What is the proper configuration in server.xml to have nginx manage SSL? My current configuration results in a "redirect loop" unless I mark the tomcat standard connection "secure" which is not what I want. My app requires https for all requests and redirects to https if http is used. If I set secure="true" it no longer redirects but the "redirect loop" is gone. What am I doing wrong?
My current tomcat server.xml:
<!-- HTTP connector that nginx proxies to. proxyPort="443" only fixes the port Tomcat
     reports in generated URLs; the scheme still comes from the connector itself (http)
     unless secure="true" is set. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" proxyPort="443"/>
Nginx conf:
server {
    listen 80 default_server;
    # server_name takes space-separated names; with a comma, "localhost," becomes a literal name
    server_name localhost mydomain.com;

    location / {
        # wildcard CORS lets any origin read responses; narrow it if the app serves credentials
        add_header 'Access-Control-Allow-Origin' '*';
        proxy_pass http://localhost:8080/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tell Tomcat this request arrived over plain HTTP
        proxy_set_header X-Forwarded-Proto http;
        proxy_send_timeout 6000;
    }
}

server {
    server_name localhost mydomain.com;
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 are broken and TLSv1 is retired; current nginx/OpenSSL builds refuse them anyway
    ssl_protocols TLSv1.2 TLSv1.3;
    # make sure you already have this certificate pair!
    ssl_certificate /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;
    ssl_session_cache shared:SSL:10m;
    # 497 = plain HTTP request sent to the HTTPS port; bounce it to https
    error_page 497 https://$host:$server_port$request_uri;

    # Our endpoint for tomcat reverse-proxy, assuming your endpoint java-servlet knows
    # how to handle http://localhost/gadgets requests
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # tell Tomcat that TLS was terminated here; Tomcat ignores this header
        # unless a valve such as RemoteIpValve is configured to read it
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
        # note, there is no SSL here! plain HTTP is used
        proxy_pass http://localhost:8080/;
    }
}
Need to handle the x-forwarded-by and x-forwarded-proto headers in Tomcat. Add the following to your server.xml:
Changes I made so that Tomcat/Spring would set the proper Secure cookie flags:
1. Make sure Tomcat had the SSL (443) redirect port running in server.xml:
2. Ensure your RemoteIpValve is set up inside your host in server.xml:
3. Ensure that the protocol is being forwarded from its termination point in nginx.conf:
Most of my proxy/SSL nginx conf is included above for completeness. Hope that helps someone.
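The server.xml pieces both answers point at (the snippet the first answer refers to, and items 1 and 2 of the list above), as an added example; it is not either answerer's own configuration. It assumes nginx runs on the same host as Tomcat and forwards X-Forwarded-For / X-Forwarded-Proto exactly as the nginx conf in the question does; the internalProxies pattern, ports and the hostname are assumptions to adjust. With the valve in place Tomcat derives request.isSecure() and getScheme() from X-Forwarded-Proto per request, so the plain-HTTP listener still triggers the app's redirect to https while the HTTPS listener does not, and Tomcat marks the session cookie Secure only on the proxied-HTTPS path.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original answers). Ports, hostname and the
     internalProxies pattern are placeholders for a single-host nginx + Tomcat setup. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Plain HTTP connector that nginx proxies to. No secure="true" and no proxyPort
         here: RemoteIpValve sets scheme, secure flag and server port per request.
         redirectPort="443" points security-constraint redirects at nginx's TLS port. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="443"/>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

        <!-- Honour X-Forwarded-* only when the request comes from the proxy itself.
             internalProxies is a regex on the peer address; the default already covers
             loopback and RFC 1918 ranges, but pinning it to the actual proxy address
             means a client that reaches 8080 directly cannot set X-Forwarded-Proto: https
             and skip the HTTPS redirect or be handed a Secure cookie over plain HTTP.
             The IPv6 loopback form is spelled the way Tomcat reports it. -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"
               remoteIpHeader="X-Forwarded-For"
               protocolHeader="X-Forwarded-Proto"
               protocolHeaderHttpsValue="https"
               httpServerPort="80"
               httpsServerPort="443" />

        <!-- Log the client address the valve recovered, not the proxy's -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

A quick check after restarting Tomcat: a request through the port-80 listener should still come back with the app's redirect to https, a request through port 443 should be served without a redirect, and the Set-Cookie header on the HTTPS response should carry the Secure attribute. Keep 8080 firewalled to the proxy host so the only peer that can present X-Forwarded-* is the one the valve trusts.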