Using NGINX to Redirect HTTPS Traffic into your Jar File.
I have a Spring Boot app that I’m compiling to a single jar for deployment on a server. I want encrypted traffic to my server, but don’t want my jar file to know about it. How can I get there from here? I’ve spent some time working on this and thought I’d share my work since I couldn’t find a decent tutorial online.
Generating The Certificate
The first thing we’ll need is a certificate. If you’re purchasing one, you can simply skip this step.
Since we’re only testing at this point, I’m using a self-signed certificate. I will use a production one later. At the command prompt (after installing openssl if appropriate) simply run:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt
This will create the two files nginx-selfsigned.key and nginx-selfsigned.crt in the local directory.
Installing the Certificate
I am using /etc/nginx/ssl to hold my certificates. I moved my two certificate files created in the last step to my web server in that path. (I had to create the ssl sub-directory.) Once moved, we are ready to modify the nginx.conf file.
The NGINX Configuration
On my system, the nginx.conf file is in the /etc/nginx directory. I edited it with sudo and made the following changes to the http section.
http {
    # other HTTP configuration skipped as not important to this tutorial

    # redirect all plain HTTP requests to HTTPS
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    # terminate TLS here and pass requests on to the Spring Boot app
    server {
        listen 443 ssl default_server;
        ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;

        location / {
            proxy_pass http://localhost:8844;
        }
    }
}
Let’s take these one at a time and find out what they mean.
listen 443 ssl default_server;
This means this server will listen for ssl traffic on port 443 and that this is the default server configuration for this host.
ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
This is where you point to the crt and key files copied into the ssl directory in the previous step.
location / {
}
Without any further locations defined, this will route all traffic that comes into this server to this location handler. You could qualify this and make it more specific as well.
proxy_pass http://localhost:8844;
This is the actual conversion. My boot app is on this host and listens on port 8844. You could point it to another host as well and use this as a kind of load-balancer.
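A fuller version of the HTTPS server block, added here as an example and not part of the original configuration. It keeps the certificate paths and port 8844 from above and assumes the Spring Boot app is bound to the loopback interface only (for example with server.address=127.0.0.1), so port 8844 cannot be reached except through NGINX; the protocol list and forwarding headers are likewise assumptions about what the clients and the app need.

```nginx
# Added example: goes inside the http { } block in place of the 443 server above.
server {
    listen 443 ssl default_server;

    ssl_certificate     /etc/nginx/ssl/nginx-selfsigned.crt;
    # The key was generated with -nodes, so it is unencrypted on disk:
    # keep this file readable by root only.
    ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;

    # Assumption: no client needs anything older than TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Explicit loopback address, so the unencrypted hop never leaves
        # this host and does not depend on how "localhost" resolves.
        proxy_pass http://127.0.0.1:8844;

        # The app only sees a plain HTTP request coming from 127.0.0.1.
        # These headers carry what the client actually sent.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # NGINX is the first hop here, so overwrite rather than append:
        # a client-supplied X-Forwarded-For value is not passed through.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Spring Boot only honours the X-Forwarded-* headers when told to (the server.forward-headers-strategy property), and that is safe only when the app cannot be reached by anything other than the proxy.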
Test and Restart Nginx
After saving your work, you will want to test your configuration. You can do this by:
sudo nginx -t
This will test the configuration file and report any errors. Next you will want to restart nginx. On my server, you do this:
sudo systemctl restart nginx
Summary
So now we’ve created an nginx configuration that forwards all https traffic coming into this server to http://localhost:8844. NGINX will remove the encryption and allow the request through to the app without compromising security.
Happy coding!