DEV Community

Tek Kshetri
Tek Kshetri

Posted on • Edited on

Using NGINX to put Geoserver HTTPS

#geoserver #nginx #tomcat #https

I recently tried to install the SSL certificate to my NGINX using cartbot. I was overwhelming and I spend one full day to figure out the actual error. I will explain everything in this article.

After installation of the SSL certificate on NGINX, we have to set the proxy settings in nginx.conf file (For me, It is located inside /etc/nginx/nginx.conf directory),

location /geoserver {
            proxy_pass http://127.0.0.1:8080/geoserver;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
         }
Enter fullscreen mode Exit fullscreen mode

I consider that you deployed the geoserver on the tomcat server using the 8080 port. The above proxy setting will help to redirect the geoserver link from http://localhost:8080/geoserver to http://localhost/geoserver. For detail information about the proxy setting please read reference 2.

After adding the geoserver proxy, you may face some problem in the Web-interface of the geoserver. To get it to work, I also added my domain name under Settings > Global > Proxy Base URL in the GeoServer admin site:

https://mydomain.com
Enter fullscreen mode Exit fullscreen mode

Make sure to check, Use headers for Proxy URL.

After that I reloaded the configuration Server Status > Reload, Reload the NGINX settings, sudo service nginx reload and restart the tomcat server sudo service tomcat restart.

If you are still facing some issue in web-interface of geoserver, this might be due to Cross-Site Request Forgery (CORS) problem. This can be solved by adding the following code in web.xml (For me, it is located inside /usr/share/tomcat/webapps/geoserver/WEB-INF/web.xml directory,

<context-param>
  <param-name>GEOSERVER_CSRF_WHITELIST</param-name>
  <param-value>example.org</param-value>
</context-param>
Enter fullscreen mode Exit fullscreen mode

You also need to enable the proxy base url as below in web.xml file,

    <context-param>
      <param-name>PROXY_BASE_URL</param-name>
      <param-value>https://example.com/geoserver</paramvalue>
    </context-param>
Enter fullscreen mode Exit fullscreen mode

Also, you might need to add the CORS header setting. There are two possible way to do that.

1. Update the geoserver web.xml file. (You just need to uncomment the following code from web.xml file),

<filter>
      <filter-name>cross-origin</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
      <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>*</param-value>
      </init-param>
 </filter>
Enter fullscreen mode Exit fullscreen mode 
 <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/*</url-pattern>
 </filter-mapping>
Enter fullscreen mode Exit fullscreen mode

2. Update the web.xml file of tomcat ($CATALINA_HOME/conf/web.xml). You need to add following line of code to your web.xml file,

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Enter fullscreen mode Exit fullscreen mode

Great!!! Now you successfully setup HTTPS in geoserver. This work can be done by updating the tomcat settings without using the NGINX proxy. If you are interested to install the SSL certificate for tomcat, checkout this geoserver documentation: Configure Tomcat for SSL. ( I never tried this method, give it a try and let me know 😄)

I tried the geoserver-rest library which has a pycurl dependency for testing the geoserver REST operation. I found that it was not working with the https geoserver URL but working fine with the python request library. So, only for the REST operation, I used the geoserver URL without proxy as http:localhost:8080/geoserver. If you found, why it is not working on pycurl please let me know 😜.

References

  1. Digital ocean: How To Secure Nginx with Let's Encrypt on CentOS 8

  2. Understanding Nginx HTTP Proxying, Load Balancing, Buffering, and Caching

  3. Stackoverflow: GeoServer behind Nginx: web admin crashes

  4. Stackoverflow: Use Nginx with Tomcat to put GeoServer under HTTPS

  5. GeoServer documentation: CSRF Protection

Top comments (2)

Collapse
 
vincedchart profile image
vincedchart • Edited

Hello. thanks for this tutorial, I'm eager to try that. When It's installed, could I still install websites in Nginx (Wordpress, Piwigo, Opencart, and so on)?
Because that's what I want to do: I have one essential Ssl, from namecheap, basic, but I still want to use it for both wordpress and geoserver but get https and get rid of :8080 at the end of the url

Collapse
 
foussenitoure profile image
foussenitoure

Hi !
you can explain this is on movie in youtube please.
I do it not okay for my problem

Read next

sign_my_code profile image

Know Everything About Blind XSS and How to Detect and Prevent Blind XSS Attacks

SignMyCode -

aishwarya_raj_978520e6399 profile image

Python Asynchronous Programming: Simplifying Concurrency Like a Pro

Aishwarya Raj -

suin profile image

Deploying Helm Charts to Multiple Kubernetes Clusters with Cluster API's HelmChartProxy

suin -

saquibe profile image

10 Key Insights into Express.js for Building Scalable Web Applications

Mohammad Saquib -