

No.

> 3) Can I have an SSL from Client to Nginx and another between Nginx and Tomcat .

Yes.

Maxim Dounin
himesh (Guest)
on 2009-11-19 12:54
(Received via mailing list)
Thanks Maxim,

So I tried the setup, SSL connection between the client and Nginx ( ssl
terminating at nginx) and then unencrypted from Nginx to Tomcat.

This is what my nginx.conf file looks like....

user www-data;
worker_processes  1;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log  /var/log/nginx/access.log;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;

    gzip  on;

    include /etc/nginx/sites-enabled/*;



server {

      server_name himesh.com;
      listen 192.168.1.118:443;
      ssl on;
      ssl_certificate /etc/pound/himesh_com.crt;
      ssl_certificate_key /etc/pound/himesh.key;

      access_log /etc/pound/access.log;

      location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass   http://10.10.1.113:8080/;
            proxy_redirect off;
            }
}

}


Now from the client when I try https://himesh.com I get the Tomcat
default page, that is all good.

But https://himesh.com/abc ( abc is an application deployed in tomcat),
the browser returns http://himesh.com/abc but now I don't have nginx
listening on 80, so there is no answer. This only happens with https.
It works fine when I am using just http.

Please advise.

Thank you,
himesh.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,24126,24138#msg-24138
Maxim Dounin (Guest)
on 2009-11-19 13:05
(Received via mailing list)
Hello!

On Thu, Nov 19, 2009 at 06:50:02AM -0500, himesh wrote:

> pid        /var/run/nginx.pid;
>
>
>       access_log /etc/pound/access.log;
> }
>
>
> Now from the client when I try https://himesh.com I get the Tomcat default page, that is all good.
>
> But https://himesh.com/abc ( abc is an application deployed in tomcat), the browser returns http://himesh.com/abc but now I don't have nginx listening on 80, so there is no answer. This only happens with https. It works fine when I am using just http.
>
> Please advice..

Depending on the backend software you may need various quirks to make
this work.  Usually a correctly configured proxy_redirect is
enough.

See

http://wiki.nginx.org/NginxHttpProxyModule#proxy_redirect

for details.

Maxim Dounin
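
The proxy_redirect approach suggested above, written out for the server block from the question. This is an added example, not part of the original thread; the addresses and certificate paths are the ones himesh posted, and the port 80 server block and the X-Forwarded-Proto header are assumptions added here.

```nginx
# Added example: the posted server block with Location rewriting enabled.
server {
    server_name himesh.com;
    listen 192.168.1.118:443 ssl;      # replaces "ssl on;" from the post
    ssl_certificate     /etc/pound/himesh_com.crt;
    ssl_certificate_key /etc/pound/himesh.key;

    location / {
        # Pass the public host name so Tomcat builds URLs for himesh.com.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Original scheme; only has an effect if the backend is set up to read it.
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://10.10.1.113:8080/;

        # Tomcat only sees plain HTTP, so the redirects it issues
        # (for example /abc -> /abc/) carry an http:// Location header.
        # Rewrite them to the HTTPS front end instead of "proxy_redirect off".
        proxy_redirect http://himesh.com/       https://himesh.com/;
        # Also cover redirects that name the backend address itself.
        proxy_redirect http://10.10.1.113:8080/ https://himesh.com/;
    }
}

# Assumption: a port 80 listener that only redirects, so a stray http://
# link is upgraded rather than left unanswered.
server {
    server_name himesh.com;
    listen 192.168.1.118:80;
    return 301 https://$host$request_uri;
}
```
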
sajan tharayil (sajangnn)
on 2013-08-21 13:05
Hi Dounin,


> 3) Can I have an SSL from Client to Nginx and another between Nginx and Tomcat .

Yes.

How do we do this? I am trying to find a way to do this, either with
Haproxy or Nginx


Kind Regards
Sajan
Jens Rantil (Guest)
on 2013-08-21 13:50
(Received via mailing list)
Hi Sajan,

Which of the two subproblems is it that you are having issues with?

Kind Regards,
Jens

-----Original message-----
From: nginx-bounces@nginx.org [mailto:nginx-bounces@nginx.org] On behalf of sajan
tharayil
Sent: 21 August 2013 13:05
To: nginx@nginx.org
Subject: Re: Nginx as Reverse Proxy for Tomcat + SSL

Hi Dounin,


> 3) Can I have an SSL from Client to Nginx and another between Nginx and Tomcat .

Yes.

How do we do this? I am trying to find a way to do this, either with
Haproxy or Nginx


Kind Regards
Sajan

--
Posted via http://www.ruby-forum.com/.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
sajan tharayil (sajangnn)
on 2013-08-21 20:01
Hi Jens,

I will explain my need to you. I need an end to end encryption for my client
server communication.

Client -> nginx/haproxy - https
nginx/haproxy -> tomcat - https

So one way to do this is a layer 4 load balancing at nginx/haproxy
layer.

But what I am trying to do is to do a layer 7 load balancing itself. So
the first ssl offloading will happen at the nginx/haproxy level. Then it
will be again encrypted and sent to the underlying tomcat (which are in
another server and subnet). Then tomcat will offload ssl again.

The reason for this is, I am creating my stack in AWS (amazon web
service) and we do not want any kind of plain communication happening in
amazon network.


So I am not really sure about the configuration which I can do on nginx
which will do the following:

1. Off load the ssl for the requests coming from client (users) - This
configuration is simple enough
2. Encrypt the communication again and send to underlying tomcats

so it will be like:

Can I have an SSL from Client to Nginx and another between Nginx and
Tomcat?


Kind Regards
Sajan
Jens Rantil (Guest)
on 2013-08-22 13:53
(Received via mailing list)
Hi Sajan,

I see. nginx supports serving https content. Documentation is here:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html

nginx also supports proxying to upstream servers that are using
SSL/https:
http://stackoverflow.com/questions/15394904/nginx-...

What you'd like to do is possible.

Good luck,
Jens

-----Original message-----
From: nginx-bounces@nginx.org [mailto:nginx-bounces@nginx.org] On behalf of sajan
tharayil
Sent: 21 August 2013 20:02
To: nginx@nginx.org
Subject: Re: Nginx as Reverse Proxy for Tomcat + SSL

Hi Jens,

I will explain my need to you. I need an end to end encryption for my client
server communication.

Client -> nginx/haproxy - https
nginx/haproxy -> tomcat - https

So one way to do this is a layer 4 load balancing at nginx/haproxy
layer.

But what I am trying to do is to do a layer 7 encryption itself. So the
first ssl offloading will happen at the nginx/haproxy level. Then it
will be again encrypted and sent to the underlying tomcat. Then tomcat
will offload ssl again.

The reason for this is, I am creating my stack in amazon and we do not
want any kind of plain communication happening in amazon network.


So I am not really sure about the configuration which I can do on nginx
which will do the following:

1. Off load the ssl for the requests coming from client (users) - This
configuration is simple enough
2. Encrypt the communication again and send to underlying tomcats


Can I have an SSL from Client to Nginx and another between Nginx and
Tomcat?

so it will be like
Kind Regards
Sajan

sajan tharayil (sajangnn)
on 2013-08-23 06:03
Hi Jens,

Thanks much for your explanation. I was sure about the first part and
was thinking more complexly on the second part I mean https upstream.

But your simple solution to this is awesome.

Kind Regards
Sajan
dt0x (Guest)
on 2013-08-27 07:11
(Received via mailing list)
Assuming that this happens all on one machine, Tomcat can be set to
listen only on localhost, e.g. 127.0.0.1:8080,
in which case SSL from nginx reverse proxy becomes redundant.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,24126,242227#msg-242227
Payam Chychi (Guest)
on 2013-08-27 07:22
(Received via mailing list)
Ssl proxy with nginx, copy over the ssl keys from the end site to nginx.
Now if u want ssl from nginx, simply https the connection and sign a
cert...

What am i missing here? Are you looking for an actual config sample?

--
Payam Chychi
Network Engineer / Security Specialist
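
A configuration for the two-leg setup discussed in this thread (TLS from client to nginx, then a second TLS session from nginx to Tomcat), given as an added example that is not from any of the posters. The upstream addresses, host names and file paths are placeholders, and the proxy_ssl_verify family of directives assumes nginx 1.7.0 or later.

```nginx
# Added example: TLS on both legs (client -> nginx, nginx -> Tomcat).
upstream tomcat_tls {
    server 10.0.2.10:8443;             # Tomcat HTTPS connectors (constructed addresses)
    server 10.0.2.11:8443;
}

server {
    listen 443 ssl;
    server_name www.example.com;       # placeholder public name
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The https:// scheme makes nginx open its own TLS session to Tomcat,
        # so layer 7 balancing still works and nothing crosses the network in clear.
        proxy_pass https://tomcat_tls;

        # By default nginx encrypts this leg but does not check the upstream
        # certificate (proxy_ssl_verify defaults to off), so whatever answers
        # on that address is accepted. Turn verification on and name the CA.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

        # Name the Tomcat certificate must match; without this nginx would
        # compare against the upstream block name "tomcat_tls". Also sent as SNI.
        proxy_ssl_name        tomcat.internal.example;
        proxy_ssl_server_name on;

        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;    # avoid a full handshake per request
    }
}
```
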