
nginx(ssl offload)+tomcat

A quick configuration memo for terminating TLS in nginx (SSL offload) with Tomcat as the backend. nginx owns the certificate and speaks plain HTTP to Tomcat on localhost, so Tomcat has to be told about the original client address and scheme via the X-Forwarded-* headers.

nginx

/etc/nginx/conf.d/app.conf

upstream app {
  server localhost:8080;
  keepalive 16;
}

server {
  # "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listen directive instead
  listen *:443 ssl default_server;
  server_name app.example.com;
  server_tokens off;

  # ssl
  ssl_certificate      /etc/nginx/certs/app/certificate.crt;
  ssl_certificate_key  /etc/nginx/certs/app/rsa-secret.key;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); do not offer them
  ssl_protocols        TLSv1.2 TLSv1.3;
  # !aNULL also excludes anonymous ECDH, which !ADH alone leaves enabled
  ssl_ciphers          HIGH:!aNULL:!MD5;

  access_log  /var/log/nginx/app_access.log;
  error_log   /var/log/nginx/app_error.log;

  location / {
    # proxy
    proxy_read_timeout 60;
    proxy_connect_timeout 5;

    # without these two lines the upstream keepalive pool above is never used
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # leave Tomcat's Location headers untouched; RemoteIpValve (below) makes them https
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Server $host;
    # appends $remote_addr to whatever X-Forwarded-For the client sent, so the
    # rightmost entry is always the real peer address
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://app;
  }
}

tomcat

Without this valve Tomcat only sees a plain-HTTP request from 127.0.0.1, so the Location header on redirects (and anything built from request.getScheme() or isSecure()) comes back as http://. RemoteIpValve reads the x-forwarded-proto header nginx sets and makes the request report https; it also replaces the remote address with the client IP taken from x-forwarded-for. The valve only honours these headers when the connection comes from an address matching internalProxies or trustedProxies; Tomcat's default internalProxies covers loopback and the RFC 1918 ranges, which matches the localhost upstream above, but set it explicitly if nginx runs on another host. Also make sure port 8080 is not reachable from outside (bind the Connector to 127.0.0.1), otherwise a client can connect to Tomcat directly and the forwarded headers mean nothing. Add the valve to server.xml inside <Engine> or <Host>:

<!-- conf/server.xml; internalProxies is left at Tomcat's default (loopback + RFC 1918) -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />
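To make the trust rules concrete, here is an added example (not from this post and not Tomcat's own code) that models in Python how RemoteIpValve decides which X-Forwarded-For entry is the client and whether X-Forwarded-Proto may be believed. The request inputs are constructed, and the internal-proxy list is an ipaddress approximation of Tomcat's default internalProxies regex (loopback, link-local and RFC 1918). It shows why the nginx config above appends the real peer address with $proxy_add_x_forwarded_for: a client-supplied X-Forwarded-For ends up to the left of the real address and is left for the application instead of being taken as the remote IP, and headers arriving on a direct connection from an untrusted peer are ignored entirely.

```python
"""Model of Tomcat RemoteIpValve header resolution (added example, not Tomcat code)."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: approximates Tomcat's default internalProxies regex with networks.
DEFAULT_INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128")]


def _matches(addr, networks):
    """True if addr parses as an IP and falls inside any of the networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


@dataclass
class Resolved:
    remote_addr: str          # what request.getRemoteAddr() would return
    scheme: str               # what request.getScheme() would return
    secure: bool              # what request.isSecure() would return
    forwarded_for: list = field(default_factory=list)  # entries left for the app
    forwarded_by: list = field(default_factory=list)   # trusted proxies traversed


def resolve(remote_addr, headers, internal_proxies=DEFAULT_INTERNAL_PROXIES,
            trusted_proxies=()):
    """Apply the RemoteIpValve rules to one request.

    remote_addr: peer address of the TCP connection Tomcat accepted.
    headers: lowercase header names, e.g. {"x-forwarded-for": "...",
             "x-forwarded-proto": "https"} (constructed test input).
    """
    # Rule 1: forwarded headers are only honoured when the peer itself is a
    # known proxy. A client reaching port 8080 directly cannot spoof anything.
    if not (_matches(remote_addr, internal_proxies)
            or _matches(remote_addr, trusted_proxies)):
        return Resolved(remote_addr, "http", False)

    xff = [v.strip() for v in headers.get("x-forwarded-for", "").split(",")
           if v.strip()]
    forwarded_by = []
    client = remote_addr
    # Rule 2: walk the chain from the right (the entry nginx appended last).
    # Internal proxies are dropped silently, trusted proxies are moved into
    # x-forwarded-by, and the first address that is neither is the client.
    # Anything left of it stays in x-forwarded-for for the application.
    while xff:
        client = xff[-1]
        if _matches(client, internal_proxies):
            xff.pop()
        elif _matches(client, trusted_proxies):
            forwarded_by.insert(0, xff.pop())
        else:
            xff.pop()
            break

    # Rule 3: the scheme comes from x-forwarded-proto (nginx sets it to $scheme).
    secure = headers.get("x-forwarded-proto", "").lower() == "https"
    return Resolved(client, "https" if secure else "http", secure, xff, forwarded_by)


if __name__ == "__main__":
    # Normal path: nginx on loopback forwards a client request over TLS.
    print(resolve("127.0.0.1", {"x-forwarded-for": "203.0.113.7",
                                "x-forwarded-proto": "https"}))
    # Spoof attempt: the client sent its own X-Forwarded-For, nginx appended the real peer.
    print(resolve("127.0.0.1", {"x-forwarded-for": "198.51.100.9, 203.0.113.7",
                                "x-forwarded-proto": "https"}))
    # Direct hit on 8080 from outside: headers are ignored, request stays http.
    print(resolve("203.0.113.7", {"x-forwarded-for": "10.0.0.1",
                                  "x-forwarded-proto": "https"}))
```

The third case is the one that matters operationally: the valve protects you only as long as every path to Tomcat goes through a proxy that matches internalProxies or trustedProxies, which is why the Connector should be bound to 127.0.0.1 when nginx runs on the same host.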