How do I fix net::ERR_SSL_PROTOCOL_ERROR error when I put nginx in front of Tomcat?

How do I fix net::ERR_SSL_PROTOCOL_ERROR error when I put nginx in front of Tomcat?


#user nobody;
# A single worker process handles every connection for all listeners below.
worker_processes 1;

# No error_log directive is enabled, so nginx falls back to its built-in default
# error log. TLS handshake failures and upstream connection errors are recorded
# there, which makes it the first place to look when diagnosing this setup.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
    # Per-worker connection cap. For a reverse proxy this budget covers both the
    # client-side and the upstream-side connection of each proxied request.
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    # Upstream group for the Tomcat backend; the server blocks below proxy to it by name.
    # nginx reaches Tomcat over loopback here, but the failing URL reported with this
    # config is https://serverIP:8330/..., so the Tomcat connector appears to be
    # reachable on a non-loopback address as well.
    # NOTE(review): if 8330 is meant to be reached only through nginx, bind the Tomcat
    # connector to 127.0.0.1 or firewall the port; otherwise clients can bypass the
    # TLS-terminating proxy and talk to the backend in plaintext.
    upstream tomcat {
        server 127.0.0.1:8330;
    }

    charset utf-8;



    #gzip on;

    # Listener on port 8331 that proxies every request to the `tomcat` upstream.
    server {
        # No `ssl` parameter: this port speaks plain HTTP. A browser that opens
        # https://host:8331/ will fail the TLS handshake against this listener.
        listen 8331;
        # This is the only server block shown for port 8331, so it also acts as the
        # default server and accepts requests regardless of the Host header sent.
        server_name localhost;

        # return 301 https://$host$request_uri;
        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            # root html;
            # index index.html index.htm;
            # proxy_pass http://sgmng.pluggolf.com;

            # $http_host is the client-supplied Host header, forwarded unvalidated.
            # NOTE(review): the backend should not build links or make trust
            # decisions from it unless it checks the value against an allow-list.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent; only the last entry is set by nginx.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # $scheme is "http" on this listener because it has no `ssl` parameter.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-NginX-Proxy true;

            proxy_http_version 1.1;
            # Upgrade/Connection are forwarded so protocol upgrades can pass through.
            # Connection is set to "Upgrade" unconditionally, i.e. on every request.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            # An empty value makes nginx drop the header, so Tomcat never sees the
            # browser's Origin. NOTE(review): any Origin-based CORS, CSRF or
            # WebSocket-origin check in the application is blind behind this proxy.
            proxy_set_header Origin "";
            # new

            # Copy the upstream path set above
            # nginx opens a TLS connection to 127.0.0.1:8330 here, while the 8332
            # server block talks plain HTTP to the same upstream. Tomcat's connector
            # can match only one of the two; NOTE(review): confirm which it speaks.
            # nginx does not verify the upstream certificate unless proxy_ssl_verify
            # is enabled, which is not the case in this file.
            proxy_pass https://tomcat;
            # proxy_redirect off;
            charset utf-8;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        # proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        # root html;
        # fastcgi_pass 127.0.0.1:9000;
        # fastcgi_index index.php;
        # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        # include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        # deny all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    # server {
    # listen 8080;
    # listen somename:8080;
    # server_name somename alias another.alias;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    # }


    # HTTPS server
    
    # TLS-terminating listener on port 8332: the only listener in this file with
    # the `ssl` parameter. Decrypted requests are proxied to the `tomcat` upstream.
    server {
       listen 8332 ssl;
       server_name localhost;

       charset utf-8;

       # Certificate and private key used for the TLS handshake.
       # NOTE(review): the .key file should be readable only by the account that
       # runs nginx; confirm the filesystem permissions on the cert directory.
       ssl_certificate D:/service/cbdc_dt/nginx/cert/plusity.crt;
       ssl_certificate_key D:/service/cbdc_dt/nginx/cert/plusity.key;

    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;

       # No ssl_protocols directive is set, so the accepted TLS versions are the
       # defaults of the installed nginx build. NOTE(review): pin them explicitly
       # (e.g. `ssl_protocols TLSv1.2 TLSv1.3;`) so an old build cannot negotiate
       # legacy versions. `HIGH` is a broad OpenSSL alias; consider an explicit
       # list of AEAD suites instead.
       ssl_ciphers HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers on;

       location / {
        # root html;
        # index index.html index.htm;
        # Plain HTTP to the loopback upstream after TLS has been terminated here.
        proxy_pass http://tomcat;

        # $http_host is the client-supplied Host header, forwarded unvalidated.
        proxy_set_header Host $http_host;
        # Header name uses an underscore (X-Real_IP), unlike X-Real-IP in the 8331
        # block. NOTE(review): looks like a typo; a backend reading X-Real-IP
        # will not find the client address under this name.
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # X-Forwarded-Proto is disabled below, so Tomcat is not told that the
        # original request arrived over HTTPS. NOTE(review): applications that
        # build absolute URLs or decide on Secure cookies from the request scheme
        # may then emit wrong scheme/port values; confirm against the backend.
            # proxy_set_header X-Forwarded-Proto $scheme;
            # proxy_set_header X-NginX-Proxy true;

        # Upgrade is forwarded but Connection is cleared, so no upgrade request
        # reaches Tomcat in effect; with buffering off and a long read timeout
        # this presumably targets long-lived streaming responses (TODO confirm).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection '';
        # An empty value makes nginx drop the header, so Tomcat never sees the
        # browser's Origin and cannot enforce Origin-based CORS/CSRF checks.
        proxy_set_header Origin "";
        proxy_http_version 1.1;
        chunked_transfer_encoding off;

        proxy_buffering off;
        proxy_cache off;
        # An idle upstream response may be held open for up to 7 days; each such
        # request keeps connections from the worker_connections budget occupied.
        proxy_read_timeout 7d;
        proxy_redirect off;
        charset utf-8;
       }
    }

}

I configured nginx as shown above to apply SSL to all requests coming to ports 8331 and 8332 and to forward them to Tomcat on port 8330.

However, when requests go to 8330 through nginx like this, the request GET https://serverIP:8330/itf/subscribe fails with net::ERR_SSL_PROTOCOL_ERROR.

/itf/subscribe works normally when nginx is not present.

But there seems to be a problem when it is called from a page served at an https address.

How can I solve this problem?

Best Regards!


Solution 1:

According to your nginx configuration, port 8330 is handled by your upstream server (Tomcat). If you haven't configured Tomcat to use SSL, you will get an SSL error when you connect to it with an https URL, because the browser attempts a TLS handshake with a port that only speaks plain HTTP.

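With your configuration, you need to connect to https://example.com:8332/ to use SSL. This connects to the nginx port that is configured for SSL, and nginx then proxies the request to the Tomcat server. The /itf/subscribe request therefore has to be sent to port 8332 as well, not directly to port 8330.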