Thursday 31 October 2013

Glassfish 4 behind (nginx) proxy

Problem: You want to put a proxy server (in this particular case, nginx) in front of a Glassfish 4 application server, but doing so breaks remote IP and scheme detection.

The solution consists of two main parts: (1) enabling the "Auth Pass Through" property for the HTTP connector and (2) configuring the proxy server to add the "Proxy-IP" and "Proxy-keysize" headers that identify the request scheme and remote IP address. Both header names are hard-coded and are not configurable.

The first task is simple: open the Glassfish administration console, go to "Configurations" -> "server-config" -> "Network Config" -> "Network Listeners" -> "http-listener-1" and choose the "HTTP" tab. Scroll all the way down, find the "Auth Pass Through" property, enable it and click "Save". No restart is needed (hooray)!

Second task - header configuration for nginx:

server {
        # listen 443;
        # ...

        # Glassfish-specific headers to properly resolve scheme and remote IP
        proxy_set_header        Proxy-IP  $remote_addr;
        proxy_set_header        Proxy-keysize 256;
        
        # ...
}

After the changes, a restart will be required. The "Proxy-IP" header is used to detect the remote IP address, while a "Proxy-keysize" header greater than zero forces Glassfish to report the scheme as "https" (not "http"). Note, however, that for a non-SSL configuration only the "Proxy-IP" header should be added (otherwise non-SSL connections will be considered secure):

server {
        # listen 80;
        # ...

        # Glassfish-specific headers to properly resolve remote IP and scheme
        proxy_set_header        Proxy-IP  $remote_addr;
        
        # ...
}

Important: Also consider setting the proper proxy address in the "General" tab in order to avoid security risks.
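An added example, not part of the original post: nginx forwards client request headers to the upstream unchanged unless a proxy_set_header directive overrides them, so the plain-HTTP server block should explicitly drop any client-supplied "Proxy-keysize" rather than just not setting it. The upstream address 127.0.0.1:8080, the server name and the certificate paths below are placeholders.

```nginx
# Added example, not from the original post. Upstream address,
# server_name and certificate paths are placeholders.

# Plain HTTP: overwrite Proxy-IP and strip Proxy-keysize so that a
# value sent by the client can never mark the request as secure.
server {
    listen 80;
    server_name example.com;                 # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed Glassfish HTTP listener

        # Always replaced with the peer address nginx actually saw.
        proxy_set_header Proxy-IP      $remote_addr;
        # An empty value tells nginx not to pass this header at all.
        proxy_set_header Proxy-keysize "";
    }
}

# HTTPS: same Proxy-IP handling, plus a fixed Proxy-keysize > 0 so
# Glassfish reports the scheme as "https".
server {
    listen 443 ssl;
    server_name example.com;                         # placeholder
    ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;  # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed Glassfish HTTP listener
        proxy_set_header Proxy-IP      $remote_addr;
        proxy_set_header Proxy-keysize 256;
    }
}

# proxy_set_header is inherited from an outer level only when the
# current level defines no proxy_set_header of its own, so a location
# that sets any other header must repeat both lines above.
```

Validate the file with nginx -t before reloading.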

BTW, here's a description for Apache's mod_proxy: http://www.manorrock.com/online/wiki/glassfish/UpgradeToGlassfish3
