
questions on configure nginx load balancing + tomcat + ssl

Posted: Mon May 26, 2014 6:15 am
by daniel_locious
Hi guys,

Have you configured nginx + tomcat + ssl for broadleaf commerce demo site?

I tried to build the test environment based on this, but it just took me a very long time to even get close.

My idea is to build http and https on nginx, and let tomcat serve http, because nginx -> tomcat will run on the internal network, most likely on the same server.

I understand there are half a dozen directories that require an https channel; my problem is I don't get how to write proxy_pass rules or rewrite rules to cover them.

Here is my nginx conf:

server {
    listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default ipv6only=on; ## listen for ipv6

    index index.html index.htm;

    # Make site accessible from http://localhost/
    server_name MyHostName;

    error_page 403 /403.html;
    error_page 404 /403.html;
    location = /403.html {
        root /opt/instance/http;
        allow all;
    }

    # Note: without the ~ modifier nginx treats "^/login" as a literal prefix, not a regex
    location ^/login {
        #|/register*|/account/**|/checkout/**|/null-checkout/**|/null-giftcard/**|/confirmation/**)$ {
        rewrite ^ https://$http_host$request_uri? permanent; # this doesn't work
    }

    # Everything else goes to Tomcat's HTTP connector over plain http
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}



-------------------------------

Can anyone help me please?

Thank you

Dan

Re: questions on configure nginx load balancing + tomcat + ssl

Posted: Wed May 28, 2014 2:18 pm
by phillipuniverse
I haven't done Nginx but I have done it with Apache. If I understand correctly, you want to terminate SSL at Nginx and then just use Tomcat's HTTP connector to proxy through, right?

You actually don't have to worry about it much at all from the Nginx layer. The first thing I would do is remove that location ^/login block that you have there and just utilize the proxy_pass connection. Since you have declared that proxy as http, then Nginx will only communicate with Tomcat over http.

The only caveat is that on the Tomcat side you have to have some knowledge of whether you should treat the proxied connection as an http or https connection. This is VERY painless to do in Tomcat with the RemoteIpValve. Simply add this within the <Engine> element in your server.xml:


<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" />


Then, you can set the X-Forwarded-Proto header at the Nginx layer (from http://wiki.nginx.org/SSL-Offloader):


proxy_set_header        Host              $http_host;
proxy_set_header        X-Forwarded-By    $server_addr:$server_port;
proxy_set_header        X-Forwarded-For   $remote_addr;
proxy_set_header        X-Forwarded-Class $classification; # custom: $classification must be defined by a map block elsewhere, otherwise nginx refuses to start
proxy_set_header        X-Forwarded-Proto $scheme;         # "http" or "https", read by Tomcat's RemoteIpValve


With that, Tomcat will know that it's an https connection and not just http.

Finally, you should read the last comment on https://github.com/BroadleafCommerce/Br ... issues/424. It talks about what happens if you are using an http port other than port 80 (like 8080 in your case) and how to configure that bean.
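Putting the reply together as one nginx configuration (an added example, not code from the thread or from the Broadleaf project): TLS is terminated at nginx, both the http and https server blocks proxy to the same Tomcat HTTP connector, and the forwarded headers let the application decide which paths must be https. The hostname, certificate paths and upstream port are placeholders.

```nginx
# Added example: nginx in front of a Tomcat HTTP connector, with TLS offload.
# Placed inside the http { } context; hostname and cert paths are placeholders.

upstream tomcat {
    server 127.0.0.1:8080;      # Tomcat HTTP connector on the same host
}

# Headers that let Tomcat reconstruct the original request (scheme, client
# address, port). Declared once at http level so both servers inherit them.
proxy_set_header Host              $http_host;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;        # "http" or "https"
proxy_set_header X-Forwarded-Port  $server_port;

server {
    listen 80;
    server_name shop.example.com;                  # placeholder

    location / {
        # Plain http to Tomcat; the application, not nginx, redirects the
        # paths that require https once it sees X-Forwarded-Proto: http
        proxy_pass http://tomcat;
    }
}

server {
    listen 443 ssl;
    server_name shop.example.com;                  # placeholder

    ssl_certificate     /etc/nginx/ssl/shop.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/shop.example.com.key;   # placeholder

    location / {
        # Still plain http to Tomcat; $scheme is "https" here, so the
        # RemoteIpValve marks the request secure on the Tomcat side
        proxy_pass http://tomcat;
    }
}
```

Pair this with the RemoteIpValve from the reply above and bind Tomcat's connector to the loopback address (address="127.0.0.1" on the <Connector>) so the forwarded headers can only arrive through nginx; RemoteIpValve honours them only from addresses matching its internalProxies, which by default includes 127.0.0.1.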