Nginx – Disable ssl between reverse proxy and proxied server

nginxreverse-proxyssltomcat

I have a standard reverse proxy, with nginx and Tomcat 8.

I want nginx to handle encryption, but still inform tomcat whether the connection is secure or not.

i have

location /{
 listen 80;
 proxy_pass http://backend:8080;
}

location /{
  listen 443 ssl;
  proxy_pass https://backend:8443;
}

tomcat has the following config:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="false" scheme="https" secure="true" clientAuth="false" URIEncoding="UTF-8"/>

however I am getting error

SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 185.3.147.237, server: backing, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8443/favicon.ico", host: "

How do I tell nginx that connection to backend is not encrypted even though the address starts with https?

Best Answer

Your Tomcat configuration has SSLEnabled=false. Therefore your Tomcat listens to standard HTTP on 8443 port, and nginx fails to connect to it.

I would implement this so that I would use a single upstream port to Tomcat, and set HTTP header which would contain the SSL status. Something like this:

server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    proxy_set_header X-SCHEME $scheme;

    proxy_pass http://backend:8080;
}

This server block receives both to http and https, passes all request to Tomcat http backend and sets a header X-SCHEME, which is either http or https. Then you have the information you want in your backend.

Related Solutions

Nginx – Problem with GWT behind a reverse proxy – either nginx or apache

I think you should

location /context/ {
    proxy_pass        http://backend/context/;
}

and then use rewrite to strip /context part from URL

The difference between Load Balancer and Reverse Proxy

Your confusion is reasonable - they are often the same thing. But not always. When you refer to a load balancer you are referring to a very specific thing - a server or device that balances inbound requests across two or more web servers to spread the load. A reverse proxy, however, typically has any number of features:

load balancing: as discussed above
caching: it can cache content from the web server(s) behind it and thereby reduce the load on the web server(s) and return some static content back to the requester without having to get the data from the web server(s)
security: it can protect the web server(s) by preventing direct access from the internet; it might do this through simple means by just obfuscating the web server(s) or it may have some more active components that actually review inbound requests looking for malicious code
SSL acceleration: when SSL is used; it may serve as a termination point for those SSL sessions so that the workload of dealing with the encryption is offloaded from the web server(s)

I think this covers most of it but there are probably a few other features I've missed. Certainly it isn't uncommon to see a device or piece of software marketed as a load balancer/reverse proxy because the features are so commonly bundled together.

Best Answer

Related Solutions

Nginx – Problem with GWT behind a reverse proxy – either nginx or apache

The difference between Load Balancer and Reverse Proxy

Related Topic