12 Feb 2010, 14:02

Nginx SSL + Tomcat (for Confluence)


I have an Nginx frontend to serve everything but Confluence, which was not happy with my SSLized conf; here is the solution!

This doc is about Confluence, but it will work with any Java app running in Tomcat.

First, don’t use the standalone version of Confluence (which is a Tomcat 5.5); use the EAR/WAR tar.gz archive.

We need Tomcat 6 because we will use a “Valve”, RemoteIpValve, that checks a header (X-Forwarded-Proto) to see whether the original request was secured by SSL.

Inside Tomcat's server.xml, simply add a Valve configuration in your Host definition:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />

In your nginx.conf, just forward the header:

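location /confluence {
    proxy_pass http://localhost:8010;
    # Hard-coded value: keep this location inside the SSL server block only,
    # so Tomcat is never told "https" for a request that arrived over plain HTTP.
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $http_host;
}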

This is the same mechanism you will find with Rails or Django behind Nginx.

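Remember to make Tomcat listen only on localhost, or your nginx proxy is useless: if port 8010 is reachable from outside, clients can talk to Tomcat directly without SSL and send their own X-Forwarded-Proto header.

<Connector address="127.0.0.1" port="8010" protocol="HTTP/1.1"
           URIEncoding="UTF-8" />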
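
One way to check both Tomcat settings described above before putting the proxy in front of it. This is an added example, not part of the original post; the sample server.xml is constructed, and the names audit_server_xml and is_loopback are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one connector bound to loopback, one with no bind address.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="8010" protocol="HTTP/1.1" URIEncoding="UTF-8" />
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
      </Host>
    </Engine>
  </Service>
</Server>"""
VALVE_CLASS = "org.apache.catalina.valves.RemoteIpValve"


def is_loopback(address):
    """True only for an explicit loopback bind address."""
    if not address:
        return False  # missing or empty: no explicit loopback bind
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here; treat as exposed


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means both settings are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if not is_loopback(addr):
            findings.append(f"connector port {conn.get('port')} not bound to loopback (address={addr!r})")
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE_CLASS]
    if not valves:
        findings.append("no RemoteIpValve configured")
    for valve in valves:
        if not valve.get("protocolHeader"):
            findings.append("RemoteIpValve has no protocolHeader; X-Forwarded-Proto is ignored")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_server_xml(SAMPLE_SERVER_XML)))
```

On the constructed sample it reports only the connector on port 8080, which has no address attribute.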

Happy SSL!

Thanks to Super Chinois for the Java mess.