Making Tomcat accessible only through nginx reverse proxy

I have a Tomcat server serving a web application and I have an Nginx server running in front of it as a reverse proxy. Both servers are on the intranet, in the same domain network. The issue I am facing is that the Tomcat server is accessible through both IP addresses: if I use the Nginx IP, it redirects to the Tomcat FQDN (expected), but if I ping using the FQDN tomcat.domain.com, it reveals the real IP of the Tomcat server and not that of the Nginx server. Effectively, my Nginx server is not serving any purpose. It was suggested that I firewall the Tomcat instance, but based on my findings from different forums, limiting Tomcat to listen on localhost seemed to be the way to go. In order to prevent Tomcat from listening on other IPs, I added "address=127.0.0.1" to the connector configuration. The entire connector block is like this:

    <Connector port="8080"
               address="127.0.0.1"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"
               proxyName=
               proxyPort="80"/>

In the Nginx server, I have these lines for the server configuration.

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        server_name <FQDN>;

        location / {
            proxy_pass <FQDN>;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
Now, if I try to use the FQDN to access the web application, Chrome reports ERR_CONNECTION_REFUSED. My Nginx configuration seems to be the culprit, based on what I understood. How can it be corrected?

Posted at Nginx Forum:

On Wed, Apr 20, 2016 at 07:19:55AM -0400, gischethans wrote:

Hi there,

> I have a Tomcat server serving a web application and I have a Nginx server
> running in front of it as a reverse proxy.

What you need is that your users talk to nginx, and that nginx is able
to talk to tomcat.

What you additionally want, is that your users do not talk to tomcat.

All of that network setup is outside of anything that nginx can do.

> In order to prevent Tomcat from listening to other IPs, I added
> "address=127.0.0.1" to the connector configuration.

That will mean that your users cannot talk to tomcat (unless you do
something special to allow them to).

It will also mean that nginx cannot talk to tomcat, unless you do
something special to allow it to.

The easiest special thing is probably to run nginx on the same server
as tomcat.

If that is not what you want, then you will probably need some firewalling / IP forwarding on the tomcat machine to allow nginx to connect to something which gets sent to tomcat.

(But at that point, it may be easier to just leave tomcat listening on
the public address, and add firewalling to block anything other than
nginx from accessing it.)

> In the Nginx server, I have these lines for the server configuration.

On the nginx side, what you have looks fine. In the "proxy_pass" line, it will probably be simpler if you use the IP:port that tomcat is listening on (that nginx can connect to) rather than the hostname.

> Now, if I try to use the FQDN to access the web application, Chrome reports
> ERR_CONNECTION_REFUSED. My Nginx configuration seems to be the culprit based
> on what I understood. How can it be corrected?

I suspect that your request to the FQDN does not get to nginx. After
you have things configured correctly, changing name resolution (dns)
so that the FQDN corresponds to the nginx IP address instead of the
tomcat IP address will be a necessary step.

Good luck with it,

f

Francis D. [email protected]
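As an added example (not part of the thread), a small POSIX shell script for the layout Francis describes, nginx and Tomcat on the same host: it derives the proxy_pass target from the connector's address and port (IP:port rather than the FQDN), and checks `ss -ltn` output to confirm that the connector is bound only to loopback while nginx alone listens on the LAN-facing address. The Connector element and the ss output below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the setup Francis
# describes: nginx and Tomcat on one host, Tomcat bound to loopback,
# nginx proxying to IP:port. All sample inputs below are constructed.

# Constructed: the question's Connector element, reduced to the attributes
# that matter here (straight quotes, as Tomcat's server.xml requires).
CONNECTOR='<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" proxyPort="80"/>'

# Constructed sample of `ss -ltn` output: nginx on 80 (all interfaces),
# Tomcat on 8080 (loopback only).
SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    [::]:80             [::]:*
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*'

# Derive the proxy_pass target from the connector's address and port.
# Fails if the connector has no explicit address (Tomcat would then bind
# every interface, which is the exposure the question is trying to avoid).
upstream_from_connector() {
  addr=$(printf '%s\n' "$1" | sed -n 's/.*address="\([^"]*\)".*/\1/p')
  port=$(printf '%s\n' "$1" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
  [ -n "$addr" ] && [ -n "$port" ] || return 1
  printf 'http://%s:%s\n' "$addr" "$port"
}

# Succeed only if every LISTEN socket on port $1 (in ss output $2) is bound
# to a loopback address, i.e. the address="127.0.0.1" setting took effect.
port_loopback_only() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      if (port != p) next
      seen = 1
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
    }
    END { exit (seen && !bad) ? 0 : 1 }'
}

if up=$(upstream_from_connector "$CONNECTOR"); then
  echo "nginx should use: proxy_pass $up;"
fi
if port_loopback_only 8080 "$SS_GOOD"; then
  echo "8080: loopback only, not reachable from the LAN"
else
  echo "8080: bound to a non-loopback address"
fi
```

On a live host, replace SS_GOOD with the real output of `ss -ltn`; the DNS change Francis mentions (FQDN pointing at the nginx IP) is still a separate step.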

please check your proxy_pass parameter, it should point to your tomcat
endpoint:

hope this helps.

On Wed, Apr 20, 2016 at 7:19 PM, gischethans
[email protected]