server {
server_name www.example.com;
listen 443;
ssl on;
ssl_certificate /etc/ssl/certs/www.example.com.crt;
ssl_certificate_key /etc/ssl/private/server.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location ~* \.(jpg|jpeg|gif|css|png|js|ico|html|txt|pdf)$ {
root /var/www;
access_log off;
expires 365d;
}
location / {
proxy_pass http://localhost:8181/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
}
}
Issues and troubleshoots
1. While installing certificates, in the configuring you do not need to keep the intermediate certificate as you would have seen in Apache. Browsers usually store intermediate certificates which they receive and which are signed by trusted authorities, so actively used browsers may already have the required intermediate certificates and may not complain about a certificate sent without a chained bundle.
To check that try this URL : http://www.sslshopper.com/ssl-checker.html
To solve this possible issue : copy the intermediate certificate content in the main certificate content but after the main content.
$ cat bundle.crt >> www.example.com.crt
2. Here is a known error which you might face
"SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)"
This error means "nginx has tried to use the private key to use the certificate" and you might have copied the intermediate certificate first and then main certificate content, because in that case private key will not match. So change the content on www.example.com.crt to have main content first and
then intermediate certificate contents.
$ cat main_certificate bundle.crt > www.example.com.crt
If that is the not the case, possibly you should check the certificate issuing authorities, because somehow private key is not matching. Or try to figure out by reading the log file "/var/log/nginx/error.log".
3. One of the most important thing is to add these lines in configuration
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
Because when you do the proxy_pass you do it on http protocol, so even if user is making https request, your back-end server won't be aware of that. So pass that information in a X header, "X-Forwarded-Proto" is de-facto to pass the protocol information over proxies.
Correspondingly in tomcat, if you are using JAVA based application, request.isSecure() will not work any more. So write a central API to get the
protocol information, something like this.
public static boolean isSecure(HttpServletRequest request){
String protocol=request.getHeader("X-Forwarded-Proto");
if("https".equals(protocol)){
return true;
}else{
return request.isSecure();
}
}
