In this post, I'll show how to set up secure communication between client and server using SSL on Nginx as a reverse proxy server and JBoss EAP 6.1 as the origin application server.

Problem Statement:

We will set up an HTTPS connection between the client application and Nginx, since that leg is open, i.e. on the internet. The rest of the communication, between Nginx and JBoss, remains HTTP because it is internal, i.e. on the intranet (in most cases).

Refer to the previous post, Nginx as Reverse Proxy Server for JBoss, for setting up Nginx as a reverse proxy server.

Steps

  • 1. Edit the default.conf file we created in the previous post, using the following command.

    vi /etc/nginx/conf.d/default.conf

    2. It will display something like this:

    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=nginx_cache_zone:10m inactive=60m;
    proxy_cache_key "$scheme$request_method$host$request_uri";
    
    upstream myapp {
      server 10.20.20.20:8080; # Jboss Server location
    }
    
    server {
      
      listen 80;
      server_name 10.20.20.20:8080; # Jboss Server location
    
      location / {
        try_files $uri @backend;
      }
    
      location @backend {
        proxy_pass  http://myapp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      }
    
    }
  • 3. Refer to the How to get a trial SSL certificate post to generate a trial SSL certificate from a certification authority. You need to have a public domain name or a local DNS configured to access your application via a domain name instead of an IP, because SSL certificates are issued only for Domain Names not IPs.
  • 4. Now update your default.conf file with the following configuration. Look closely at the lines marked #SSL Code.

    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=nginx_cache_zone:10m inactive=60m;
    proxy_cache_key "$scheme$request_method$host$request_uri";
    
    upstream myapp {
      server 10.20.20.20:8080; # Jboss Server location
    }
    
    server {
      
      #SSL Code
      listen 443 ssl;
      listen 80;
      server_name 10.20.20.20:8080; # Jboss Server location
    
      #SSL Code
      # "listen 443 ssl" above already enables TLS on port 443. A separate "ssl on;"
      # would switch port 80 to TLS as well and break the HTTP-to-HTTPS redirect below.
      ssl_certificate /xyz.com/final.crt;
      ssl_certificate_key /xyz.com/server.key;
      ssl_protocols TLSv1.2;
      
      #When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used.
      #If this directive is enabled, the server's preference will be used instead.
      #SSL Code
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      
      #Disable weak/null/less common ciphers
      #SSL Code
      ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS';
      
      #force https connection.
      #SSL Code
      if ($scheme != "https") {
        rewrite ^ https://www.xyz.com$uri permanent;
      }
      
      location / {
        try_files $uri @backend;
      }
    
      location @backend {
        proxy_pass  http://myapp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      }
    }
    
  • 5. Now it’s time to make changes in JBoss’s standalone.xml configuration file. Look for your http connector tag. It is something like this:

    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" proxy-name="10.20.20.21" proxy-port="80"/>

    Now, update the scheme attribute value to https, so that it looks something like this:

    <connector name="http" protocol="HTTP/1.1" scheme="https" socket-binding="http" proxy-name="10.20.20.21" proxy-port="80"/>

    Here, 10.20.20.21 and 80 are the IP and port of the server where your Nginx reverse proxy server is running.

  • That’s all. Now start your JBoss server and access your application with the following URL:

    http://xyz.com/myapp
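
An added example, not part of the original post: a small Python audit for a combined HTTP/HTTPS server block like the default.conf in step 4. It flags `ssl on;` used alongside a plain `listen` (which makes the plain port speak TLS too, so the redirect never fires), legacy protocol versions, and weak suites such as 3DES left enabled in `ssl_ciphers`. The sample config, function names and finding codes are constructed for illustration.

```python
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKS = ("3DES", "RC4", "NULL", "EXPORT", "MD5")

# Constructed sample in the style of this post's combined HTTP/HTTPS server block.
SAMPLE_CONF = """
server {
  listen 443 ssl;
  listen 80;
  ssl on;                      # applies TLS to port 80 as well
  ssl_protocols TLSv1 TLSv1.2;
  ssl_ciphers 'ECDH+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5';
}
"""

def parse_directives(conf):
    """Map directive name -> list of argument strings ('#' comments dropped).

    Assumes no '#' or ';' inside quoted values, which holds for TLS directives."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    found = {}
    for name, args in re.findall(r"(\w+)\s+([^;{}]+);", text):
        found.setdefault(name, []).append(" ".join(args.split()).strip("'\""))
    return found

def audit_tls(conf):
    """Return a sorted list of finding codes for one server block."""
    d = parse_directives(conf)
    findings = set()
    listens = [a.split() for a in d.get("listen", [])]
    # 'ssl on;' enables TLS on every listen socket of the server block.
    if "on" in d.get("ssl", []) and any("ssl" not in l for l in listens):
        findings.add("ssl-on-with-plain-listen")
    for protos in d.get("ssl_protocols", []):
        if LEGACY_PROTOCOLS & set(protos.split()):
            findings.add("legacy-protocol")
    for ciphers in d.get("ssl_ciphers", []):
        # Tokens starting with '!' or '-' remove suites; the rest enable them.
        enabled = [c.strip() for c in ciphers.split(":") if c.strip()[:1] not in ("", "!", "-")]
        if any(m in c for c in enabled for m in WEAK_CIPHER_MARKS):
            findings.add("weak-cipher")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_tls(SAMPLE_CONF))
```

Run it against the real file with `audit_tls(open("/etc/nginx/conf.d/default.conf").read())`, then confirm syntax with `nginx -t` before reloading.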

Setup SSL on Nginx Reverse Proxy Server with Jboss