nginx as proxy for weblogic (with SSL)

Recently, I’ve encountered interesting task. I should create proxy with apache or nginx for weblogic application. So this article will be about it.

Overall configuration is following:

worker_processes  1;
error_log  logs/error.log;  
error_log logs/error.log notice;
error_log logs/error.log info;
pid        logs/nginx.pid;

events {  
worker_connections 1024;
}

http {  
include mime.types;
default_type application/octet-stream;
    sendfile        on;
keepalive_timeout 65;
    # 1
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
    # Redirect all http to https
server {
listen 80;
server_name example.com;
# 2
return 301 https://$server_name$request_uri;
}
    # SSL configuration
server {
#3
listen 443 ssl;
server_name example.com;
        ssl_certificate           certs/example.com.cer;
ssl_certificate_key certs/example.com.key;
        # Default SSL configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#4
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
ssl_prefer_server_ciphers on;
        #5
add_header Strict-Transport-Security max-age=31536000;
        access_log            logs/nginx/access.log;
        location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Front-End-Https on;
            # Fix the “It appears that your reverse proxy set up is broken" error.
#6
proxy_pass http://localhost:8282;
proxy_read_timeout 90;
            # Server is configured to answer as http request, so forward it to https
#7
proxy_redirect http://example.com/ https://example.com/;
}
}
}

It’s quite common configuration for HTTP to HTTPS forwarding with nginx. I’ve grab it from official website and this article will add some minor information about configuration, so you’ll get basic understanding what is going on in this config file.

#1 — while using proxy you could encounter following error:

[error] 2007#0: *5778 upstream sent too big header while reading response header from upstream:

So setting buffer size will resolve this error. It’s really important part of the configuration, because without it you’ll receive 502 or 503 error and you won’t be able to continue working with your website.

#2 — is reccomended redirection to another URL. If you have previous expirience with nginx, you could use your past knowledge, but this is reccomended way to redirect user to HTTPS.

#3 — this is also recommendation. Because you could also use directive ssl on;. This way of defining the ssl I think more convinient and readable.

#4 — this huge list of ciphers was used from StackOverflow question. It will allow to use modern encrypting algorithms, but at the same time you’ll have support for older browsers.

#5 — header that prevent man-in-the-middle attack. It tells visitor that website is using HTTPS connection.

#6 — this line will specify which IP and port should be proxied. With this you’ll be able to use several web-servers on one machine and proxy different uris with them.

#7 — other web servers couldn’t know about SSL usage, so they will return simple response. This could cause Mixed content error.

Like what you read? Give Artem Dracontis a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.