Nginx as an OpenAM reverse proxy

OK, so here it is: my recipe for an nginx based reverse proxy to frontend OpenAM.

On a newer Red Hat base system you’d be editing /etc/nginx/nginx.conf:

location /openam {
   proxy_set_header Host $host;               # hand the original Host header to Tomcat unchanged
   proxy_set_header X-Real-IP $remote_addr;   # client address, so the backend sees more than 127.0.0.1
   proxy_pass http://localhost:8080/openam;
}

Assuming you’re preserving both the host name and the /openam path, the above code block goes into the HTTPS virtual host or “server” block, and into the HTTP block as well unless that block simply redirects everything to HTTPS (as the port 80 block further down does, in which case it is not needed there). The first proxy_set_header directive, Host $host, is the equivalent of “ProxyPreserveHost” in an Apache configuration: nginx would otherwise rewrite the Host header to localhost:8080, and passing the original one through lets Tomcat build its redirects and cookies for sso.example.com. That preserves the illusion that /openam is just another subfolder of the nginx published web site, obscuring the backend Tomcat application server port (and any host name differences between the web and application server where your Tomcat instance is located on another host). The second directive, X-Real-IP, has nothing to do with ProxyPreserveHost: it carries the client’s address to the backend (Apache’s mod_proxy does the same thing with X-Forwarded-For), and the application will only act on it if it has been configured to trust that header from this proxy. One thing neither directive does is tell the backend that the client connected over HTTPS: nginx speaks plain HTTP to Tomcat, so the application sees an http request unless the original scheme is forwarded as well (an X-Forwarded-Proto header, honored on the Tomcat side by something like its RemoteIpValve).

This is what my full HTTPS block in nginx.conf looks like:

    server {
        listen              443 ssl;
        server_name         sso.example.com;
        root                /var/www/html;
        ssl                 on;   # redundant with "listen 443 ssl"; obsolete since nginx 1.15.0 and removed in 1.25.1
        ssl_certificate     /etc/pki/tls/certs/example.crt;
        ssl_certificate_key /etc/pki/tls/private/example.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 TLSv1.3 on a current build
        ssl_ciphers         HIGH:!aNULL:!MD5;

        error_log  /var/log/nginx/sso.example.com-ssl_error.log;
        access_log  /var/log/nginx/sso.example.com-ssl_access.log  main;

        include /etc/nginx/default.d/*.conf;

        location / {
          autoindex on;   # publishes directory listings of /var/www/html; leave off unless that is intended
          try_files $uri $uri/ /index.php?q=$uri&$args;
        }
        location /openam {
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_pass http://localhost:8080/openam;
        }
    }
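For comparison, here is a hardened version of the same HTTPS server block. This is an added example, not configuration from the original post: it keeps the post’s host name, certificate paths, log names and backend address as assumed values, and assumes Tomcat is bound to 127.0.0.1:8080 and has been configured (for instance with its RemoteIpValve) to trust X-Forwarded-* headers only from this proxy.

```nginx
# Added example, not from the original post. Hardened HTTPS server block for the
# OpenAM reverse proxy; names, paths and the 127.0.0.1:8080 backend are assumptions.
server {
    listen              443 ssl;
    server_name         sso.example.com;
    root                /var/www/html;

    ssl_certificate     /etc/pki/tls/certs/example.crt;
    ssl_certificate_key /etc/pki/tls/private/example.key;
    # No "ssl on;" (the listen parameter covers it); no TLSv1/TLSv1.1.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Keep returning browsers on HTTPS for a year; "always" adds it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    error_log   /var/log/nginx/sso.example.com-ssl_error.log;
    access_log  /var/log/nginx/sso.example.com-ssl_access.log main;

    include /etc/nginx/default.d/*.conf;

    location / {
        autoindex off;   # no directory listings of the document root
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location /openam {
        proxy_http_version 1.1;
        proxy_set_header Host              $host;                       # Apache's ProxyPreserveHost
        proxy_set_header X-Real-IP         $remote_addr;                 # client address
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;  # client address, appended to any upstream chain
        proxy_set_header X-Forwarded-Proto $scheme;                      # "https": the backend would otherwise see plain http
        proxy_pass         http://127.0.0.1:8080/openam;
    }
}
```

Two things outside nginx make this safe rather than just tidy. The application only honors X-Forwarded-For and X-Forwarded-Proto if it is told to trust them from 127.0.0.1 (on Tomcat, the RemoteIpValve’s internalProxies setting), and port 8080 must not be reachable from anywhere but the proxy host, otherwise a client can connect to Tomcat directly and supply those headers itself.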

In my previous article on making Apache an OpenAM proxy I presented this RewriteRule in the HTTP (port 80) virtual host that ensured the user’s session would always use HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The equivalent in nginx that would need to go in the virtual host block for the port 80 server would be:

server {
   listen       80 default_server;
   server_name  sso.example.com;
   root         /var/www/html;
   # Every plain-HTTP request is sent to the same path on HTTPS. $server_name is
   # the name configured here; $host would echo whatever Host header the client sent.
   return 301 https://$server_name$request_uri;
}

Yeah, that’s right. A Single Freaking Line. I have to admit that nginx is a little annoying at first, especially for Apache veterans: because it forces us to learn how to do old things in new ways. But that sort of goes with the territory of system administration. Doesn’t it?

This entry was posted in Identity Management, System Administration, Web.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).