I have a standard reverse proxy, with nginx and Tomcat 8.
I want nginx to handle encryption, but still inform tomcat whether the connection is secure or not.
i have
location /{
listen 80;
proxy_pass http://backend:8080;
}
location /{
listen 443 ssl;
proxy_pass https://backend:8443;
}
tomcat has the following config:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="false" scheme="https" secure="true" clientAuth="false" URIEncoding="UTF-8"/>
however I am getting error
SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 185.3.147.237, server: backing, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8443/favicon.ico", host: "
How do I tell nginx that connection to backend is not encrypted even though the address starts with https?
Best Answer
Your Tomcat configuration has
SSLEnabled=false
. Therefore your Tomcat listens to standard HTTP on8443
port, and nginx fails to connect to it.I would implement this so that I would use a single upstream port to Tomcat, and set HTTP header which would contain the SSL status. Something like this:
This server block receives both to
http
andhttps
, passes all request to Tomcathttp
backend and sets a headerX-SCHEME
, which is eitherhttp
orhttps
. Then you have the information you want in your backend.