Spring Boot + Nginx + Tomcat + SSL configuration notes
If your tomcat application needs ssl for security, one way is to configure tomcat itself to support ssl. The other way is to put nginx in front of tomcat as a reverse proxy, serve https from nginx, and use plain http between nginx and tomcat. The following describes the latter method and assumes that the application is built on spring-boot.
1. Configure nginx:
server {
    listen 80;
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        # plain http to tomcat on the same machine
        proxy_pass http://localhost:8080;
        # pass the client address and the original scheme and port to tomcat
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
There are three points to note:
1. nginx allows one server block to support both http and https. Here http on port 80 and https on port 443 are each defined by their own listen line. If you do not need http on port 80, you can delete that line.
2. nginx forwards the request to tomcat over http. Because nginx and tomcat are on the same server, https is not required between nginx and tomcat.
3. Because tomcat receives a plain http request, the application in tomcat will redirect to http instead of https when it issues a redirect. Therefore, we need to tell tomcat that it is being proxied behind https by adding two HTTP headers, X-Forwarded-Proto and X-Forwarded-Port.
2. Configure tomcat. With spring-boot-based development, you only need to configure application.properties:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
server.tomcat.port-header=X-Forwarded-Port
server.use-forward-headers=true
This configuration instructs tomcat to obtain protocol information from the HTTP headers (instead of from HttpServletRequest). If your application also uses spring-security, no further configuration is required.
In addition, because spring-boot automates enough of this, you can reduce the above four lines to two lines:
server.tomcat.protocol_header=x-forwarded-proto
server.use-forward-headers=true
This can also be written as follows:
server.tomcat.remote_ip_header=x-forwarded-for
server.use-forward-headers=true
However, you cannot write only this one line:
server.use-forward-headers=true
For more information, see:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
The presence of either of those properties will switch on the valve
In addition, although tomcat sits behind the nginx reverse proxy, port 8080 can still be accessed directly. Therefore, you can add a line to application.properties:
server.address=127.0.0.1
In this way, port 8080 can only be accessed by the local machine, but cannot be accessed by other machines.
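To check both effects described above after deployment (redirects keep the https scheme, and port 8080 listens only on the loopback address), the shell functions below read the output of curl -I and ss -ltn. This is an added example, not part of the original article; the function names, the /login path and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Live usage (the path is a placeholder for any URL of yours that redirects):
#   curl -skI https://localhost/<redirecting-path> | redirect_scheme
#   ss -ltn | exposed_listeners 8080

# Print the scheme of the Location header of an HTTP response read from stdin:
# "http"/"https", "relative" if it carries no scheme, "none" if it is absent.
redirect_scheme() {
    tr -d '\r' | awk '
        tolower($0) ~ /^location:/ {
            sub(/^[^:]*:[ \t]*/, "")
            if (match($0, /^[A-Za-z][A-Za-z0-9+.-]*:\/\//))
                print tolower(substr($0, 1, RLENGTH - 3))
            else
                print "relative"
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# Print every non-loopback address listening on TCP port $1, reading `ss -ltn`
# output from stdin. No output means the port is bound to loopback only.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)
            if (addr !~ /^127\./ && addr != "[::1]" && addr !~ /^\[::ffff:127\./)
                print addr
        }'
}

# Constructed samples: a redirect without and with the forwarded headers honoured.
RESP_PLAIN='HTTP/1.1 302
Location: http://localhost/login'
RESP_FIXED='HTTP/1.1 302
Location: https://localhost/login'
# Constructed samples: listeners before and after server.address=127.0.0.1.
SS_OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100          *:8080            *:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*'
SS_BOUND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100  127.0.0.1:8080      0.0.0.0:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*'

echo "redirect before: $(printf '%s\n' "$RESP_PLAIN" | redirect_scheme)"
echo "redirect after:  $(printf '%s\n' "$RESP_FIXED" | redirect_scheme)"
echo "8080 exposed on: $(printf '%s\n' "$SS_OPEN" | exposed_listeners 8080)"
```

A redirect scheme of "http" on an https request means tomcat is not honouring X-Forwarded-Proto; any output from exposed_listeners means port 8080 is still reachable from other machines.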