Enabling HTTPS with Spring Security : This webpage has a redirect loop


Your HTTPS connection is handled by NGINX. The connection to your application is an HTTP connection. So basically secure on the outside, insecure on the inside.

Spring Security uses the isSecure() method from the ServletRequest to determine whether the request is secure; by default this checks that the protocol is https.

As you are using Tomcat you can configure an additional valve, the RemoteIpValve, to influence the behavior of the isSecure() and getRemoteAddr() methods (and some others).

    <Valve
        className="org.apache.catalina.valves.RemoteIpValve"
        internalProxies="192\.168\.0\.10|192\.168\.0\.11"
        remoteIpHeader="x-forwarded-for"
        proxiesHeader="x-forwarded-by"
        protocolHeader="x-forwarded-proto"
    />

Add the above to the <Host> element (of course you might need to remove/modify the internal proxies parameter).

In your NGINX configuration add the X-Forwarded-Proto header.

    location / {
        proxy_pass        http://localhost:8080;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        add_header        Front-End-Https on;
        proxy_set_header  Host $http_host;
    }

Or simply remove the checks for a secure channel and assume everything is ok...

Links

  1. ServletRequest.isSecure javadoc
  2. RemoteIpValve javadoc
  3. NGinx SSL Proxy
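
The redirect loop and the valve's trust decision described in the answer above, as an added example that is not part of the original answer and is not Tomcat or Spring Security code. It is a simplified Python model: the `internalProxies` pattern and header name come from the `<Valve>` snippet, while the function names, the 302/200 behaviour and the address `203.0.113.7` are assumptions made for illustration.

```python
import re

# Values taken from the <Valve> element in the answer.
INTERNAL_PROXIES = re.compile(r"192\.168\.0\.10|192\.168\.0\.11")
PROTOCOL_HEADER = "x-forwarded-proto"  # header names are case-insensitive; stored lowercase


def is_secure(remote_addr, headers, valve_enabled):
    """Simplified model of what isSecure() reports on a plain-HTTP connector."""
    if not valve_enabled:
        return False  # the connector only ever sees http from the proxy
    if not INTERNAL_PROXIES.fullmatch(remote_addr):
        return False  # header from an address outside internalProxies is ignored
    value = headers.get(PROTOCOL_HEADER)
    return value is not None and value.lower() == "https"


def proxy_forward(client_scheme):
    """What NGINX sends upstream: plain HTTP, with the original scheme in a header."""
    return {PROTOCOL_HEADER: client_scheme}


def app_response(remote_addr, headers, valve_enabled):
    """Assumed secure-channel rule: 200 if the request is secure, else 302 to https."""
    return 200 if is_secure(remote_addr, headers, valve_enabled) else 302


def browse(proxy_addr, valve_enabled, max_redirects=5):
    """Follow redirects as a browser would, starting from an https:// URL."""
    statuses = []
    for _ in range(max_redirects):
        # Every redirect target is https://, so NGINX forwards "https" each time.
        status = app_response(proxy_addr, proxy_forward("https"), valve_enabled)
        statuses.append(status)
        if status == 200:
            break
    return statuses


if __name__ == "__main__":
    print("no valve:            ", browse("192.168.0.10", valve_enabled=False))
    print("valve, proxy trusted:", browse("192.168.0.10", valve_enabled=True))
    # proxy_pass http://localhost:8080 means Tomcat sees 127.0.0.1, not 192.168.0.x
    print("valve, proxy on lo:  ", browse("127.0.0.1", valve_enabled=True))
    spoofed = is_secure("203.0.113.7", {PROTOCOL_HEADER: "https"}, True)
    print("header from 203.0.113.7 honoured?", spoofed)
```

The third case is why the `internalProxies` value has to match the address Tomcat actually sees for NGINX: with `proxy_pass http://localhost:8080` that address is loopback, which the pattern copied from the snippet does not cover.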