Configuring nginx for use with Tomcat and SSL

We have a similar configuration at my work; nginx terminates SSL and passes raw HTTP back to Tomcat. Our application uses multiple domain names.

We've found that it is sufficient to add the lines to server.xml:

    scheme="https"
    proxyPort="443"

proxyName was not required, nor were any other changes, either to Tomcat or to nginx.


It's been more than six months, but I'll give it a shot. I think you are missing the X-Forwarded-Proto header. Relevant virtual host configuration on nginx:

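        server_name jira.site.com;
        ...
        location /jira {
            # Pass the original host and client address to Tomcat
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Tell the backend that the client connection was HTTPS
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Plain HTTP to Tomcat on the loopback interface
            proxy_pass http://127.0.0.1:8080/jira;
        }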

In some cases, like JIRA above for example, you need to tell Tomcat that it's behind a proxy:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               scheme="https"
               proxyName="jira.site.com"
               proxyPort="443"/>

That way you may end up with several ports for every application but it works just fine.

As for troyengel's, why would I bother with "Nginx + Tomcat"? Well, nginx is way faster and takes next to nothing both memory- and CPU-wise. That way there are more resources to waste, on Tomcat for example. :/

Finally, I wouldn't call Apache-AJP13-Tomcat a proper integration, not anymore. Once you enable the Tomcat APR Listener:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

and sendfile (with the tcnative library), the whole thing just flies. Then you just serve out static content directly from nginx and you still have enough power to run everyone's favorite PHP sites by proxying to php-fpm.

Well, that's just from my experience, ymmv though.
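
A check for the Connector settings both answers rely on, as an added example that is not part of either answer: it parses a server.xml and reports plain-HTTP connectors that lack the proxy attributes. The `secure` and `address` checks go beyond what the answers set; both are standard Tomcat Connector attributes, and the loopback check assumes nginx and Tomcat share a host, as in the `proxy_pass http://127.0.0.1:8080` line above. The function name and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from the second answer inside a minimal server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               scheme="https"
               proxyName="jira.site.com"
               proxyPort="443"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml):
    """Return (port, finding) tuples for plain-HTTP connectors that sit behind a TLS proxy."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # AJP connectors are out of scope for this check
        if conn.get("SSLEnabled", "false").lower() == "true":
            continue  # Tomcat terminates TLS itself on this connector
        if conn.get("scheme", "http") != "https":
            findings.append((port, "scheme is not https: request.getScheme() returns http"))
        if conn.get("proxyPort") is None:
            findings.append((port, "proxyPort missing: request.getServerPort() does not report the proxy's port"))
        if conn.get("secure", "false").lower() != "true":
            findings.append((port, "secure is not true: request.isSecure() returns false"))
        if conn.get("address") not in LOOPBACK:
            findings.append((port, "address is not loopback: the plain-HTTP port listens beyond the nginx host"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```

Run against the Connector shown above, it reports the `secure` and `address` findings only, since `scheme` and `proxyPort` are already set.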