how to setup nginx as reverse proxy + tomcat ssl

kaiyuan nginx-forum at
Wed Mar 31 12:09:42 MSD 2010

Hey guys,

I am totally new to Nginx, I need some advice with my reverse proxy setup.

This is what I am trying to set up:

Client (submits a client cert) <========>| Nginx (reverse proxy with SSL) |<========> Tomcat (with SSL and clientAuth=true)

The following is my nginx.conf, but it doesn't work. The message from the nginx logs:
2010/04/01 15:18:53  23771#0: *51 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate) while SSL handshaking to upstream, client:, server: localhost, request: "GET /prepayms/ HTTP/1.1", upstream: "", host: ""


    upstream backssl {
    }

    # HTTPS server
    server {
        listen       48443  default ssl;
        server_name  localhost;

        ssl                  on;

        ssl_client_certificate   /home/newprepay/ca/ca-cert.pem;
        ssl_certificate  /home/newprepay/server/server-cert.pem;
        ssl_certificate_key  /home/newprepay/server/server.key;
        ssl_session_timeout  5m;
        ssl_verify_client on;
        ssl_verify_depth 12;
        ssl_session_cache  builtin:1000  shared:SSL:10m;

        ssl_protocols  TLSv1 SSLv2 SSLv3;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSlv3:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
            root   html;
            index  index.html index.htm;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass https://backssl;
        }
    }

My questions are:
Can I have one SSL connection from the client to Nginx and another between Nginx and Tomcat, where nginx verifies the client certificate and also transfers the client certificate to Tomcat, and Tomcat also verifies the client certificate?

If nginx can do this, how do I set it up? Can somebody give me a correct nginx.conf for this?

Thank You,

Posted at Nginx Forum:,69690,69690#msg-69690
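
Added example, not part of the original post: a proxy that terminates TLS does not hold the client's private key, so it cannot replay the client's certificate in its own handshake with Tomcat. The usual layout is for nginx to verify the client, authenticate to Tomcat with a certificate of its own, and pass the verified client identity in request headers. This sketch uses directives from nginx releases newer than this post (proxy_ssl_certificate appeared in 1.7.8, $ssl_client_escaped_cert in 1.13.5); the upstream address, the proxy certificate paths, the upstream name and the X-SSL-* header names are assumptions.

```nginx
# Added example; goes inside the http { } block.
upstream backssl {
    server 127.0.0.1:8443;   # placeholder: Tomcat HTTPS connector
}

server {
    listen       48443 ssl;
    server_name  localhost;

    # Leg 1: client <-> nginx. The client certificate is required and
    # verified against the CA from the original configuration.
    ssl_certificate         /home/newprepay/server/server-cert.pem;
    ssl_certificate_key     /home/newprepay/server/server.key;
    ssl_client_certificate  /home/newprepay/ca/ca-cert.pem;
    ssl_verify_client       on;
    ssl_verify_depth        2;                  # assumed chain depth
    ssl_protocols           TLSv1.2 TLSv1.3;    # no SSLv2/SSLv3
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     5m;

    location / {
        proxy_pass https://backssl;

        # Leg 2: nginx <-> Tomcat (clientAuth=true). nginx presents its
        # OWN certificate, which Tomcat's truststore must accept.
        proxy_ssl_certificate          /home/newprepay/proxy/proxy-cert.pem;  # hypothetical path
        proxy_ssl_certificate_key      /home/newprepay/proxy/proxy.key;       # hypothetical path
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;

        # Verify Tomcat's certificate as well, so the leg is mutually authenticated.
        proxy_ssl_trusted_certificate  /home/newprepay/ca/ca-cert.pem;
        proxy_ssl_verify               on;
        proxy_ssl_name                 tomcat.example.internal;  # placeholder name in Tomcat's cert

        # Verified client identity for the application. proxy_set_header
        # replaces any value the client sent under the same header name.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;

        proxy_set_header Host            $http_host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

For these headers to mean anything, the Tomcat connector should accept only the proxy's certificate, so that no other peer can reach the application and supply X-SSL-* values of its own.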
