Nginx as reverse proxy?

  • tsalmi


    I am having some issues configuring nginx as a reverse SSL proxy for Guacamole. I assume some of you have been able to set this up successfully? Am I missing something?

    Here is the config so far:

    Tomcat (under connector)


    Nginx (location stuff)

    # Location block as posted by the asker (the closing brace is not shown on the page).
    # It maps the site root onto the Guacamole webapp running in Tomcat on the same host.
    location / {
    # The trailing URI on proxy_pass replaces the matched prefix: a request for / is
    # forwarded as /guacamole/ over plain HTTP to Tomcat; TLS ends at nginx.
    # NOTE(review): the Tomcat connector is not shown; if it listens on all interfaces,
    # port 8080 stays reachable without TLS. Confirm it is bound to localhost.
    proxy_pass http://localhost:8080/guacamole/;
    # Conditions under which nginx retries the request on another upstream server.
    # Only one upstream is visible here, so this presumably has no effect. Verify.
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    # Location/Refresh headers from Tomcat are passed to the client unmodified, so a
    # redirect issued by Tomcat under /guacamole/ is not mapped back to /.
    proxy_redirect off;
    # Responses are streamed to the client instead of being buffered by nginx.
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the
    # client sent; the backend should trust only the entry added by this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Hard-coded value: only correct if this location is served exclusively by a TLS
    # listener (the enclosing server block is not shown).
    proxy_set_header X-Forwarded-Proto https;
    # nginx does not hide Set-Cookie or P3P by default, so these two lines are
    # presumably redundant.
    proxy_pass_header Set-Cookie;
    proxy_pass_header P3P;
    # NOTE(review): no Upgrade/Connection headers are set, so a WebSocket handshake
    # cannot pass through this location. Cookies that Tomcat scopes to /guacamole/ are
    # also not rewritten for the external path /, which may be related to the problem
    # described. Confirm against the Set-Cookie headers actually returned.

  • I've got this NGINX setup in my sites-enabled for usage with Tomcat7 and Guacamole 0.9.4:

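    # SERVER LISTENING ON PORT 80: plain-HTTP listener whose only job is to redirect to HTTPS
    server {
        listen 80;
        location / {
                # Send every request to the HTTPS listener with the original path and
                # query string. The host name is written out (placeholder: replace
                # your-external-servername with the real name) instead of being taken
                # from the client-supplied Host header, so the redirect target cannot
                # be influenced by the request.
                return 301 https://your-external-servername$request_uri;
        }
    }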
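    # ANOTHER SERVER LISTENING ON PORT 443 (SSL) to secure the Guacamole traffic and proxy the requests to Tomcat7
    server {
        # The "ssl" parameter on listen enables TLS for this listener. The separate
        # `ssl on;` directive is obsolete and no longer accepted by current nginx
        # releases, so it is not used here.
        listen 443 ssl;
    # This part is for SSL config only
        ssl_certificate      /etc/nginx/ssl/your-external-servername.pem;
        # Private key: keep it readable only by root / the nginx master process.
        ssl_certificate_key  /etc/nginx/ssl/your-external-servername.key;
        ssl_session_cache shared:SSL:10m;
        ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
        # TLSv1.3 can be added where the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        # OCSP stapling: nginx needs a `resolver` to look up the OCSP responder, and
        # ssl_stapling_verify needs the issuer chain to be trusted (for example via
        # ssl_trusted_certificate). Neither is configured in this snippet, so
        # stapling may silently not happen. Check the error log.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_prefer_server_ciphers on;
        # DH parameters for the EDH suites listed above.
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Found below settings to be performing best but it will work with your own
        tcp_nodelay    on;
        tcp_nopush     off;
        sendfile       on;
        client_body_buffer_size 10K;
        client_header_buffer_size 1k;
        client_max_body_size 8m;
        # Very small header buffers: requests with long cookies or URLs are rejected.
        large_client_header_buffers 2 1k;
        client_body_timeout 12;
        client_header_timeout 12;
        keepalive_timeout 15;
        send_timeout 10;
    # HINT: You might want to enable access_log during the testing!
        # With access_log off, nginx keeps no record of who connected to this remote
        # access gateway. Consider leaving it on permanently if the log is needed for
        # auditing or incident response.
        access_log off;
    # Don't turn ON proxy_buffering!; this will impact the line quality
        proxy_buffering off;
        proxy_redirect  off;
    # The next 3 lines enable websockets; check /var/log/tomcat7/catalina.out while testing; guacamole will show you a fallback message if websockets fail to work.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    # Just something that was advised by someone from the dev team; worked fine without it too.
        # Rewrites the Path attribute of Set-Cookie headers from /guacamole/ to /.
        proxy_cookie_path /guacamole/ /;
        location / {
                # I am running the Tomcat7 and Guacamole on the local server
                # Traffic between nginx and Tomcat is plain HTTP on the loopback
                # interface. No URI is given here, so the request path is forwarded
                # unchanged.
                proxy_pass http://localhost:8080;
        }
    }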
    Last edit: Eric Oud Ammerveld 2015-01-15