How to set up nginx as an HTTPS reverse proxy

Here is one example of how you can set up the nginx server so that it terminates the HTTPS call, forwards it on, and consumes the SSL cert (the one you created in my last article).

In the location section you can forward the request to a non-HTTPS server, which could sit in your DMZ. Outside users browse the public domain and are protected by HTTPS.

server {
    listen 443 ssl;

    ssl_certificate     cert_wayneshare/cert_wayneshare.crt;
    ssl_certificate_key cert_wayneshare/key_wayneshare.pem;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    client_body_buffer_size     200k;
    client_header_buffer_size   20k;
    client_max_body_size        256m;
    large_client_header_buffers 16 32k;

    access_log /var/log/nginx/node0.access.log;
    error_log  /var/log/nginx/node0.error.log info;

    location /internal/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP       $remote_addr;
        # placeholder: the plain-HTTP backend (e.g. in your DMZ) that
        # requests under /internal/ are forwarded to
        proxy_pass http://<internal_backend>;
    }
}


Now that you have HTTPS enabled, you can force a redirect from your HTTP site or URL to the HTTPS URL. Just use this nginx setting:


server {
    listen 80;
    location /internal/ {
        return 301 https://$server_name$request_uri;
    }
}



How to set up Tomcat to consume the HTTPS cert

After I got my signed SSL/HTTPS cert from a CA, I needed to use it with web servers like Apache, nginx and Tomcat. Here I give one example of how to import the cert into a keystore and then configure Tomcat to use it on port 443:

1. To import an existing certificate signed by a root CA into a PKCS12 keystore using OpenSSL, run a command like:

openssl pkcs12 -export -in wayneshare.crt -inkey mykey.key -out wayneshare.p12 -name mycerts -CAfile myCA.crt -caname root -chain

Or with keytool:

The cert you get from a CA is normally signed through several levels of CA certificates, so it is a chain structure. If you import the chain into your keystore with keytool, you need to import the CA certs first, level by level:

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

And finally you can import your newly signed certificate:

keytool -import -alias mycerts -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

For example, in my case I have two levels of CA certs to import before I import my real cert:

keytool -import -alias root -keystore keystore.jks -trustcacerts -file wayneshare_com.ca0.crt
keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file wayneshare_com.ca1.crt
keytool -import -alias waynecert -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.crt


2. After the crt is added to the keystore, we can change Tomcat's server.xml to point the HTTPS connector at the keystore:

<Connector port="443" maxThreads="500"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/home/certificate/keystore.jks" keystorePass="mypass"
           clientAuth="false" sslProtocol="TLS"/>

/home/certificate/ is the folder I use to keep my cert and keystores.

3. Restart your Tomcat and port 443 should be working.
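Whether the files go to nginx (ssl_certificate and ssl_certificate_key above) or into the Tomcat keystore in root, intermediate, server order, two things are worth confirming first: that the private key really belongs to the server certificate, and that the certificate chains up to the root through the intermediate. The POSIX shell functions below are an added example for this page, not the article's own commands; they assume the openssl CLI on PATH, and the file names and the demo chain they build are constructed test data.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run on the PEM files
# before handing them to nginx (ssl_certificate / ssl_certificate_key) or
# importing them into the Tomcat keystore. Needs the openssl CLI on PATH.
set -eu

# Return 0 when the server certificate ($1) and the private key ($2) share
# one RSA modulus, 1 otherwise. nginx only reports a mismatched pair at
# reload time ("key values mismatch"), so catch it here first.
key_matches_cert() {
  crt_mod=$(openssl x509 -noout -modulus -in "$1")
  key_mod=$(openssl rsa -noout -modulus -in "$2")
  [ "$crt_mod" = "$key_mod" ]
}

# Return 0 when the leaf ($3) chains through the intermediate ($2) to the
# root ($1): the same root -> intermediate -> server order as the keytool imports.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> leaf chain plus one unrelated
# self-signed pair in directory $1 (constructed demo data, not real CA output).
make_demo_chain() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}
```

On real files, run key_matches_cert against the crt/pem pair from the nginx config and chain_verifies against the ca0, ca1 and server crt files before importing them.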




How to get an HTTPS certificate for your website

It is common for a web site to need an SSL certificate to secure HTTPS. There are some free and budget cert suppliers out there. Here I am going to use SSLS.COM, a budget supplier, as the example and list the steps to get a cert for your web site.

1. First, create a Java keystore containing your 2048-bit private key and set the validity period (3650 days here):

sudo keytool -genkey -alias waynecert -keystore keystore.jks -storepass mypass -keyalg RSA -keysize 2048 -keypass mypass -validity 3650 -dname "CN=<your_domain>,OU=Dept Name,O=Wayne Share LLC,L=Palo Alto,ST=CA,C=US"

Also save it in PKCS12 format and check both keystores:

sudo keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
keytool -list -v -keystore keystore.jks -storepass mypass
keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass mypass

2. Create a CSR with the private key. To create your CSR, run the following command:

sudo keytool -certreq -keyalg RSA -alias waynecert -file certreq.csr -keystore keystore.jks

3. I use the to create our SSL cert. Place an order there.

4. Activate the SSL cert at SSLS.COM using our CSR content.

4.1 Paste the CSR content into the activation step of

less certreq.csr


4.2 Input my own contact info:

Administrative wayne zhou
3888 Miranda Place
Palo Alto, CA, 94304
United States

4.3 To confirm that you own the domain, SSLS.COM offers two ways here:
one is to use an email address under your domain; the other needs access to your web server, such as Apache/nginx, to put a verification file there for comodoca (the root CA) to verify that the site is under your control.

Download a file from for cert verification. You get this message first:
“You’re almost done. Upload file to /.well-known/pki-validation/ public directory of Do not rename the file or edit its contents. If you’re not sure what to do, please contact support.”

File name we got is: F26FF4AD68EEB3785D28B5420663D6A5.txt
File content, just one line: 591E88059BC38F2F09DC9C426E83C607F7414728CFDAD1D1F4711A4658904C1F 5a1ca2e34e5ee

5. Put F26FF4AD68EEB3785D28B5420663D6A5.txt on my nginx server:
As I use nginx as the reverse proxy, I need to install the HTTPS cert on the nginx side, not the Tomcat side.
So this step puts the challenge file onto the nginx server to prove you are the owner of the website.

Add this location block and restart nginx:

location = /.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt {
    alias /home/www/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt;
}

After I put the file under the /home/www folder, this link should work:

Then you can contact SSLS.COM support and soon you will get an email with the cert file. Just save the cert for your site to use.

6. Import the signed cert into the keystore, under the same alias as the private key, for the web server to use:
sudo keytool -import -alias waynecert -keystore keystore.jks -trustcacerts -file <your_certificate_filename>
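Before the CSR from step 2 is pasted into the activation form in step 4.1, it pays to confirm that it names the CN you expect and carries an RSA key of the size you generated; a typo here is much cheaper to fix than a re-issue after the CA has signed. The shell function below is an added example for this page, not the article's own commands: it works on any PEM CSR, including the keytool -certreq output above, assumes the openssl CLI on PATH, and the demo CSR it generates is constructed test data.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a PEM CSR before it is
# pasted into the CA's activation form. Works on keytool -certreq output as
# well as openssl-generated requests. Needs the openssl CLI on PATH.
set -eu

# Return 0 when the CSR's self-signature verifies, its subject CN is exactly
# $2 and its RSA key has at least $3 bits (default 2048); 1 otherwise.
csr_check() {
  csr=$1; want_cn=$2; min_bits=${3:-2048}
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
  # RFC2253 form gives "subject=C=US,O=Demo Org,CN=www.example.test" with no
  # spaces, so the CN can be matched as a whole RDN rather than a substring.
  subject=$(openssl req -noout -subject -nameopt RFC2253 -in "$csr")
  subject=${subject#subject=}
  case "$subject" in
    "CN=$want_cn"|"CN=$want_cn,"*|*",CN=$want_cn"|*",CN=$want_cn,"*) ;;
    *) return 1 ;;
  esac
  # Accepts both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
  # "Public-Key: (2048 bit)" (OpenSSL 3) when reading the key size.
  bits=$(openssl req -noout -pubkey -in "$csr" \
         | openssl rsa -pubin -noout -text 2>/dev/null \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]
}

# Write a constructed CSR (RSA key of $3 bits, CN=$2) to path $1 for offline
# testing; its key lands next to it as $1.key. Real CSRs come from the keystore.
make_demo_csr() {
  openssl req -newkey "rsa:$3" -nodes -subj "/CN=$2/O=Demo Org/C=US" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}
```

For the CSR on this page, call csr_check certreq.csr <your_domain> 2048 and only paste the file if it returns 0.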



Notes: related keytool commands

keytool -list

# export the private key (keytool has no direct command for this; see the openssl export at the end)

# export the cert
keytool -export -rfc -alias mycerts -file cert_1.crt

# import key from another key store

keytool -importkeystore -srckeystore ~/.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias mycerts -deststorepass mypass -destkeypass mypass

Export the certificate using openssl:

openssl pkcs12 -in keystore.p12 -nokeys -out cert_1.pem

Export the unencrypted private key:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key_1.pem