I have configured nginx to act as a reverse SSL proxy for a backend of Tomcat instances serving an in-house Flex application. The aim is to get an active/backup pair. The configuration looks like:
                        |----- serverb:8080 (10.0.0.1:8080) (http)
servera:443 (ssl) ------|
                        |----- serverc:8080 (10.0.0.2:8080) (http) (backup)
This configuration seems to work well for static HTML (I can see a "check.txt" text file on the webroot of serverb, and when I kill that Tomcat instance, I can refresh and see the "check.txt" on serverc). So nginx is failing over to the backup server. All good.
My problems begin when I try to log into the Flex application. The AMF channels fail and I can see the following in my tomcat logs:
SEVERE: Servlet.service() for servlet MessageBrokerServlet threw exception
flex.messaging.security.SecurityException: Secure endpoint '/messagebroker/amfsecure' must be contacted via a secure protocol.
In my nginx logs I see:
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/BalanceServlet HTTP/1.1" 200 71 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/messagebroker/amfsecure HTTP/1.1" 404 1054 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/messagebroker/amfsecure2 HTTP/1.1" 404 1057 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.0.0.99 - - [17/Oct/2011:11:38:02 +0000] "POST /test/messagebroker/amfsecure3 HTTP/1.1" 404 1057 "https://servera/test/MainApp.swf" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
The devs had suggested that the code downloaded to the browser used whatever it saw in the URL bar to decide how it brings up the AMF channels. So the browser to nginx was using SSL, but nginx to the Tomcat instances is using HTTP.
Looking at remote-config.xml, I have the following default channels:
<default-channels>
    <channel ref="my-amf"/>
    <channel ref="my-amf2"/>
    <channel ref="my-amf3"/>
    <channel ref="ack-amf"/>
    <channel ref="my-secure-amf"/>
    <channel ref="my-secure-amf2"/>
    <channel ref="my-secure-amf3"/>
    <channel ref="sack-amf"/>
</default-channels>
Is this configuration where the problem lies?