Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate
-
I have a running nginx reverse proxy that I'm trying to use to manage the ssl certificates for a tomcat server.
I installed nginx and it works with http traffic. I then tried to generate a self-signed ssl cert.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
I created a strong Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Here is my nginx server block
server {
    listen 443;
    server_name tomcat.domain.com;
    access_log /var/log/nginx/tomcat-access.log;
    error_log /var/log/nginx/tomcat-error.log;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.205:8080;
    }
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
server {
    client_max_body_size 40M;
    server_name tomcat.skynetli.com;
    listen 80;
    # rewrite ^ https://$server_name$request_uri? permanent;
}
tomcat
server.xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
The result is "Can't connect securely to this page"
-
Start with netstat. Is nginx listening?
netstat -tulpn
-
@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Edited for accuracy
-
A few obvious things to check for
- open ports
- selinux
- run nginx -t to verify config
- post nginx logs
-
@wirestyle22 said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26420/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26420/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
Looks like Nginx is not listening on port 443. Did you restart the service after config change?
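The netstat check above is the right first step, and the diagnosis depends on reading the columns correctly (TCP sockets only count when in LISTEN; UDP rows have no State column). The following is an added example, not code from the thread: a small parser for `netstat -tulpn` output that reports which process holds a port and mirrors the "is nginx on 443, is Tomcat on 8080" reasoning. The sample output is the listing posted in the thread; the column layout assumed is the usual net-tools one, and the function names are my own.

```python
"""Parse `netstat -tulpn` output and report which program is bound to a port.

Added example (not from the thread). NETSTAT_SAMPLE is the listing the original
poster shared, before nginx was bound on 443. The regex assumes the net-tools
column layout: Proto Recv-Q Send-Q Local Address Foreign Address [State] PID/Program name.
"""
import re

NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26420/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26420/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
"""

# State is optional because UDP rows leave the column empty.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<prog>\d+/.+|-)\s*$"
)


def parse_listeners(text):
    """Return one dict per socket row; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # ':::8443' -> ('::', '8443')
        rows.append({
            "proto": m.group("proto"),
            "addr": addr,
            "port": int(port),
            "state": m.group("state"),
            "program": m.group("prog").strip(),
        })
    return rows


def who_listens_on(text, port):
    """Set of PID/program strings bound to `port` (TCP only if in LISTEN; any UDP socket)."""
    progs = set()
    for row in parse_listeners(text):
        if row["port"] != port:
            continue
        if row["proto"].startswith("tcp") and row["state"] != "LISTEN":
            continue
        progs.add(row["program"])
    return progs


def tls_frontend_check(text, https_port=443, backend_port=8080):
    """Reproduce the thread's diagnosis: nginx must own the HTTPS port, Tomcat the backend port."""
    problems = []
    front = who_listens_on(text, https_port)
    back = who_listens_on(text, backend_port)
    if not front:
        problems.append(f"nothing is listening on {https_port}; check the server block and reload nginx")
    elif not any("nginx" in p for p in front):
        problems.append(f"port {https_port} is held by {sorted(front)}, not nginx")
    if not back:
        problems.append(f"nothing is listening on {backend_port}; the Tomcat connector is not up")
    return problems


if __name__ == "__main__":
    for p in tls_frontend_check(NETSTAT_SAMPLE) or ["frontend and backend ports look right"]:
        print(p)
```

Run against the first listing it reports that nothing is on 443, which is exactly what the reply above spotted; feeding it the later listing (nginx master on 443) returns no problems, so the remaining failure had to be inside the server block rather than in socket binding.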
-
@marcinozga said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
@wirestyle22 said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26420/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26420/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
Looks like Nginx is not listening on port 443. Did you restart the service after config change?
Yes I did. Sorry this was a test. I forgot to update it
-
Same behavior
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      26496/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26496/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26496/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
-
Add
ssl on;
to the config on the line above ssl_certificate .... ?
-
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
You're missing ssl in first server block.
server { listen 443 ssl;
I don't know if it's strictly required, I'd add it.
-
@marcinozga said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
You're missing ssl in first server block.
server { listen 443 ssl;
I don't know if it's strictly required, I'd add it.
lol fml. That was it. I knew it was something dumb
-
@marcinozga said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
I don't know if it's strictly required, I'd add it.
Because the one tells the port to listen on. The other tells it what protocol to use. Since you can use any port, with any protocol, it has to be listed. You can just add it to port 80 if you want, for example.
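The point made above (port and protocol are separate parameters of `listen`, so certificates alone do not turn TLS on) is easy to lint for. The following is an added example, not code from the thread or from nginx: a small checker that walks the `server { ... }` blocks of a config, flags any block that sets `ssl_certificate` without an `ssl` parameter on some `listen` (or the legacy `ssl on;`, which is deprecated in current nginx releases), and rewrites `listen 443;` to `listen 443 ssl;`. The sample config is the original poster's first server block with its defect intact; the parsing is deliberately naive (brace counting, one directive per line) and the function names are my own.

```python
"""Lint nginx server blocks for the 'certificates configured but listen lacks ssl' mistake.

Added example (not from the thread). BROKEN_CONF reproduces the original poster's
server block: ssl_certificate is set, but `listen 443;` has no `ssl` parameter, so
nginx speaks plain HTTP on 443 and the browser's TLS handshake fails.
"""
import re

BROKEN_CONF = """
server {
    listen 443;
    server_name tomcat.domain.com;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.205:8080;
    }
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
server {
    server_name tomcat.domain.com;
    listen 80;
    # rewrite ^ https://$server_name$request_uri? permanent;
}
"""


def server_blocks(conf):
    """Yield the body of each `server { ... }` block; comments are stripped, nested braces counted."""
    text = re.sub(r"#[^\n]*", "", conf)
    i = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])
        if not m:
            return
        start = i + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
            j += 1
        yield text[start:j - 1]
        i = j


def directives(body, name):
    """Argument lists of every `name ...;` directive written one-per-line in `body`."""
    return [m.group(1).split() for m in re.finditer(rf"(?m)^\s*{name}\s+([^;]*);", body)]


def lint_tls(conf):
    """Findings for server blocks that load a certificate but never enable TLS on a socket."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        has_cert = bool(directives(body, "ssl_certificate"))
        listens = directives(body, "listen")
        legacy_ssl_on = any(args[:1] == ["on"] for args in directives(body, "ssl"))
        tls_listen = [args for args in listens if "ssl" in args]
        if has_cert and not tls_listen and not legacy_ssl_on:
            shown = " / ".join(" ".join(a) for a in listens) or "(none)"
            findings.append(
                f"server block {n}: ssl_certificate is set but listen {shown} has no 'ssl' "
                f"parameter, so nginx serves plain HTTP there and TLS clients fail to connect"
            )
    return findings


def fix_listen(conf, port=443):
    """Add the ssl parameter to `listen <port>;` / `listen <addr>:<port>;` lines lacking it."""
    return re.sub(rf"(?m)^(\s*listen\s+(?:\S+:)?{port})\s*;", r"\1 ssl;", conf)


if __name__ == "__main__":
    for f in lint_tls(BROKEN_CONF):
        print("BEFORE:", f)
    print("AFTER :", lint_tls(fix_listen(BROKEN_CONF)) or "no findings")
```

`fix_listen` is idempotent (a line already carrying `ssl` is left alone), and because the check keys on the `listen` directive rather than the port number it would equally flag `listen 8443;` or, as the reply above notes, accept `listen 80 ssl;` as a valid if unusual choice.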