Spring Boot with embedded Tomcat behind Apache SSL proxy

 
Enrico Morelli
Ranch Hand
Posts: 53
I'm searching for a solution to be able to run a Spring application behind an Apache SSL proxy. I tried a lot of configurations without success. All Spring responses go to http causing a Not Found error.

The following is the Apache configuration:

       

These are the Spring options:


I'm using Spring Boot 2.5.6 on Apache Tomcat/9.0.54. The OS's Apache is version 2.4.25, running on Debian 9.13.

The problem seems to happen after logging in to the application and logging out. If I change http to https after the login action, I'm able to navigate the application. All links work fine until I log out. When I log out, the application goes to http again.

Can someone help me?
 
Roland Mueller
Ranch Hand
Posts: 155
I haven't done this by myself but here is an article dealing with that topic: https://stormpath.com/blog/secure-spring-boot-webapp-apache-letsencrypt-ssl

The basic approach is to use the so-called AJP connector, which requires the Apache modules proxy and proxy_ajp.

In addition, adding these lines to the Apache virtual host for SSL is essential:

ProxyPass / ajp://localhost:9090/
ProxyPassReverse / ajp://localhost:9090/

 
Enrico Morelli
Ranch Hand
Posts: 53

Roland Mueller wrote:I haven't done this by myself but here is an article dealing with that topic: https://stormpath.com/blog/secure-spring-boot-webapp-apache-letsencrypt-ssl

The basic approach is to use the so-called AJP connector, which requires the Apache modules proxy and proxy_ajp.

In addition, adding these lines to the Apache virtual host for SSL is essential:

ProxyPass / ajp://localhost:9090/
ProxyPassReverse / ajp://localhost:9090/



Thank you. The information in the article is a bit old, but I found the new configurations so it seems to work fine.
 
Roland Mueller
Ranch Hand
Posts: 155

Enrico Morelli wrote:
Thank you. The information in the article is a bit old, but I found the new configurations so it seems to work fine.



I guess the approach of having Java or other servers behind a web server such as Apache or Nginx is not a new concept and will not be subject to many changes or radical changes.
 
Tim Holloway
Saloon Keeper
Posts: 26769

Roland Mueller wrote:
I guess the approach of having Java or other servers behind a web server such as Apache or Nginx is not a new concept and will not be subject to many changes or radical changes.


The concept is known as a reverse proxy and is probably older than some of the people on the Ranch at this point. You'll often hear it simply called "proxy", but a true web proxy acts as a single access point for outbound requests. A Reverse Proxy acts as a client for inbound requests.

Probably the most popular "proxy" servers are Apache, Nginx, and IIS, although others can also serve. Or you can use a physical proxy server device such as the popular F5 line.

Apache uses modules and there are several. The mod_jk module talks to Tomcat workers and in theory should be better for load balancing, but mod_proxy is the generally-recommended one. They don't connect to port 8080, but rather to the Tomcat proxy port (8009) and use private (coyote) protocols. The SSL connection is between the outside and Apache. Normally one trusts that the DMZ side of Apache is secure enough to go directly to Tomcat.
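
An added example, not part of the post above or of any poster's configuration: one way to expose an AJP connector from Spring Boot's embedded Tomcat for the `ProxyPass / ajp://localhost:9090/` lines quoted earlier in the thread, bound to loopback and protected by a shared secret. The class name and the `example.ajp.*` property names are hypothetical, chosen for this sketch.

```java
import java.net.InetAddress;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AbstractAjpProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AjpConnectorConfig {

    // Hypothetical property names; 9090 matches the ProxyPass lines in the thread.
    @Value("${example.ajp.port:9090}")
    private int ajpPort;

    // Shared secret; must equal the secret= value on the Apache ProxyPass line.
    @Value("${example.ajp.secret:}")
    private String ajpSecret;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ajpCustomizer() {
        return factory -> {
            Connector connector = new Connector("AJP/1.3");
            connector.setPort(ajpPort);

            AbstractAjpProtocol<?> ajp =
                    (AbstractAjpProtocol<?>) connector.getProtocolHandler();

            // AJP is unauthenticated and unencrypted by itself: listen on
            // loopback only, so that only the local Apache can reach it.
            ajp.setAddress(InetAddress.getLoopbackAddress());

            if (ajpSecret.isEmpty()) {
                // Fallback for a front end that cannot send a secret. The
                // secret= parameter of ProxyPass needs httpd 2.4.42 or later,
                // so verify what the packaged 2.4.25 supports before relying on it.
                ajp.setSecretRequired(false);
            } else {
                // Requests that do not carry this secret are rejected.
                ajp.setSecret(ajpSecret);
                ajp.setSecretRequired(true);
            }
            factory.addAdditionalTomcatConnectors(connector);
        };
    }
}
```

With mod_proxy_ajp the original scheme is carried inside the AJP request, so the application sees the request as HTTPS without extra forwarded-header settings.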
 
Enrico Morelli
Ranch Hand
Posts: 53
Only one problem remains. When the session times out (I don't know how to set it), I'm redirected to the HTTP login page instead of HTTPS, so I receive 404 Not Found again.

Is there a way to solve it?
 