nginx proxy to Tomcat with SSL

Question

I posted this on stackoverflow by mistake (https://stackoverflow.com/questions/65942820/nginx-proxy-to-tomcat) and I'm putting it here as well in hope of finding some solution.

I went through dozens of tutorials and I can't figure out following (althougt it should be pretty basic):

I have my compiled vue application in /var/www/mydomain.com and I want it to be shared as static content.

My backend running on 8080 by tomcat with public APIs on /api/something... URLs. The URLs are hardcoded including the "api" part.

I'd like to configure nginx to proxy mydomain.com/api/something... requests to tomcat and rest be served statically from /var/www/mydomain.com. Everything served through SSL.

I litterally don't need anything else.

Can you help me configure the nginx and tomcat to achieve that? Thank you!

nginx config /etc/nginx/sites-available/mydomain.com

upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {
        listen 443 ssl default_server;
        #listen [::]:443 ssl default_server;

        root /var/www/mydomain.com;
        index index.html index.htm index.nginx-debian.html;

       server_name _ mydomain.com www.mydomain.com;

        location /api/ {
                include proxy_params;
                proxy_set_header Host $server_name;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://tomcat;
        }

        location / {
                try_files $uri $uri/ /index.html;
        }

        ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


       listen 80 default_server;
        listen [::]:80 default_server;

       server_name _ mydomain.com www.mydomain.com;
   return 404; # managed by Certbot
}

(1) Alternative location block I'm experimenting with

        location /api/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://localhost:8080/api/;
        }

(2) Alternative block suggested by Praveen Premaratne.

This way I get "GET /api/docs HTTP/1.0" 302 - and static files work as well. Going to /api/docs makes redirect to domain:8443/api/docs where I get ERR_CONNECTION_REFUSED.

        location /api/ {
                include proxy_params;
                proxy_pass http://tomcat;
        }

        location / {
                try_files $uri $uri/ /index.html;
        }

(3) Alternative using subdomain.

I was able to create subdomain api.mydomain.com and configure nginx to go to index page from there (adding following block). No idea how to do the proxing afterwards.

server {
        listen 443 ssl;

        root /var/www/www.mydomain.com; <- redundand I guess?
        index index.html index.htm index.nginx-debian.html; <- redundand I guess?

        server_name api.mydomain.com

        ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
}

Tomcat config server.xml

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               address="127.0.0.1"
               redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
   ...
   <Host name="localhost"  appBase="webapps"
         unpackWARs="true" autoDeploy="true">
      
      <Valve className="org.apache.catalina.valves.AccessLogValve" 
         directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         requestAttributesEnabled="true"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
         protocolHeader="X-Forwarded-Proto" /> 
   ...

Current situation is that when I go to mydomain.com/api/docs where swagger should be running, I get redirected back to mydomain.com or get 500 or 502 error.

Try switching the order of the `location` block? so the `/api/` comes first. I'd personally recommend run the API on a subdomain like api.mydomain.com so you don't have this problem altogether. — Praveen Premaratne, Jan 29 '21 at 12:53
I will try that and let you know. Also trying switching it for block I've just put in description. I'm completely new in deployment to production so I have no idea how would I create sudomain and what are pros and cons of it. It sounds a bit more complicated for the simple case I need. — Tomáš Leitl, Jan 29 '21 at 13:01
ok, I've added the result to the main body as (2) Alternative block — Tomáš Leitl, Jan 29 '21 at 13:30
So Nginx now does what you want but now it's hitting the Tomcat config file and that redirects the request to `8443`. Does tomcat serve on `8443`? and if you were to access Tomcat directly over `8080` does it redirect to `8443` as well? — Praveen Premaratne, Jan 29 '21 at 14:17
If I access 8080 or 8443 directly, I get ```ERR_CONNECTION_REFUSED``` and no new record in tomcat logs. — Tomáš Leitl, Jan 29 '21 at 14:26
The fact that you are redirected to `example.com:8443` is a crucial information (it was missing in your question on SO). Tomcat does not know that the user is connecting in a secure way. Follow [this answer](https://serverfault.com/a/1050974/530633) to stop this redirect. — Piotr P. Karwasz, Jan 29 '21 at 14:30
You'd still need the proxy headers from the _(1) Alternative location block I'm experimenting with_. If that doesn't work you can try [proxy_redirect off;](https://stackoverflow.com/questions/24520540/nginx-does-redirect-not-proxy#answer-50017692) as well. — Praveen Premaratne, Jan 29 '21 at 14:31
By the way, with that subdomain - I managed to create app.mydomain. I'll write it into the desc. If you have any ideas considering that, I'll be happy to hear about it.. — Tomáš Leitl, Jan 29 '21 at 14:33
@PiotrP.Karwasz That is pretty cool, now when I go to ```/api/docs``` I got to /api/docs without redirecting to port and I get 400 from tomcat and record ```"GET /api/docs HTTP/1.0```, so... that's good. I'm pretty sure the server is running though, so I don't know why the 400. I've updated the code in desc so it matches the current state. — Tomáš Leitl, Jan 29 '21 at 15:05
@TomášLeitl: the full stack trace of the `400` error is in the log. I believe it has something to do with your `server_name` directive. Try `server_name example.com www.example.com;` without the underscore. — Piotr P. Karwasz, Jan 29 '21 at 19:07

Tomáš Leitl · Accepted Answer · 2021-02-01T21:54:59.410

Ok, so with help of @Praveen Premaratne and @Piotr P. Karwasz and this article I came up with following configuration:

don't put in lines with "# managed by Certbot", those are created by certbot, check https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

etc/nginx/sites-available/mydomain.com

server {
    server_name    mydomain.com www.mydomain.com;

    root /var/www/mydomain.com;
    index index.html;

    access_log /var/log/nginx/mydomain-access.log;
    error_log /var/log/nginx/mydomain-error.log;

    location / {
        try_files $uri $uri/ /index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name    mydomain.com www.mydomain.com;
    listen 80;
    return 404; # managed by Certbot
}

/etc/nginx/sites-available/api.mydomain.com

server {
    server_name    api.mydomain.com;

    access_log /var/log/nginx/api-mydomain-access.log;
    error_log /var/log/nginx/api-mydomain-error.log;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = api.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name    api.mydomain.com;
    listen 80;
    return 404; # managed by Certbot
}

Tomcat server.xml

<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    address="127.0.0.1"
    proxyName="api.mydomain.com"
    proxyPort="80"/>

<Engine name="Catalina" defaultHost="localhost">

    <Realm className="org.apache.catalina.realm.LockOutRealm">
    ...
    </Realm>

    <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="x-forwarded-for"
            proxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto" />

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost_access_log" suffix=".txt"
            pattern="%h %l %u %t %r %s %b" />

  </Host>
</Engine>

I would advise against using a _catch-all_ regexp for `internalProxies`: it basically mean that an attacker can make Tomcat believe a connection is coming from any IP address it chooses. Tomcat is bound to `127.0.0.1`, so it is not a problem now, but it could become in the future. — Piotr P. Karwasz, Jan 31 '21 at 19:45
Either that or just remove the attribute and keep the [default value](https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html), which seems reasonable. — Piotr P. Karwasz, Feb 01 '21 at 15:36

score 0 · Answer 2 · answered Jan 29 '21 at 13:01

0

Try this:

location / {
        try_files $uri @backend;
}
location @backend {
        include proxy_params;
        proxy_pass http://tomcat;
}

answered Jan 29 '21 at 13:01

fuero

9,413
1
35
40

Thank you. With this when I go to /api/docs, I get redirected to https://mydomain:8443/api/docs and there I get ERR_CONNECTION_REFUSED. Shouldn't the redirection be done somehow internally, without exposing 8443? – Tomáš Leitl Jan 29 '21 at 13:10
But a possive thing is I get record in tomcat access log this way: ```GET /api/docs HTTP/1.0" 302 -``` – Tomáš Leitl Jan 29 '21 at 13:14
Aaaand negative thing is this way my static files stop working... Everything gets redirected to 8443, not just /api urls. – Tomáš Leitl Jan 29 '21 at 13:20

Praveen Premaratne · Answer 3 · 2021-01-29T21:22:00.123

If I were to do this using the subdomains approach here's how I would do it.

Create an Nginx configuration file for the backend API
Create an Nginx configuration file for the static web content

Static HTML Nginx file mydomain.com.nginx

server {
    server_name    mydomain.com;

    root /var/www/mydomain.com;
    index index.html;

    access_log /var/log/nginx/mydomain-access.log;
    error_log /var/log/nginx/mydomain-error.log;

    location / {
        try_files $uri $uri/ /index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen         80;
    server_name    mydomain.com;
    return 404; # managed by Certbot


}

API Nginx config file api.mydomain.com.nginx

server {
    server_name    api.mydomain.com;

    access_log /var/log/nginx/api-mydomain-access.log;
    error_log /var/log/nginx/api-mydomain-error.log;

    location / {
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/api.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = api.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen         80;
    server_name    app.mydomain.com;
    return 404; # managed by Certbot


}

You can add these to the /etc/nginx/site-available/ directory and enable them.

Ps: I would remove the SSL stuff and run Certbot to update them since you've to issue a new certificate for the app.mydomain.com, so it would just update the files itself

I did exactly as you wrote (just using api instead of app prefix). When I go to http://api.mydomain.com/api/docs, it redirects me to https://127.0.0.1:8443/api/docs with ERR_CONNECTION_REFUSED — Tomáš Leitl, Jan 29 '21 at 17:13
Hmmm, that a copy of one on my Nginx file and I don't have this issue. Can you try using `http://127.0.0.1:8443`? — Praveen Premaratne, Jan 29 '21 at 17:18
@TomášLeitl I've updated to include the proxy redirect off settings, can you give that a shot? — Praveen Premaratne, Jan 29 '21 at 21:23
Redirected to https://127.0.0.1:8443/api/docs after that. ERR_CONNECTION_REFUSED. This is nightmare. — Tomáš Leitl, Jan 29 '21 at 22:08
Looks like there's no way Nginx would be able to stop the redirection, and I wouldn't expect it either because it's done on the Tomcat. You might have to remove the redirect in Tomcat server the backend on `8080` unfortunately. If the backend isn't directly accessible without going through the Nginx, removing SSL on Tomcat would be the best option. — Praveen Premaratne, Jan 30 '21 at 15:40
I've just got it figured out using this: https://dev.joget.org/community/display/DX7/NGINX+as+Proxy+to+Tomcat I'll post the solution after I test it more. — Tomáš Leitl, Jan 30 '21 at 16:28

nginx proxy to Tomcat with SSL

3 Answers3