Encryption with Tomcat & Nginx reverse proxy

  • I'm working with Tomcat and nginx as a reverse proxy and I'm trying to have a better understanding of how the traffic flows and of what the security issues are. Picture this as what I have in mind:

    1. Tomcat and a webapp are installed on server X, with ports 8080 (unsecure) and 8443 (secure) open.

    2. On another server which we'll call server Y, we have an nginx host whose role is only that of a reverse proxy to Tomcat (server X).

    3. On server Y, we have TLS enabled in nginx and all traffic going to https://domain.com is proxied to Tomcat on port 8443 on server X, which is then passed to the webapp which

    With this setup, my understanding is that without any additional things set up, traffic from the client (browser) to server Y where nginx is installed is encrypted via TLS. However, Tomcat wasn't "secured" in the sense that we didn't set up a trust store on it with a keypair. This is where my understanding stops and I'm just really confused about what this implies.

    Here's the traffic flow that I have in mind:

    1. Client (browser) -> https://domain.com (server X)
    2. https://domain.com (server Y) -> tomcat (server X, port 8443)
    3. tomcat -> webapp
    4. webapp -> tomcat
    5. tomcat -> https://domain.com (server Y)
    6. https://domain.com -> client (browser)

    Is this high level flow even valid or am I misunderstanding something crucial? If it's not valid, could you please explain where it's wrong?

    Also, is there any reason one would set up a trust store on Tomcat in such a setup? From what I understand, setting up a trust store on Tomcat here could only help to prevent unsecured direct access to the webapp that Tomcat "handles", but I don't see any other use than that.

    Hope my scenario is clear, thanks a lot in advance!

  • There is most likely a self-signed local certificate in the trust store (since default setups do that sort of thing).

    Which makes it like this:

    1. Client to nginx (tls on port 443) CERT valid for domain
    2. Nginx to tomcat server (tls on port 8443) CERT self signed for localhost.
    3. Tomcat internal routing to web app (NO TLS)
    4. Backtrack from tomcat to nginx (TLS)
    5. Backtrack from nginx to client (TLS)

    I hope this helps you understand.
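The two-hop setup described in the question and in the answer above (browser to nginx over TLS, nginx to Tomcat on 8443 over a second TLS session) is what the following nginx configuration implements. This is an added example, not configuration from the original post or from either project's documentation; the hostname `tomcat.internal`, the certificate paths under `/etc/nginx/certs/`, and the name `domain.com` are assumptions. The commented-out `location` shows what a bare `proxy_pass https://...` gives you: nginx encrypts to Tomcat but, because `proxy_ssl_verify` is off by default, it accepts whatever certificate the other end presents. The active `location` pins the upstream to Tomcat's own self-signed certificate and forwards the original scheme and host.

```nginx
# Added example (not part of the original post). Assumed names and paths:
#   domain.com          public name served by nginx on server Y
#   tomcat.internal     hypothetical internal name of server X (Tomcat, port 8443)
#   tomcat-ca.pem       Tomcat's self-signed certificate, exported in PEM form
server {
    listen 443 ssl;
    server_name domain.com;

    # Certificate the browser sees; issued for domain.com.
    ssl_certificate     /etc/nginx/certs/domain.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/domain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Weak variant (commented out): TLS to Tomcat, but no verification of the
    # upstream certificate. proxy_ssl_verify defaults to "off", so any host
    # answering on tomcat.internal:8443 would be accepted.
    #
    # location / {
    #     proxy_pass https://tomcat.internal:8443;
    # }

    # Hardened variant: verify Tomcat's certificate against an explicit trust
    # anchor and check the name it was issued for.
    location / {
        proxy_pass https://tomcat.internal:8443;

        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        1;
        proxy_ssl_trusted_certificate /etc/nginx/certs/tomcat-ca.pem;
        # Send SNI and verify the certificate against this name; it must match
        # a SAN/CN in Tomcat's certificate.
        proxy_ssl_server_name         on;
        proxy_ssl_name                tomcat.internal;

        # Let the webapp know the original host and scheme so redirects and
        # absolute URLs it generates say https://domain.com, not the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two caveats follow from this. First, nginx checks the upstream certificate against `proxy_ssl_name`, so a Tomcat certificate issued only for `localhost` (as the answer describes) will fail verification once nginx runs on a different server; issue Tomcat's certificate for the name nginx actually connects to, or have the trust store contain that certificate and use a matching `proxy_ssl_name`. Second, the configuration above only protects the nginx-to-Tomcat hop; the direct-access concern raised in the question (port 8080 and 8443 being open on server X) is a firewall question, and the usual answer is to allow inbound 8443 on X only from server Y and to close 8080 entirely.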
