nginx(ssl offload)+tomcat
nginxでssl offloadしてtomcatをバックに置く場合の簡易設定メモです。
nginx
/etc/nginx/conf.d/app.conf
upstream app {
server localhost:8080;
keepalive 16;
}
server {
listen *:443 default_server;
server_name app.example.com;
server_tokens off;
# ssl
ssl on;
ssl_certificate /etc/nginx/certs/app/certificate.crt;
ssl_certificate_key /etc/nginx/certs/app/rsa-secret.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5;
access_log /var/log/nginx/app_access.log;
error_log /var/log/nginx/app_error.log;
location / {
# proxy
proxy_read_timeout 60;
proxy_connect_timeout 5;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://app;
}
}
tomcat
これを設定しないとLocationヘッダがhttpになる。
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />
