If your Tomcat application needs SSL, there are two ways to provide it: configure Tomcat itself to support SSL, or put Nginx in front of Tomcat as a reverse proxy and configure Nginx for HTTPS access, with plain HTTP between Nginx and Tomcat. This article covers the latter approach, assuming the application is built on Spring-boot.
First, configure Nginx:
server {
    listen 80;
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
Here are three points to note:
1. Nginx allows a single server block to support both HTTP and HTTPS. Here we define both, HTTP on port 80 and HTTPS on port 443. If you don't need HTTP on port 80, you can delete that line.
2. Nginx forwards the requests it receives to Tomcat over HTTP. Since Nginx and Tomcat are on the same machine, there is no need to use HTTPS between Nginx and Tomcat.
3. Because Tomcat receives a plain HTTP request, a redirect issued by the application in Tomcat goes to HTTP instead of HTTPS, so we need to tell Tomcat that it is being proxied over HTTPS. This is done by adding the two HTTP headers X-Forwarded-Proto and X-Forwarded-Port.
Second, configure Tomcat. For an application built on Spring-boot, you only need to add the following to application.properties:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
server.tomcat.port-header=x-forwarded-port
server.use-forward-headers=true
This configuration instructs Tomcat to take the protocol information from the HTTP headers (not from HttpServletRequest). If your app also uses spring-security, no further configuration is needed for it.
Also, because Spring-boot automates so much, you can reduce the four lines above to two:
server.tomcat.protocol_header=x-forwarded-proto
server.use-forward-headers=true
The following also works:
server.tomcat.remote_ip_header=x-forwarded-for
server.use-forward-headers=true
But this single line on its own is not enough:
server.use-forward-headers=true
See http://docs.spring.io/spring-boot/docs/1.3.0.RELEASE/reference/htmlsingle/#howto-enable-https for details, which says:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
on the valve
In addition, although Tomcat now sits behind the Nginx reverse proxy, its port 8080 can still be accessed directly. To prevent this, add a line to application.properties:
server.address=127.0.0.1
This way, port 8080 can only be accessed from the local machine; other machines cannot reach it.
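The check below is an added example, not part of the original article or of Spring-boot: it audits an application.properties file and an Nginx location block for the settings described above (forward headers enabled together with a header property, Tomcat bound to loopback, and the three X-Forwarded-* headers set by Nginx). The function names and the constructed sample inputs are assumptions for illustration.

```python
import ipaddress
import re
# Constructed sample inputs: GOOD_* follows the article's configuration, BAD_* omits parts of it.
GOOD_PROPS = """server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
server.use-forward-headers=true
server.address=127.0.0.1"""
GOOD_NGINX = """location / {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
}"""
BAD_PROPS = "server.use-forward-headers=true"
BAD_NGINX = "location / { proxy_pass http://localhost:8080; }"

def parse_properties(text):
    """Parse key=value lines; drop '-' and '_' from keys, as Spring Boot's relaxed binding does."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[re.sub(r"[-_]", "", key.strip().lower())] = value.strip()
    return props

def is_loopback(address):
    try:  # accepts 'localhost' or a loopback IP literal such as 127.0.0.1
        return address == "localhost" or ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False

def audit(properties_text, nginx_text):
    """Return findings as strings; an empty list means every step in the article is present."""
    props, findings = parse_properties(properties_text), []
    if props.get("server.useforwardheaders", "").lower() != "true":
        findings.append("server.use-forward-headers is not true")
    if not {"server.tomcat.protocolheader", "server.tomcat.remoteipheader"} & props.keys():
        findings.append("neither protocol_header nor remote_ip_header is set")
    if not is_loopback(props.get("server.address", "")):
        findings.append("server.address is not loopback: port 8080 is reachable without Nginx")
    sent = {h.lower() for h in re.findall(r"proxy_set_header\s+(\S+)\s+[^;]+;", nginx_text, re.I)}
    for header in ("x-forwarded-for", "x-forwarded-proto", "x-forwarded-port"):
        if header not in sent:
            findings.append("nginx does not set " + header)
    return findings

if __name__ == "__main__":
    print(audit(GOOD_PROPS, GOOD_NGINX), audit(BAD_PROPS, BAD_NGINX))
```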
SPRING-BOOT+NGINX+TOMCAT+SSL Configuration Notes