nginx reverse proxy glassfish issues
I have nginx serving as a reverse proxy for a GlassFish server with SSL, serving three GlassFish contexts: one demo site, one Jenkins and one GlassFish admin server. Root is redirected to the demo site. HTTP is redirected to HTTPS, with nginx doing the SSL offloading. All is working perfectly except for two issues:
- When browsing to the demo site for the first time (or after clearing the browser history) I get the GlassFish root without being redirected to HTTPS. After a refresh I am redirected correctly to the HTTPS demo site.
- When browsing to the GlassFish admin I get a blank page: the index of the admin page loads correctly, but none of its resources are loaded (404). The nginx error log shows me the following errors:
2015/11/19 08:27:13 [error] 12656#0: *2 open() "/usr/share/nginx/html/resource/community-theme/images/login-product_name_open.png" failed (2: No such file or directory), client: <ip-address>, server: demo.domain.nl, request: "GET /resource/community-theme/images/login-product_name_open.png HTTP/1.1", host: "demo.domain.nl", referrer: "https://demo.domain.nl/admin/"
Any help greatly appreciated! Below you can find my nginx conf:
# Plain-HTTP listener for demo.domain.nl (IPv4 and IPv6). Nothing is served
# here: every request is answered with a permanent redirect to the HTTPS site.
server {
    server_name demo.domain.nl;

    listen 80;
    listen [::]:80;

    # $server_name is the canonical name above; $request_uri carries the
    # original path and query string over to the HTTPS listener unchanged.
    return 301 https://$server_name$request_uri;
}
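# HTTPS front end for demo.domain.nl. TLS is terminated here and three
# GlassFish contexts on localhost are proxied: /demo/ and /jenkins/ to the
# plain-HTTP listener on 8080, /admin/ to the HTTPS admin listener on 4848.
server {
    # "ssl" on the listen line is what enables TLS; the separate "ssl on;"
    # the original also carried is redundant (and deprecated since nginx
    # 1.15.0). "default" is the older spelling of default_server.
    listen 443 default ssl;
    server_name demo.domain.nl;
    client_max_body_size 5M;

    ssl_certificate     conf.d/ssl/demo.domain.nl.crt;
    ssl_certificate_key conf.d/ssl/demo.domain.nl.key;
    # SSLv3 removed: it has no secure configuration (POODLE). TLSv1 and
    # TLSv1.1 are kept only for compatibility with old clients; drop them
    # once no such clients remain.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # RC4 was the preferred cipher in the original list; it is a broken
    # stream cipher and is now excluded so the server never negotiates it.
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    access_log /var/log/nginx/demo.https.access_log;
    error_log  /var/log/nginx/demo.https.error_log;
    # Logs every rewrite decision at notice level: handy while debugging the
    # "/" -> "/demo/" rewrite below, noisy in normal operation.
    rewrite_log on;

    # Bare "/" is served as the demo context by an internal rewrite; the
    # browser never sees a redirect for this.
    location = / {
        rewrite ^ /demo/ last;
    }

    # /demo/ and /jenkins/ are configured identically. nginx cannot share
    # directives between locations other than via "include", so both are
    # spelled out. Note that add_header sends Front-End-Https to the browser
    # as a response header; a hint meant for the backend would need
    # proxy_set_header instead.
    location /demo/ {
        proxy_pass http://localhost:8080/demo/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # An empty value means the header is not forwarded at all, so the
        # backend is never asked for compressed bodies.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        # Backend Location headers pass through unchanged. NOTE(review): a
        # backend redirect to http://demo.domain.nl/... would first land on
        # the port-80 server and only then be bounced to https -- presumably
        # the first-visit behaviour described above; confirm by inspecting
        # the Location header the backend returns.
        proxy_redirect off;
    }

    location /jenkins/ {
        proxy_pass http://localhost:8080/jenkins/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # Header dropped (empty value), see /demo/ above.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        proxy_redirect off;
    }

    # GlassFish admin console. NOTE(review): the console's pages request
    # site-absolute paths such as /resource/... (see the 404s in the error
    # log above); those URIs do not start with /admin/, so they never reach
    # this location and fall through to nginx's static root instead. Serving
    # the console at "/" on a listener of its own avoids that.
    location /admin/ {
        # nginx does not verify the upstream certificate by default; that is
        # tolerable only because the upstream is loopback.
        proxy_pass https://localhost:4848/;
        proxy_redirect https://localhost:4848 https://demo.domain.nl/admin;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # Header dropped (empty value), see /demo/ above.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        # The admin console is reachable by anyone who can reach port 443.
        # Restrict it to management addresses; placeholder network shown:
        # allow 203.0.113.0/24;
        # deny  all;
    }
}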
Solution 1:
I had a lot of trouble making the GF4.1 admin console work with an Nginx reverse proxy, so I am leaving this here in case anybody comes looking.
The big trouble is not making it work, but that GlassFish's web app uses many XMLHttpRequests, which make life hard. See below for a working config. I listened on 8484 as a sort of "hiding" of the console, but you can listen on something else; it should work fine. Note that you might not need all these settings just to get it working. We had rather strict requirements on ciphers etc., but it will get you an A+ rating on SSL Labs.
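# Dedicated HTTPS listener for the GlassFish 4.1 admin console, mounted at
# "/" so the console's site-absolute resource paths resolve. A non-standard
# port hides nothing from a port scan: use allow/deny or client certificates
# for real access control (see the commented example in the location block).
server {
    # "ssl" on the listen line replaces the deprecated standalone "ssl on;".
    listen 8484 ssl;
    server_name yourdomain.com;

    ssl_certificate     /path/to/linked.crt;
    ssl_certificate_key /path/to/keyfile.key;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_timeout 5m;
    client_max_body_size 4G;

    # TLSv1.1 is deprecated; TLSv1.2 alone is preferable where clients allow.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret ECDHE/DHE suites only; everything weak or anonymous is
    # excluded explicitly.
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 !DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
    # Custom DH parameters defeat precomputed-prime (Logjam) attacks. Generate
    # them with:  openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
    # HSTS is scoped to the host name, not the port: a browser that sees this
    # header on :8484 will insist on HTTPS for yourdomain.com on every other
    # port too, and includeSubDomains extends that to all subdomains.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
    # NOTE(review): OCSP stapling generally also needs a "resolver" and
    # "ssl_trusted_certificate" before nginx can actually staple -- check the
    # error log for stapling warnings.
    ssl_stapling on;

    access_log /var/log/nginx/nginx-access.log;
    error_log  /var/log/nginx/nginx-error.log;

    location / {
        # Generous timeouts for slow console requests.
        proxy_connect_timeout 300;
        proxy_send_timeout    300;
        proxy_read_timeout    300;
        send_timeout          300;
        # nginx default; kept for explicitness.
        proxy_pass_request_headers on;
        # proxy_no_cache / proxy_cache_bypass only take effect once a
        # proxy_cache is configured; there is none here, so they are inert.
        proxy_no_cache     $cookie_nocache $arg_nocache$arg_comment;
        proxy_no_cache     $http_pragma $http_authorization;
        proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
        proxy_cache_bypass $http_pragma $http_authorization;

        proxy_set_header X-Real-IP $remote_addr;
        # The ":$server_port" suffix is essential according to the original
        # author -- presumably so URLs the console generates keep the 8484
        # port; verify before changing.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Wildcard CORS on an admin console lets any origin read its
        # non-credentialed responses. NOTE(review): the console's
        # XMLHttpRequests are same-origin once the proxy_redirect below is in
        # place, so this header is likely unnecessary -- confirm and remove.
        # The proxy_set_header variant sends the same string to GlassFish as a
        # *request* header, which has no CORS effect at all.
        add_header Access-Control-Allow-Origin *;
        proxy_set_header Access-Control-Allow-Origin *;
        # Rewrites Location headers the console emits for /web/ back to the
        # public URL (the XMLHttpRequests otherwise follow a local address).
        proxy_redirect /web/ https://yourdomain.com:8484/web/;
        proxy_pass https://127.0.0.1:4848;
        # nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify off); tolerable here only because the upstream is
        # loopback. To verify it, set "proxy_ssl_verify on;" together with
        # proxy_ssl_trusted_certificate.
        # Restrict the console to management addresses; placeholder network:
        # allow 203.0.113.0/24;
        # deny  all;
    }
}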