nginx managed SSL with Tomcat 7
Changes I made so that Tomcat/Spring would set the proper Secure cookie flags:
Make sure Tomcat had the SSL (443) redirect port running in server.xml:

<Service name="Catalina">
  ...
  <Connector executor="tomcatThreadPool"
             port="9090"
             protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  ...
</Service>
Ensure your RemoteIpValve is set up inside your host in server.xml:

<Service name="Catalina">
  ...
  <Engine name="Catalina" defaultHost="localhost">
    ...
    <Host name="localhost" appBase="webapps" unpackWARs="true" deployOnStartup="true" autoDeploy="true">
      ...
      <!-- Mark HTTP as HTTPS forwarded from SSL termination at the nginx proxy -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="x-forwarded-for"
             remoteIpProxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />
    </Host>
  </Engine>
</Service>
Ensure that the protocol is being forwarded from its termination point in nginx.conf:

# Tomcat we're forwarding to
upstream tomcat_server {
    server 127.0.0.1:9090 fail_timeout=0;
}

# Main server proxy
server {
    listen 443 ssl;
    server_name sample.com;

    # HTTPS setup
    ssl on;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    #ssl cyphers ...
    #ssl certs ...

    location / {
        # Forward SSL so that Tomcat knows what to do
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://tomcat_server;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;

        # Show error pages from S3 when down
        proxy_next_upstream error timeout http_502 http_503 http_504;
        error_page 502 503 504 https://s3.amazonaws.com/sample.com/maint;
    }
}
Most of my proxy/SSL nginx conf is included above for completeness. Hope that helps someone.
Need to handle the x-forwarded-by and x-forwarded-proto headers in Tomcat. Add the following to your server.xml:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
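As an added illustration for both answers above (not code from either poster or from Tomcat), here is a small Python model of the trust decision RemoteIpValve makes with these settings: the forwarding headers are honoured only when the TCP peer matches internalProxies (Tomcat 7's documented default covers loopback, RFC1918 and link-local ranges, so the local nginx at 127.0.0.1 qualifies), and request.isSecure(), which is what puts the Secure flag on JSESSIONID, follows x-forwarded-proto only in that case. The client addresses are constructed documentation-range values, and the cookie path assumes the root context.

```python
import re

# Tomcat 7's documented default for RemoteIpValve internalProxies:
# loopback, RFC1918 and link-local ranges (modelled here, not Tomcat's own code).
DEFAULT_INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}"
)


def resolve_request(remote_addr, headers, internal_proxies=DEFAULT_INTERNAL_PROXIES,
                    remote_ip_header="x-forwarded-for", protocol_header="x-forwarded-proto"):
    """Model of the valve's decision for one request arriving on the plain-HTTP 9090 connector.

    Returns (client_ip, scheme, secure) as the web application would observe them.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Forwarding headers are trusted only when the TCP peer is an internal proxy;
    # otherwise the request passes through untouched: scheme http, not secure.
    if not internal_proxies.fullmatch(remote_addr):
        return remote_addr, "http", False
    client_ip = remote_addr
    hops = [p.strip() for p in h.get(remote_ip_header, "").split(",") if p.strip()]
    # Walk X-Forwarded-For from the right; the first hop that is not a proxy is the real client.
    for hop in reversed(hops):
        client_ip = hop
        if not internal_proxies.fullmatch(hop):
            break
    secure = h.get(protocol_header, "").strip().lower() == "https"
    return client_ip, "https" if secure else "http", secure


def session_cookie_attributes(secure):
    """Attributes Tomcat 7 appends to JSESSIONID: HttpOnly by default, Secure when request.isSecure()."""
    attrs = ["Path=/"]  # assumes the root context
    if secure:
        attrs.append("Secure")
    attrs.append("HttpOnly")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample: the request as nginx forwards it for a client at 198.51.100.7.
    via_nginx = {"X-Forwarded-For": "198.51.100.7", "X-Forwarded-Proto": "https"}
    print(resolve_request("127.0.0.1", via_nginx))
    # Constructed sample: a request sent straight to port 9090 carrying a forged proto header.
    print(resolve_request("203.0.113.5", {"X-Forwarded-Proto": "https"}))
```

Running it shows the first request resolved as a secure HTTPS request from 198.51.100.7, while the second keeps 203.0.113.5 as the client over plain http, so the forged header has no effect on the cookie flags.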