Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate
-
Start with netstat. Is nginx listening?
netstat -tulpn
-
@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Edited for accuracy
-
Few obvious things to check for
- open ports
- selinux
- run nginx -t to verify config
- post nginx logs
-
@wirestyle22 said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26420/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26420/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
Looks like Nginx is not listening on port 443. Did you restart the service after config change?
-
@marcinozga said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
@wirestyle22 said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
@scottalanmiller said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
Start with netstat. Is nginx listening?
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26420/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26420/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
Looks like Nginx is not listening on port 443. Did you restart the service after config change?
Yes I did. Sorry this was a test. I forgot to update it
-
Same behavior
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      26496/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26496/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd
tcp6       0      0 :::8443                 :::*                    LISTEN      25783/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      25783/java
tcp6       0      0 :::8009                 :::*                    LISTEN      25783/java
tcp6       0      0 :::80                   :::*                    LISTEN      26496/nginx: master
tcp6       0      0 :::8080                 :::*                    LISTEN      25783/java
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           866/chronyd
udp6       0      0 ::1:323                 :::*                                866/chronyd
-
Add
ssl on;
to the config on the line above ssl_certificate
.... ?
-
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
You're missing ssl in first server block.
server { listen 443 ssl;
I don't know if it's strictly required, I'd add it.
-
@marcinozga said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
You're missing ssl in first server block.
server { listen 443 ssl;
I don't know if it's strictly required, I'd add it.
lol fml. That was it. I knew it was something dumb
-
@marcinozga said in Tomcat with an NGINX Reverse Proxy and Self-signed SSL Certificate:
I don't know if it's strictly required, I'd add it.
Because the one tells the port to listen on. The other tells it what protocol to use. Since you can use any port, with any protocol, it has to be listed. You can just add it to port 80 if you want, for example.
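-
Added example, not part of the original thread: a small lint for the mistake found above, where a server block loads a certificate but its listen line names only the port, so netstat shows nginx on 443 while it still answers in plain HTTP. The sample config, host name and file paths are constructed, and the parser assumes no `;`, `{` or `}` inside quoted strings.

```python
import re

# Constructed sample (not the poster's real config): certificate directives
# are present, but the listen line names only the port.
SAMPLE = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443;   # port only, so nginx answers in plain HTTP here
    server_name tomcat.example.test;
    ssl_certificate     /etc/nginx/ssl/selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/selfsigned.key;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

def server_blocks(conf):
    """Yield the brace-matched body of every `server { ... }` block."""
    conf = re.sub(r"#[^\n]*", "", conf)            # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Server-level directives only; nested blocks (location, if) are removed."""
    prev = None
    while prev != body:
        prev, body = body, re.sub(r"[^;{}]*\{[^{}]*\}", "", body)
    return [d.split() for d in body.split(";") if d.strip()]

def tls_listen_problems(conf):
    """Listen values in blocks that load a certificate but never enable TLS."""
    problems = []
    for body in server_blocks(conf):
        ds = directives(body)
        has_cert = any(d[0] == "ssl_certificate" for d in ds)
        legacy_on = ["ssl", "on"] in ds            # older `ssl on;` form
        listens = [d[1:] for d in ds if d[0] == "listen"]
        if has_cert and not legacy_on and not any("ssl" in l for l in listens):
            problems += [" ".join(l) for l in listens]
    return problems

if __name__ == "__main__":
    print(tls_listen_problems(SAMPLE))
```

Run it against the real config before reloading nginx; an empty list means every certificate-bearing server block has at least one listen line with the ssl parameter.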