nginx (SSL offload) + Tomcat
A quick configuration memo for terminating SSL at nginx (SSL offload) with Tomcat running behind it.
nginx
/etc/nginx/conf.d/app.conf
    upstream app {
        server localhost:8080;
        keepalive 16;
    }

    server {
        listen *:443 ssl default_server;
        server_name app.example.com;
        server_tokens off;

        # ssl
        ssl_certificate /etc/nginx/certs/app/certificate.crt;
        ssl_certificate_key /etc/nginx/certs/app/rsa-secret.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!ADH:!MD5;

        access_log /var/log/nginx/app_access.log;
        error_log /var/log/nginx/app_error.log;

        location / {
            # proxy
            # HTTP/1.1 with an empty Connection header is needed for upstream keepalive
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_read_timeout 60;
            proxy_connect_timeout 5;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://app;
        }
    }
tomcat
Without this setting, the Location header will use http, because Tomcat only sees the plain-HTTP connection from nginx.

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />
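The following is an added example, not part of the original memo and not Tomcat's code: a simplified Python model of how a valve like this resolves the client address and scheme from the headers nginx sets above. It assumes that only loopback counts as a trusted proxy (Tomcat's default internalProxies pattern is broader) and that the connector on port 8080 is plain HTTP; the function names and sample addresses are constructed.

```python
import ipaddress

# Assumption: only loopback is trusted, matching "server localhost:8080" above.
INTERNAL_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("::1/128")]

def is_internal(addr):
    """True if addr parses as an IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable entries are never trusted
    return any(ip in net for net in INTERNAL_PROXIES)

def resolve(peer_addr, headers):
    """Return (client_ip, scheme) as the application would see them.

    peer_addr: TCP peer of the Tomcat connector (nginx when proxied).
    headers:   request headers with lower-cased names.
    """
    # Forwarding headers are honoured only when the peer is a trusted proxy;
    # a client reaching port 8080 directly cannot spoof them.
    if not is_internal(peer_addr):
        return peer_addr, "http"
    client_ip = peer_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left: nginx appended the rightmost entry itself
    # ($proxy_add_x_forwarded_for), so the first untrusted address from the
    # right is the real client. Anything further left was sent by the client.
    for hop in reversed([h for h in hops if h]):
        if not is_internal(hop):
            client_ip = hop
            break
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    return client_ip, ("https" if proto == "https" else "http")

def redirect_location(scheme, host, path):
    """Absolute redirect URL built from the resolved scheme."""
    return f"{scheme}://{host}{path}"

# Constructed sample: the client forged the first X-Forwarded-For entry.
SAMPLE = {"x-forwarded-for": "198.51.100.99, 203.0.113.7",
          "x-forwarded-proto": "https"}

if __name__ == "__main__":
    ip, scheme = resolve("127.0.0.1", SAMPLE)
    print(ip, redirect_location(scheme, "app.example.com", "/login"))
```
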