Commit

Fixes kartoza#293 - although this is marked as resolved, the resolution isn't entirely correct and forces all requests to `https`. This can cause the local healthcheck to fail.

This fix is for hosting Geoserver behind an SSL layer e.g. AWS Load Balancer or Cloudfront. It will allow it to be accessed via http OR https.
1. nginx.conf: the proxy headers are passed by the Nginx reverse proxy
2. server.xml: a fix for tomcat to accept the proxy scheme (e.g. https) using RemoteIpValve
*There may be a better way to write the xml insertion.
carderm committed Apr 29, 2023
1 parent a69ec35 commit 7539c94
Showing 2 changed files with 9 additions and 3 deletions.
4 changes: 4 additions & 0 deletions scripts/start.sh
Expand Up @@ -432,6 +432,10 @@ if [[ -f ${EXTRA_CONFIG_DIR}/server.xml ]]; then
else
# default value
eval "$transform"
# Add x-forwarded headers
sed -r '/\<\Host\>/ i\ \t<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https"/>' ${CATALINA_HOME}/conf/server.xml > ${CATALINA_HOME}/conf/server.xml.tmp
cp ${CATALINA_HOME}/conf/server.xml ${CATALINA_HOME}/conf/server.xml.orig
cp ${CATALINA_HOME}/conf/server.xml.tmp ${CATALINA_HOME}/conf/server.xml
fi


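Review bot: The sed address `/\<\Host\>/` on the added line matches every line that contains the word Host, not only the opening `<Host ...>` element, so a closing `</Host>` tag or a comment mentioning Host would each get a copy of the Valve inserted before it; the `\H` is also a stray escape. Anchor the address on the opening tag (for example `/<Host /`) or do the insertion with an XML-aware tool, and quote `${CATALINA_HOME}` in the sed and cp arguments. The valve is added with no `internalProxies` or `trustedProxies` attribute, so Tomcat's default internal-proxy list decides whose `x-forwarded-for` and `x-forwarded-proto` values are believed; setting it explicitly to the nginx address would make that trust boundary visible. The insertion also happens only in the `else` branch, so a user-supplied `${EXTRA_CONFIG_DIR}/server.xml` gets no valve, which deserves a line in the documentation.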
8 changes: 5 additions & 3 deletions sites-enabled/nginx.conf
Expand Up @@ -19,9 +19,11 @@ server {

location / {
proxy_pass http://geoserver/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
proxy_set_header Host $host; # the host requested by the client
proxy_set_header X-Real-IP $remote_addr; # the real visitor IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # the client IP
proxy_set_header X-Forwarded-Host $host:$server_port; # the host used for the request
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; # the scheme used for the request, http or https
port_in_redirect off;
proxy_connect_timeout 600;
}
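Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` forwards whatever value arrived in the request, so when nginx is reached directly rather than through the load balancer the header is either empty or chosen by the client, and the RemoteIpValve added in scripts/start.sh will act on it. Fall back to `$scheme` when the incoming header is absent (a `map` on `$http_x_forwarded_proto` does this) and accept the incoming value only from the load balancer's addresses. The same concern applies to `$proxy_add_x_forwarded_for`, which appends to a client-supplied X-Forwarded-For. Behind a load balancer `$remote_addr` is the balancer's address, so the comment "the real visitor IP" on X-Real-IP is inaccurate there, and `$host:$server_port` advertises the port nginx listens on rather than the public one.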