
I am running Tomcat behind NGINX SSL. Can anyone tell me what the best setting for the Tomcat server.xml is?

Should I add the properties:

        <Connector secure="true"
                   proxyName="localhost"
                   proxyPort="443"
                   scheme="https" />

to my connector in Tomcat OR

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.[0-1].1"
               remoteIpHeader="x-forwarded-for"
               requestAttributesEnabled="true"
               protocolHeader="x-forwarded-proto"
               protocolHeaderHttpsValue="https" />

to my <Engine>

Which setting is better?

1 Answer

If a webapp in Tomcat should simply be told that it is not accessible by the clients via the values used by the proxy server to establish a connection to Tomcat, e.g. LOCALHOST:8080, but via HOSTNAME:443, then the first example (with the correct SSL hostname) is sufficient [1].

In this case Tomcat does not know which client is actually making the request; the access log will only contain the "client" IP of the proxy server. If this is not sufficient for troubleshooting or for authorization with RemoteAddrValve [2], this is a reason to also use the second configuration.

Please note that the headers must also be forwarded accordingly by the reverse proxy [3].

So each of the settings aims at something different.

J. Frings
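
How the second configuration decides what the webapp and the access log see, as an added Python model that is not code from the question, the answer or Tomcat. It simplifies the valve's behaviour (no trustedProxies, a single protocol value); the function name `resolve` and the sample addresses are constructed.

```python
"""Simplified model of the RemoteIpValve decision (illustration, not Tomcat code)."""
import re

# Attribute values copied from the Valve in the question.
INTERNAL_PROXIES = re.compile(r"127.0.[0-1].1")   # internalProxies
REMOTE_IP_HEADER = "x-forwarded-for"              # remoteIpHeader
PROTOCOL_HEADER = "x-forwarded-proto"             # protocolHeader
PROTOCOL_HEADER_HTTPS_VALUE = "https"             # protocolHeaderHttpsValue


def resolve(peer_addr, headers, connector_scheme="http"):
    """Return (remote_addr, scheme) as the webapp and access log would see them.

    peer_addr is the TCP peer of the Tomcat connector (normally the proxy);
    headers is a dict with lower-case header names.
    """
    # The forwarded headers are honoured only if the direct peer is one of
    # the configured proxies; anyone else cannot set the client IP or scheme.
    if not INTERNAL_PROXIES.fullmatch(peer_addr):
        return peer_addr, connector_scheme

    remote_addr = peer_addr
    hops = [h.strip() for h in headers.get(REMOTE_IP_HEADER, "").split(",")]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, so the first non-proxy address is taken as the client.
    for hop in reversed([h for h in hops if h]):
        remote_addr = hop
        if not INTERNAL_PROXIES.fullmatch(hop):
            break

    scheme = connector_scheme
    proto = headers.get(PROTOCOL_HEADER)
    if proto is not None:
        is_https = proto.strip().lower() == PROTOCOL_HEADER_HTTPS_VALUE
        scheme = "https" if is_https else "http"
    return remote_addr, scheme


if __name__ == "__main__":
    # Constructed requests: (peer address, headers received by Tomcat).
    samples = [
        ("127.0.0.1", {}),  # proxy forwards no headers
        ("127.0.0.1", {"x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https"}),
        ("127.0.0.1", {"x-forwarded-for": "10.0.0.1, 198.51.100.9", "x-forwarded-proto": "https"}),
        ("198.51.100.9", {"x-forwarded-for": "127.0.0.1", "x-forwarded-proto": "https"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", resolve(peer, hdrs))
```

The third sample has a client-supplied `X-Forwarded-For` value in front of the address the proxy appended; the model resolves to the appended address. The fourth is a direct connection that bypasses the proxy, so its headers are ignored.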