5.4. Proxy Configuration for Tomcat

Integration tasks may require a proxy server. This section describes how to configure the Nginx HTTP server as a proxy for a CUBA application.

If you set up a proxy, do not forget to set the cuba.webAppUrl value.

Tomcat Setup

If Tomcat runs behind a proxy server, it must be configured as well so that it correctly processes the headers set by the proxy server.

First, add the following Valve to the Tomcat configuration file conf/server.xml:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="X-Forwarded-For"
        requestAttributesEnabled="true"
        internalProxies="127\.0\.0\.1"/>

There is another setting you should consider changing in the conf/server.xml file: the pattern attribute of AccessLogValve. Add %{x-forwarded-for}i to the pattern so that the Tomcat access log records both the original source IP address and the IP address(es) of the proxy server(s):

<Valve className="org.apache.catalina.valves.AccessLogValve"
    ...
    pattern="%h %{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b" />

Then restart Tomcat:

sudo service tomcat8 restart

NGINX

Two Nginx configurations are described below. All examples were tested on Ubuntu 18.04.

Assume, for example, that your web application is available at http://localhost:8080/app.

Run the following command to install Nginx:

sudo apt-get install nginx

Navigate to http://localhost and make sure that Nginx works: you should see the Nginx welcome page.

Now you may delete the symlink to the default Nginx site:

sudo rm /etc/nginx/sites-enabled/default

Next, configure your proxy using one of the options described below.

Direct Proxy

In this case, requests are handled by the proxy and passed transparently to the application.

Create the Nginx site configuration file /etc/nginx/sites-enabled/direct_proxy:

server {
    listen 80;
    server_name localhost;

    location /app/ {
        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto  $scheme;

        # Required to send real client IP to application server
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP          $remote_addr;

        # Optional timeouts
        proxy_read_timeout      3600;
        proxy_connect_timeout   240;
        proxy_http_version      1.1;

        # Required for WebSocket:
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass              http://127.0.0.1:8080/app/;
    }
}

and restart Nginx:

sudo service nginx restart

Now you can access your site via http://localhost/app.
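
The following added example (not part of the CUBA documentation and not Tomcat's code) is a simplified Python model of how RemoteIpValve resolves the X-Forwarded-For value that Nginx builds with $proxy_add_x_forwarded_for. It shows why internalProxies should match only the proxy's own address. The function names and the sample addresses are assumptions made for illustration.

```python
import re

# Value of internalProxies from the Valve shown on this page.
PAGE_INTERNAL_PROXIES = r"127\.0\.0\.1"

def nginx_forwarded_for(client_header, remote_addr):
    """Model of $proxy_add_x_forwarded_for: client-sent value plus $remote_addr."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr

def resolve_remote_ip(peer_addr, xff, internal_proxies, trusted_proxies=None):
    """Simplified model of RemoteIpValve (not Tomcat's code).

    Returns (remote_ip, trusted_proxy_chain, header_left_for_the_app).
    """
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    peer_is_proxy = internal.fullmatch(peer_addr) or (
        trusted and trusted.fullmatch(peer_addr))
    # The header is honoured only when the TCP peer itself is a known proxy.
    if not peer_is_proxy or not hops:
        return peer_addr, [], xff
    remote_ip, chain = None, []
    idx = len(hops) - 1
    # Walk right to left: the rightmost entries were appended by our own proxies.
    while idx >= 0:
        remote_ip = hops[idx]
        idx -= 1
        if internal.fullmatch(remote_ip):
            continue                      # internal proxy: skipped silently
        if trusted and trusted.fullmatch(remote_ip):
            chain.insert(0, remote_ip)    # trusted proxy: kept in the chain
            continue
        break                             # first unknown address is the client
    return remote_ip, chain, ", ".join(hops[:idx + 1])

if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 sends its own header value.
    header = nginx_forwarded_for("198.51.100.9", "203.0.113.7")
    print(resolve_remote_ip("127.0.0.1", header, PAGE_INTERNAL_PROXIES))
    # Over-broad pattern (assumption, for contrast): every IPv4 address matches.
    print(resolve_remote_ip("127.0.0.1", header, r"\d+(\.\d+){3}"))
```

With the internalProxies value from this page, the resolved address is the one Nginx saw on the connection; with the over-broad pattern, it is the value the client supplied in its own header.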

Redirect to Path

This example describes how to change the application’s URL path from /app to /, as if the application were deployed in the root context (similar to /ROOT). This will allow you to access the application at http://localhost.

Create the Nginx site configuration file /etc/nginx/sites-enabled/root_proxy:

server {
    listen 80;
    server_name localhost;

    location / {
        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto  $scheme;

        # Required to send real client IP to application server
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP          $remote_addr;

        # Optional timeouts
        proxy_read_timeout      3600;
        proxy_connect_timeout   240;
        proxy_http_version      1.1;

        # Required for WebSocket:
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass              http://127.0.0.1:8080/app/;

        # Required for folder redirect
        proxy_cookie_path       /app /;
        proxy_set_header Cookie $http_cookie;
        proxy_redirect http://localhost/app/ http://localhost/;
    }
}

and restart Nginx:

sudo service nginx restart

Now you can access your site via http://localhost.

Please note that similar deployment instructions apply to Jetty, WildFly, etc. Those servers may need additional configuration.