Use Nginx (HTTPS) as a reverse proxy for Tomcat (HTTP)
The company uses Tomcat to deploy a service that must be reachable from the Internet. For security reasons, the company requires the service to be offered externally over HTTPS. While configuring the Nginx reverse proxy, proxying Tomcat over HTTP tested normally. When Nginx served HTTPS in front of Tomcat, however, either the Tomcat site could not be reached, or navigation between the pages of the Tomcat site did not work. After a day of searching the Internet, I finally found a solution. (The alternative is to configure Tomcat for HTTPS as well and have Nginx proxy to it over HTTPS.) With the configuration below, Tomcat does not need to be configured for HTTPS: Nginx (HTTPS) can act as a reverse proxy for Tomcat (HTTP).
The configuration scenario is as follows:
Tomcat's access address is: http://192.168.1.23:8080/yyt-ort
Nginx's address is: https://192.168.1.25:2443
After the reverse proxy is set up, Tomcat is reached externally through Nginx at:
Through local access: https://192.168.1.25:2443/yyt-ort
Access by domain name: https://www.xxxxx.com:1234/yyt-ort
1, Nginx configuration is as follows:
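    server {
        # TLS is enabled by the ssl parameter of listen
        listen 2443 ssl;
        # host name only; the port is set by listen
        server_name www.xxxxx.com;
        ssl_certificate cert/cert.crt;
        ssl_certificate_key cert/cert.key;
        ssl_session_timeout 5m;
        # SSLv2, SSLv3 and TLSv1 are obsolete and insecure; allow TLS 1.2 and 1.3 only
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # rewrite http:// in Location/Refresh headers from Tomcat to the client's scheme
        proxy_redirect http:// $scheme://;
        port_in_redirect on;
        location ~ ^/yst-orp {
            proxy_pass http://192.168.1.23:8081;
            proxy_set_header Host $host:$server_port;
            # only one Host header may be set; the port-less form is left disabled
            # proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }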
2, The main configuration directives in Nginx
Nginx (HTTPS) is able to reverse proxy for Tomcat (HTTP) successfully mainly because of three configuration directives:
(1) The proxy_redirect directive
This directive is used to change the "Location" and "Refresh" fields in the response headers returned by the proxied server.
The configuration syntax is: proxy_redirect [ default | off | redirect replacement ];
The default value is: proxy_redirect default;
Context: http, server, location
Here it is configured as proxy_redirect http:// $scheme://; so that the http returned from Tomcat is changed to https.
Official documentation: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
(2) The port_in_redirect directive
This directive enables or disables specifying the port in absolute redirects issued by Nginx.
Configuration syntax: port_in_redirect [ on | off ];
Default value: port_in_redirect on;
Context: http, server, location
Here it is configured as port_in_redirect on; so that, when a redirect passes through the Nginx reverse proxy in front of Tomcat, the port in the redirect is replaced with the port Nginx listens on.
Official documentation: http://nginx.org/en/docs/http/ngx_http_core_module.html#port_in_redirect
(3) The proxy_set_header directive
This directive allows redefining or adding request headers passed to the backend server. The value can contain text, variables, or a combination of both. If and only if no proxy_set_header directive is defined at the current configuration level, the directives are inherited from the level above. By default, only two request headers are redefined:
    proxy_set_header Host $proxy_host;
    proxy_set_header Connection close;
Configuration syntax: proxy_set_header field value;
Context: http, server, location
Here it is set to proxy_set_header Host $host:$server_port; so that the Host header of the request passed to Tomcat carries the address and port on which the Nginx reverse proxy is listening. The back-end Tomcat then returns its response to Nginx when the request has been processed, and Nginx returns the result to the client. Otherwise, the response of the back-end service points the client directly at the back end, the HTTPS jumps requested by the client become HTTP, and the request times out.
Official documentation: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
3, Binding a domain name and accessing through the domain name
After the configuration is complete, the site can be accessed normally over HTTPS locally through Nginx (a security warning is shown when HTTPS is accessed via IP and port), but it cannot be accessed through the externally provided domain name plus port.
This is caused by the proxy_set_header setting in the Nginx configuration. With proxy_set_header Host $host:$server_port;, the address in the client request header is rewritten to the local Nginx listening address plus port, namely 192.168.1.25:2443. When the internal and external ports differ, the target address in the result returned to the client for an external request becomes the domain name (www.xxxxx.com) plus port 2443, so a customer who enters www.xxxxx.com:1234 is sent to www.xxxxx.com:2443 when accessing through the domain name. To solve this problem, you only need to change the line proxy_set_header Host $host:$server_port; to:
    proxy_set_header Host www.xxxxx.com:1234;
With this setting, the server handles the request and returns the result to the client by way of the proxy service at www.xxxxx.com:1234. With this setting, direct local access to the Nginx host will also jump to the domain name address.
Note: When testing through the domain name plus port, the public IP address that Nginx is mapped to externally and the egress public IP address of the test terminal must not be the same; otherwise, the site cannot be accessed when the domain name is tested locally.
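The effect of the three Host settings discussed in sections 2 and 3 can be traced with a small model. This is an added example, not part of the original article or of Nginx or Tomcat: the function names and the sample path /yyt-ort/index.jsp are constructed, and the backend is assumed to build absolute redirects from the Host header it receives, using the http scheme of the proxy-to-backend connection.

```python
import re
from urllib.parse import urlsplit

BACKEND = "192.168.1.23:8081"   # proxy_pass target from the page
LISTEN_PORT = "2443"            # Nginx listen port from the page
PUBLIC = "www.xxxxx.com:1234"   # externally mapped domain name and port

def expand(template, request_host):
    """Expand the Nginx variables that appear in the Host value."""
    variables = {"host": request_host, "server_port": LISTEN_PORT,
                 "proxy_host": BACKEND}
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], template)

def backend_redirect(host_header, path):
    """Assumed backend behaviour: absolute redirect built from the Host
    header, scheme http because the proxy-to-backend leg is plain HTTP."""
    return f"http://{host_header}{path}"

def proxy_redirect(location, scheme="https"):
    """Model of `proxy_redirect http:// $scheme://;` (prefix replacement)."""
    if location.startswith("http://"):
        return f"{scheme}://" + location[len("http://"):]
    return location

def location_seen_by_client(host_template, client_authority,
                            path="/yyt-ort/index.jsp"):
    """Location header the client receives for a given Host setting."""
    # $host carries the requested host name without the port
    request_host = urlsplit("//" + client_authority).hostname
    host_header = expand(host_template, request_host)
    return proxy_redirect(backend_redirect(host_header, path))

def stays_on(location, client_authority):
    """True if the redirect keeps the client on HTTPS at the address it used."""
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.netloc == client_authority

if __name__ == "__main__":
    for template in ("$proxy_host", "$host:$server_port", PUBLIC):
        for authority in ("192.168.1.25:2443", PUBLIC):
            loc = location_seen_by_client(template, authority)
            print(f"{template:20} {authority:20} {loc} "
                  f"ok={stays_on(loc, authority)}")
```

Running it prints one row per combination of Host setting and client address; only the rows where the redirect authority equals the address the client typed are marked ok.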