How to redirect 'http://my-domain.com:8080' to 'https://my-domain.com'? using nginx

I have already set the domain https://my-domain.com/ up correctly, this already works with nginx. Now I am trying to get rid of the default http://my-domain.com:8080 URL by trying to redirect it to https://my-domain.com/.

Is there a way to achieve this?

If you have set up nginx as a reverse proxy, this should be an easy task by modifying your proxy_pass directive. Check: https://www.linode.com/docs/web-servers/nginx/use-nginx-reverse-proxy/

Dear Jaime.bosque,
Thanks for your response. It is not clear to me what I should modify; my site can be visible with the port. And I want to redirect http://domain.com:8080 to https://domain.com. When I simply write domain.com it redirects me to https://domain.com, but when I write http://domain.com:8080 the site can be visible at http://domain.com:8080/

I have gone through the link you provided but not served.
Would you please explain more?

Best Wishes…

```nginx
server {
    listen 80;
    server_name my-domain.com www.my-domain.com;
    return 301 https://my-domain.com$request_uri;
}

# HTTPS server

server {
    listen 443 ssl;
    server_name my-domain.com www.my-domain.com;
    client_max_body_size 10M;

    ssl                  on;
    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;

    ssl_session_cache    shared:SSL:20m;
    ssl_session_timeout  10m;

    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    # Proxy pass to servlet container

    location / {
        proxy_pass                http://my-domain.com:8080/;
        proxy_redirect            off;
        proxy_set_header          Host               $host;
        proxy_set_header          X-Real-IP          $remote_addr;
        proxy_set_header          X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header          X-Forwarded-Proto  https;
        proxy_buffer_size         128k;
        proxy_buffers             8 128k;
        proxy_busy_buffers_size   256k;
        proxy_cookie_path         ~*^/(.*) "/$1; SameSite=Lax";
    }

}
```

For more clarification please… That is what I have used, but still the site can be reached at http://my-domain.com:8080/ and not redirecting it to https://my-domain.com

Hi @Bayzed.

Sorry, I missed the HTTPS thing. Actually what you need to do is two things (if I understood correctly your message):

  1. Redirect from yourdomain.com:8080 to yourdomain.com (without the 8080)
  2. Redirect your connections from a non secured connection to a secured connection, that is the HTTP -> HTTPS

You will need to forward your connections from HTTP to HTTPS, this means that when someone reaches http://yourdomain.com (by default this means using the port 80) they are redirected to https://yourdomain.com (which would be the same as typing http://yourdomain.com:443). This step can be achieved with a rewrite rule on your nginx (there are other ways, but let’s leave it there as it is the default and recommended).

For the second thing you need to have a valid SSL certificate, you can either buy one or use the free service by LetsEncrypt. For any of these you will need to have a valid domain name that is the one you will be using (here you are talking the whole time about domain.com so I assume you already have this). Then the last thing will be telling nginx to act as a reverse proxy, so it forwards the connections to the tomcat server, this is achieved via the proxy_pass.

I hope this helps. You can also check the official documentation where these steps are pretty well explained: https://docs.dhis2.org/2.34/en/dhis2_system_administration_guide/installation.html#enabling-ssl-with-nginx

Dear Jaime,
I have another problem after enabling ssl.
When I try to login to android tracker capture app, I have found following error:-

“error: java.security.cert.certpathvalidatorexception: trust anchor for certification path not found”

What should I do to fix this?

When you log in with a browser, do you see a certificate?

If yes, are you sure you are putting in the URL of the Android. https://your-domain?

Dear Jaime,
Yes, I can see the certificate in the web browser. It's working fine in the browser. And I also put the URL correctly into the Android app.
I can access with the port number, like “http://domain.com:8080/”, but if I use “https://domain.com” then it gives me this error.

Thanks for your early and nice cooperation.

Regards…

Another information may help: I am using self signed certificate. Is it ok to use self signed certificate?

Sorry, just to understand:
Accessing http://domain.com:8080 works in Android and browser?
Accessing https://domain.com works only in browser?

Does a redirection happen when you access http://domain.com:8080 towards https://domain.com?

Yes, it is ok to use self signed certificates. This shouldn’t impact in any case.

Thanks again for your reply:-

Have you also modified the server.xml according to the documentation?

https://docs.dhis2.org/2.34/en/dhis2_system_administration_guide/installation.html#enabling-ssl-with-nginx

Yeah thanks…
I have added these two lines:
Connector address="3.101.101.106" protocol="HTTP/1.1"
Connector scheme="https" proxyPort="443"
Any other thing that I miss?

Uhmmmm, I am just reviewing the whole thread. I think I missed something, sorry… can you paste your current nginx.conf??

Because I think that your redirection (proxy_pass) should point to http://localhost:8080 which is your tomcat server address. Note that is localhost and not the URL.

Please, check.

Sure…
```nginx
http {

    # NB: Enable caching use command just below, remove hash

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=dhis:250m inactive=1d;

    gzip on; # Enables compression, incl Web API content-types
    gzip_types
        "application/json;charset=utf-8" application/json
        "application/javascript;charset=utf-8" application/javascript text/javascript
        "application/xml;charset=utf-8" application/xml text/xml
        "text/css;charset=utf-8" text/css
        "text/plain;charset=utf-8" text/plain;

    # HTTP server - rewrite to force use of SSL

    server {
        listen 80;
        rewrite ^ https://domain.com$request_uri? permanent;
    }

    # HTTPS server

    server {
        listen 443 ssl;
        client_max_body_size 10M;

        ssl                  on;
        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;

        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout  10m;

        ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers                RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # Proxy pass to servlet container

        location / {
            proxy_pass                http://domain.com:8080/;
            proxy_redirect            off;
            proxy_set_header          Host               $host;
            proxy_set_header          X-Real-IP          $remote_addr;
            proxy_set_header          X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header          X-Forwarded-Proto  https;
            proxy_buffer_size         128k;
            proxy_buffers             8 128k;
            proxy_busy_buffers_size   256k;
            proxy_cookie_path         ~*^/(.*) "/$1; SameSite=Lax";
        }

    }
}
```

Do I need to use IP (3.101.101.106) in the place of local host?

No, use localhost, look at the one in the documentation.

Strictly speaking you could use the IP, but it doesn’t make sense.
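
The two server blocks from the posted file with the localhost upstream suggested above and the TLSv1/TLSv1.1 protocols and RC4 cipher removed, as an added example that is not from the thread or the DHIS2 guide. It assumes Tomcat runs on the same host with its HTTP connector listening on localhost:8080; nginx does not listen on port 8080 here, so that port stays reachable over plain HTTP for as long as Tomcat's connector listens on a public address.

```nginx
# Added example, not the poster's file. Goes inside the http { } block.
# Assumptions: Tomcat runs on the same host and its HTTP connector listens on
# localhost:8080; server.crt and server.key are the files named in the post.

# HTTP server: send every plain-HTTP request on port 80 to HTTPS.
server {
    listen 80;
    server_name my-domain.com www.my-domain.com;
    return 301 https://my-domain.com$request_uri;
}

# HTTPS server: terminates TLS and proxies to Tomcat.
server {
    listen 443 ssl;   # "ssl" here replaces the deprecated "ssl on;" directive
    server_name my-domain.com www.my-domain.com;
    client_max_body_size 10M;

    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;
    ssl_session_cache    shared:SSL:20m;
    ssl_session_timeout  10m;

    # Posted (weak):  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #                 ssl_ciphers   RC4:HIGH:!aNULL:!MD5;
    # TLSv1.3 assumes nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        # Posted: proxy_pass http://domain.com:8080/;
        # That name resolves to the public address, so Tomcat has to keep
        # listening there without TLS. The loopback upstream does not need it.
        proxy_pass                http://localhost:8080/;
        proxy_redirect            off;
        proxy_set_header          Host               $host;
        proxy_set_header          X-Real-IP          $remote_addr;
        proxy_set_header          X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header          X-Forwarded-Proto  https;
        proxy_buffer_size         128k;
        proxy_buffers             8 128k;
        proxy_busy_buffers_size   256k;
        proxy_cookie_path         ~*^/(.*) "/$1; SameSite=Lax";
    }
}
```

Run `nginx -t` to validate the file before reloading nginx.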

So you mean if I remain or write http://localhost.com:8080/ will be ok

I believe so

Thanks again…
I have changed it to localhost. But still it's showing the same error on Android.

Your suggestion please…

I found one post inside github, but I don’t understand what it is actually, here is the link: