Problem: You want to put a proxy server (in this particular case, nginx) in front of a Glassfish 4 application server, but doing so breaks remote IP and scheme detection.
The solution consists of two main parts: (1) enabling the "Auth Pass Through" property for the HTTP connector and (2) configuring the proxy server to add "Proxy-IP" and "Proxy-keysize" headers that identify the remote IP address and the request scheme. Both header names are hard-coded and are not configurable.
The first task is simple: open the Glassfish administration console, go to "Configurations" -> "server-config" -> "Network Config" -> "Network Listeners" -> "http-listener-1" and choose the "HTTP" tab. Scroll all the way down, find the "Auth Pass Through" property and enable it, then click "Save". No restart is needed (hooray)!
Second task - header configuration for nginx:
    server {
        # listen 443;
        # ...

        # Glassfish-specific headers to properly resolve scheme and remote IP
        proxy_set_header Proxy-IP $remote_addr;
        proxy_set_header Proxy-keysize 256;

        # ...
    }
After the changes, a restart will be required. The "Proxy-IP" header is used to detect the remote IP address, while a "Proxy-keysize" header greater than zero forces Glassfish to report the scheme as "https" (not "http"). Note, however, that for a non-SSL configuration only the "Proxy-IP" header should be added (otherwise non-SSL connections will be considered secure):
    server {
        # listen 80;
        # ...

        # Glassfish-specific headers to properly resolve remote IP and scheme
        proxy_set_header Proxy-IP $remote_addr;

        # ...
    }
Important: Also consider setting the proper proxy address in the "General" tab in order to avoid security risks.
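A fuller version of the two server blocks above, written as an added example and not taken from the original post. It also clears any client-supplied "Proxy-keysize" on the plain-HTTP listener, because nginx forwards request headers it is not told to override. The upstream address 127.0.0.1:8080, the name example.com and the certificate paths are assumptions or placeholders.

```nginx
# Added example. Assumptions: Glassfish http-listener-1 reachable at
# 127.0.0.1:8080, example.com as the site name, placeholder certificate paths.
upstream glassfish {
    server 127.0.0.1:8080;
}

# Plain HTTP: Glassfish must never see a Proxy-keysize header here.
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://glassfish;
        proxy_set_header Host $host;

        # Overwrite whatever the client sent with the address nginx saw.
        proxy_set_header Proxy-IP $remote_addr;

        # nginx passes client request headers through unless overridden.
        # An empty value removes the header, so a "Proxy-keysize" sent by
        # the client over plain HTTP never reaches Glassfish.
        proxy_set_header Proxy-keysize "";
    }
}

# HTTPS: nginx terminates TLS and tells Glassfish the connection is secure.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/example.com.crt;  # placeholder
    ssl_certificate_key /path/to/example.com.key;  # placeholder

    location / {
        proxy_pass http://glassfish;
        proxy_set_header Host $host;
        proxy_set_header Proxy-IP $remote_addr;

        # Greater than zero: Glassfish reports the scheme as "https".
        proxy_set_header Proxy-keysize 256;
    }
}
```

Run `nginx -t` to validate the file before restarting nginx.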
BTW, here's a description for Apache's mod_proxy: http://www.manorrock.com/online/wiki/glassfish/UpgradeToGlassfish3