Making Tomcat accessible only through nginx reverse proxy

Francis Daly francis at
Wed Apr 20 18:17:55 UTC 2016

On Wed, Apr 20, 2016 at 07:19:55AM -0400, gischethans wrote:

Hi there,

> I have a Tomcat server serving a web application and I have a Nginx server
> running in front of it as a reverse proxy.

What you need is that your users talk to nginx, and that nginx is able
to talk to tomcat.

What you additionally want, is that your users do not talk to tomcat.

All of that network setup is outside of anything that nginx can do.

> In order to prevent Tomcat from listening to other IPs, I added
> "address=" to the connector configuration.

That will mean that your users cannot talk to tomcat (unless you do
something special to allow them to).

It will also mean that nginx cannot talk to tomcat, unless you do
something special to allow it to.

The easiest special thing is probably to run nginx on the same server
as tomcat.

If that is not what you want, then you will probably need some firewalling
/ IP forwarding on the tomcat machine to allow nginx to connect to something
which gets sent to tomcat.

(But at that point, it may be easier to just leave tomcat listening on
the public address, and add firewalling to block anything other than
nginx from accessing it.)

> In the Nginx server, I have these lines for the server configuration.

On the nginx side, what you have looks fine. In the "proxy_pass" line, it
will probably be simpler if you use the IP:port that tomcat is listening
on (that nginx can connect to) rather than the hostname.

> Now, if I try to use the FQDN to access the web application, Chrome reports
> ERR_CONNECTION_REFUSED. My Nginx configuration seems to be the culprit based
> on what I understood. How can it be corrected?

I suspect that your request to the FQDN does not get to nginx. After
you have things configured correctly, changing name resolution (dns)
so that the FQDN corresponds to the nginx IP address instead of the
tomcat IP address will be a necessary step.

Good luck with it,

Francis Daly        francis at
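
Added example, not part of the original message and not code from the nginx or Tomcat projects: a small audit of the two points made in the reply, namely which Tomcat connectors are bound to something other than loopback (and so need firewalling to nginx only), and whether the nginx "proxy_pass" IP:port matches a connector Tomcat is actually listening on. The server.xml and nginx snippets, addresses, ports and function names are constructed for illustration; it assumes an HTTP connector without an "address" attribute listens on all local addresses.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
  </Service>
</Server>"""
NGINX_CONF = """server {
    listen 80;
    location / { proxy_pass http://127.0.0.1:8080; }
}"""

def connectors(server_xml):
    """Return (bind_address, port) per <Connector>; None means all interfaces."""
    root = ET.fromstring(server_xml)
    return [(c.get("address"), int(c.get("port"))) for c in root.iter("Connector")]

def is_loopback(addr):
    """True only for an explicit loopback bind address."""
    if addr is None:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def proxy_targets(nginx_conf):
    """Extract (host, port) from 'proxy_pass http://host:port' directives."""
    pattern = r"proxy_pass\s+https?://([^:/;\s]+):(\d+)"
    return [(h, int(p)) for h, p in re.findall(pattern, nginx_conf)]

def audit(server_xml, nginx_conf):
    """List connectors exposed beyond loopback and proxy targets with no listener."""
    findings = []
    conns = connectors(server_xml)
    for addr, port in conns:
        if not is_loopback(addr):
            where = addr or "all interfaces"
            findings.append(f"connector :{port} bound to {where}: firewall it to nginx only")
    for host, port in proxy_targets(nginx_conf):
        if not any(p == port and (a is None or a == host) for a, p in conns):
            findings.append(f"proxy_pass {host}:{port} matches no Tomcat connector")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_XML, NGINX_CONF)) or "no findings")
```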
