Skip to main content
Skip table of contents

Recommendation for SSL integration

This page offers example configuration for SSL termination of XNAT.  Please note these examples do not necessarily represent recommended configuration for a production environment.  Indeed, copy/pasting verbatim may break things.

Apache SSL Termination

Example Apache v2.2+ vhost config.  This blurb assumes the Tomcat instance is configured with its AJP connector at port 8009 locally, and HTTP connector at 8080.  Note that you can put Tomcat + JVM + XNAT on a separate machine (assumed within a secure LAN), and update the ProxyPass parameters accordingly.

<VirtualHost *:443>

  ## Logging
  ErrorLog "/var/log/httpd/customname.xnat.org_ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/customname.xnat.org_ssl_access_ssl.log" combined 

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost Off
  ProxyPass / ajp://localhost:8009/
  ProxyPassReverse / http://localhost:8080/

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/tls/certs/"
  SSLCertificateKeyFile   "/etc/pki/tls/private/"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLCACertificateFile    "/etc/pki/tls/certs/customname.xnat.org_chain.crt"


Nginx SSL Termination

Example Nginx v2.2+ vhost config.  This blurb assumes the Tomcat instance is configured with an HTTP connector at 8080.  As above, the Tomcat + JVM + XNAT stack could live on another machine.  Note that Nginx expects chained certification files, e.g. your certificate, chain file, and CA file concatenated into a single file.

# Redirect http requests to https
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  return 301 https://$server_name$request_uri;

server {


    ssl    on;
    ssl_certificate    /etc/pki/tls/certs/customname.xnat.org_crt+chain.crt;
    ssl_certificate_key    /etc/pki/tls/private/;

    location / {
        root /var/lib/tomcat/webapps/ROOT;

        proxy_pass                          http://localhost:8080;
        proxy_redirect                      http://localhost:8080 $scheme://customname;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_connect_timeout               150;
        proxy_send_timeout                  100;
        proxy_read_timeout                  100;
        proxy_buffers                       4 32k;
        client_max_body_size                0;
        client_body_buffer_size             128k;

    access_log /var/log/nginx/customname.access_ssl.log;
    error_log /var/log/nginx/customname.error_ssl.log;

Nginx SSL termination may also require that you set up RemoteIPValve in the Host stanza of your Tomcat's server.xml:

      <Host name="localhost" appBase="empty" unpackWARs="true" autoDeploy="false">
        <!-- Mark HTTP as HTTPS forward from SSL termination at nginx proxy -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.