Configure Reverse Proxy and Audit Logging

With Apache Tomcat and an NGINX reverse proxy configured correctly, SuperWEB2 generates full external links (scheme and host) for the user registration process without any separate configuration or hard-coding.

Additionally, you can configure Tomcat so that audit logs record end-user IP addresses rather than the IP address of the gateway or reverse proxy.

Prerequisites

To configure a reverse proxy for SuperWEB2 you will need:

  • NGINX installed on an internet-facing machine that has a public IP address.
    This can be your SuperWEB2 machine, but we recommend using an independent VM. Your DNS server should point to this machine.
  • SSL certificate and key files.

Configure Reverse Proxy

Configure NGINX

  1. In a text editor, open <nginx_home>\conf\nginx.conf.
  2. Add or edit the following lines of text in the http {} block.

    Example
    http { 
    
        server {
            server_name public.server.name.com; 
    
            listen 443 ssl http2;   
            
            ssl_certificate /etc/ssl_certs/public.server.name.com/fullchain.pem; 
            ssl_certificate_key /etc/ssl_certs/public.server.name.com/privkey.pem;
    
            proxy_http_version 1.1; 
            proxy_read_timeout 20m; 
    
            location / { 
                proxy_pass http://internal.superweb2.address:8080;
                proxy_set_header   Host             $http_host; 
                proxy_set_header   X-Real-IP        $remote_addr; 
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for; 
            } 
        } 
    } 

    Update server and file entries with details of your configuration.

    Entry                 Description
    server_name           Host name of your NGINX server.
    ssl_certificate       Path to the locations of your key and certificate files.
    ssl_certificate_key
    proxy_pass            Path to your SuperWEB2 instance.
                          This could be http://localhost:8080/webapi if hosted on the same machine, or http://10.1.1.123:8080/webapi if hosted elsewhere.
                          http://<host>:<port>

  3. Save your changes and restart NGINX.

Configure Tomcat

  1. In a text editor, open <tomcat_home>\conf\server.xml.
  2. Add the following lines of text.

    <Connector port="8080" connectionTimeout="20000" redirectPort="8443" 
                       maxThreads="48" minSpareThreads="10" 
                       enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" 
                       protocol="org.apache.coyote.http11.Http11NioProtocol" 
                       scheme="https" secure="true" proxyName="public.server.name.com" proxyPort="443"/> 


  3. At proxyName, enter the domain name of the URL that SuperWEB2 will be accessed from.
  4. Save your changes and restart the Tomcat service.

Configure Audit Logging

Complete this step if you are configuring audit logging. It configures Tomcat to use the built-in Remote IP Valve, which replaces the remote host, address and scheme values of each request with the values passed in the headers set by the reverse proxy.

This step ensures that your audit logs will record the end user's IP address. Without this configuration, your audit logs will record the IP address of the reverse proxy instead. 


  1. In a text editor, open <tomcat_home>\conf\server.xml.
  2. Locate the block beginning with <Engine name="Catalina" defaultHost="localhost">.

  3. Add the following lines of text to this block.

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
            internalProxies="127\.0\.[0-1]\.1"
            remoteIpHeader="x-forwarded-for"
            requestAttributesEnabled="true"
            protocolHeader="x-forwarded-proto"
            protocolHeaderHttpsValue="https"/>
  4. Save your changes and restart the Tomcat service.
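
How the internalProxies value decides what the audit log records, as an added example (not SuperWEB2 or Tomcat code): a simplified Python model of the Remote IP Valve's address selection, run with the value from step 3. The function names and every sample address, including a proxy VM at 10.1.1.50, are assumptions.

```python
import re

# internalProxies value from the Valve element on this page.
PAGE_INTERNAL_PROXIES = r"127\.0\.[0-1]\.1"


def resolve_remote_addr(peer_addr, x_forwarded_for,
                        internal_proxies=PAGE_INTERNAL_PROXIES):
    """Return the address the valve would report for a request (simplified model).

    peer_addr        -- address of the TCP peer that Tomcat sees
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    internal_proxies -- regular expression that must match a whole address
    """
    trusted = re.compile(internal_proxies)
    # The header is honoured only when the connection comes from a trusted proxy.
    if not x_forwarded_for or not trusted.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies,
    # so the first entry that is not a trusted proxy is taken as the client.
    remote = peer_addr
    for hop in reversed(hops):
        remote = hop
        if not trusted.fullmatch(hop):
            break
    return remote


def demo():
    """Run four constructed cases; every address here is a sample value."""
    cases = [
        ("NGINX on the Tomcat host",
         "127.0.0.1", "203.0.113.7", PAGE_INTERNAL_PROXIES),
        ("header already set by the client, NGINX appends the real peer",
         "127.0.0.1", "198.51.100.9, 203.0.113.7", PAGE_INTERNAL_PROXIES),
        ("NGINX on a separate VM (assumed 10.1.1.50), value from this page",
         "10.1.1.50", "203.0.113.7", PAGE_INTERNAL_PROXIES),
        ("NGINX on a separate VM, internalProxies matching that VM",
         "10.1.1.50", "203.0.113.7", r"10\.1\.1\.50"),
    ]
    return [(label, resolve_remote_addr(peer, xff, rx))
            for label, peer, xff, rx in cases]


if __name__ == "__main__":
    for label, addr in demo():
        print(f"{addr:>12}  <- {label}")
```

If NGINX runs on its own VM, as recommended in the prerequisites, internalProxies has to match that VM's address or the audit log keeps showing the proxy. Keep the expression limited to your own proxy addresses, since X-Forwarded-For is trusted from every address it matches.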