I have the following installation: Nginx + selfmade SLL cert + Wildfly running on the same host. On Wildfly I have Spring MVC app with context path /myapp with Spring Security. App is working perfectly when accessing it at http://192.168.13.13:8080/myapp (all pages, redirects, logins, etc.). So I want to access it through Nginx and root context path, i.e. http://192.168.13.13/. And at this moment I'm stuck. If I do not use SLL and proxying from / to / - it works. But I have to enter http://192.168.13.13/myapp to access http://192.168.13.13:8080/myapp. If I set proxy from / to /myapp - all Spring redirects are broke. If I enable SSL - I can't login to my app and Spring redirects also broke.
Could someone prompt for correct setup of my installation?
Current nginx config:
upstream wildfly {
server 127.0.0.1:8080 weight=100 max_fails=5 fail_timeout=5;
}
server {
underscores_in_headers on;
listen 80;
listen [::]:80;
server_name example.com;
return 301 https://example.com$request_uri;
}
server {
underscores_in_headers on;
listen 443 ssl;
listen [::]:443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/self.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_trusted_certificate /etc/nginx/ssl/self.crt;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass_header X-CSRF-TOKEN;
proxy_pass http://wildfly/;
}
}
Current Spring Security config:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/index").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/error/**").permitAll()
.antMatchers("/platform/**").authenticated()
.and().cors()
.and().formLogin().loginPage("/login").usernameParameter("username").passwordParameter("password")
.successHandler(new CustomAuthenticationSuccessHandler())
.failureHandler(customAuthenticationFailureHandler())
.and().csrf().csrfTokenRepository(new CookieCsrfTokenRepository())
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.addLogoutHandler(new SecurityContextLogoutHandler())
.clearAuthentication(true)
.logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID")
.invalidateHttpSession(true)
.and().rememberMe().key("remembermekay").tokenValiditySeconds(60*60*24*14)
.and().exceptionHandling().accessDeniedPage("/error/access_denied");
}
If you need any other configs please ask...
Finally found the solution: in Wildfly I've configured virtual host and map it to my application. No other actions were required - now it's working as expected.
<host name="example.com" alias="example.com" default-web-module="myapp.war">
<access-log directory="${jboss.server.log.dir}/access" prefix="myapp_access_log."/>
</host>