20150717 nginx as an openam reverse proxy - plembo/onemoretech GitHub Wiki
title: Nginx as an OpenAM reverse proxy
link: https://onemoretech.wordpress.com/2015/07/17/nginx-as-an-openam-reverse-proxy/
author: phil2nc
description:
post_id: 9941
created: 2015/07/17 12:34:19
created_gmt: 2015/07/17 16:34:19
comment_status: closed
post_name: nginx-as-an-openam-reverse-proxy
status: publish
post_type: post
Nginx as an OpenAM reverse proxy
OK, so here it is: my recipe for an nginx-based reverse proxy to front-end OpenAM. On a newer Red Hat-based system you'd be editing /etc/nginx/nginx.conf:

[code language="bash" gutter="false"]
location /openam {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://localhost:8080/openam;
}
[/code]

Assuming you're preserving both the host name and the /openam path, the above code block should be inserted into both the HTTP and HTTPS virtual host or "server" blocks. The two proxy_set_header directives that come right above the proxy_pass directive are the equivalent of "ProxyPreserveHost" in an Apache configuration: they preserve the illusion that this is just another subfolder on the Apache published web site, obscuring the backend Tomcat application server ports (and any host name differences between the web and application server where your Tomcat instance is located on another host).

This is what my full HTTPS block in nginx.conf looks like:

[code language="bash" gutter="false"]
server {
    listen 443 ssl;
    server_name sso.example.com;
    root /var/www/html;

    ssl on;
    ssl_certificate /etc/pki/tls/certs/example.crt;
    ssl_certificate_key /etc/pki/tls/private/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    error_log /var/log/nginx/sso.example.com-ssl_error.log;
    access_log /var/log/nginx/sso.example.com-ssl_access.log main;

    include /etc/nginx/default.d/*.conf;

    location / {
        autoindex on;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location /openam {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8080/openam;
    }
}
[/code]

In my previous article on making Apache an OpenAM proxy I presented this RewriteRule in the HTTP (port 80) virtual host that ensured the user's session would always use HTTPS:

[code language="bash" gutter="false"]
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
[/code]

The equivalent in nginx that would need to go in the virtual host block for the port 80 server would be:

[code language="bash" gutter="false" highlight="5"]
server {
    listen 80 default_server;
    server_name sso.example.com;
    root /var/www/html;
    return 301 https://$server_name$request_uri;
}
[/code]

Yeah, that's right. A Single Freaking Line. I have to admit that nginx is a little annoying at first, especially for Apache veterans, because it forces us to learn how to do old things in new ways. But that sort of goes with the territory of system administration. Doesn't it?
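The two server blocks above combined into one tightened configuration, as an added example rather than the author's own. Host name, certificate paths and log names are the page's sample values; the TLS protocol list, the HSTS header and the two X-Forwarded-* headers are additions that assume every client can use HTTPS and that the backend is configured to read those headers.

```nginx
# Added example, not the author's configuration.
# Port 80 only redirects. $server_name is the configured name, so the
# Location header never echoes a client-supplied Host value.
server {
    listen 80 default_server;
    server_name sso.example.com;
    # No "location /openam" here: the server-level return answers every
    # request before any location would be used.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;    # the "ssl" parameter makes a separate "ssl on;" redundant
    server_name sso.example.com;
    root /var/www/html;

    ssl_certificate     /etc/pki/tls/certs/example.crt;
    ssl_certificate_key /etc/pki/tls/private/example.key;
    # The page's block also enables TLSv1 and TLSv1.1. TLSv1.3 needs
    # nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it if "nginx -t" objects.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    error_log  /var/log/nginx/sso.example.com-ssl_error.log;
    access_log /var/log/nginx/sso.example.com-ssl_access.log main;

    # Assumption: every client of this host can use HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /openam {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Assumption: the backend is set up to read these two headers,
        # and only this proxy can reach port 8080.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8080/openam;
    }
}
```

Run `nginx -t` before reloading so a rejected directive is caught while the old configuration is still serving.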
Copyright 2004-2019 Phil Lembo