Nginx ssl offload for Tomcat in SmartOS

本篇的目的主要在使用Nginx Reverse Proxy的功能來卸載HTTPS SSL

也就是說Tomcat走HTTP 8080 Port，本身無HTTPS SSL

然後透過Nginx來加上HTTPS SSL，提供HTTPS服務於443 Port上

環境以MiCloud SmartOSPlus64為主

Environment

# uname -a

SunOS MiCloudDBT.local 5.11 joyent_20120808T224832Z i86pc i386 i86pc Solaris

Installation

# pkgin -y in nginx-1.0.4 apache-tomcat-6.0.32 sun-jdk6-6.0.26 

Servers

Tomcat server: 123.123.123.123 (Port: 8080)

Nginx server: 123.123.123.123 (Port: 80, 443)

Nginx Configure (/opt/local/etc/nginx/nginx.conf)

# 說明 - 此部份設定主要包含：

# 1. 建立tomcat - nginx upstream設定

# 2. 設定Nginx https server over 443 port，並指定ssl key

# 3. 設定欲轉址的Tomcat context(ex: http://123.123.123.123:8080/examples/ --> https://123.123.123.123/examples/)
# ps: http 80段落的設定(紫色)，是強制將http 80的所有request轉導至https，必須有這個設定，不然每個tomcat的link都會被導到http而非https

user   www  www;

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       /opt/local/etc/nginx/mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    upstream tomcat_server {

        server 123.123.123.123:8080 fail_timeout=0;

    }

    server {

        listen 80;

        rewrite ^(.*) https://$host$1 permanent;

    }

    server {

        listen       443;

        ssl on;

        ssl_certificate /opt/local/etc/openssl/private/selfsigned.pem;

        ssl_certificate_key /opt/local/etc/openssl/private/selfsigned.pem;

        ssl_prefer_server_ciphers on;

        location / {

            root   share/examples/nginx/html;

            index  index.html index.htm;

        }

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   share/examples/nginx/html;

        }

        location /examples {

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_set_header Host $http_host;

            proxy_set_header X-Forwarded-Proto https;

            proxy_redirect off;

            proxy_connect_timeout      240;

            proxy_send_timeout         240;

            proxy_read_timeout         240;

            proxy_pass http://tomcat_server;

        }

    }

}

Tomcat Configure (/opt/local/share/tomcat/conf/server.xml)

<!--

設定tomcat 8080 port的reverse proxy轉導的port

如設定port number，則不會直接轉到該port，而不會有協定上的改變(ex: 會變成 http://123.123.123.123:443/examples)

如設定https，則可以直接走預設443 port的HTTPS SSL 

-->

<Connector port="8080" protocol="HTTP/1.1" 

               connectionTimeout="20000" 

               redirectPort="8443" 

               proxyPort="https" />

Test
瀏覽器連線：https://123.123.123.123/examples/