Recommendation for SSL integration

This page offers example configurations for SSL termination in front of XNAT. Please note that these examples do not necessarily represent a recommended configuration for a production environment; indeed, copying them verbatim may break things.

Apache SSL Termination

Example Apache v2.2+ vhost config. This example assumes the Tomcat instance has its AJP connector on port 8009 and its HTTP connector on port 8080, both bound locally. Tomcat + JVM + XNAT may also run on a separate machine (assumed to sit within a secure LAN); update the ProxyPass targets accordingly.

<VirtualHost *:443>
  ServerName customname.xnat.org

  ## Logging
  ErrorLog "/var/log/httpd/customname.xnat.org_ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/customname.xnat.org_ssl_access_ssl.log" combined

  ## Proxy rules
  ## Forward proxying stays off: this host only reverse-proxies to Tomcat
  ProxyRequests Off
  ProxyPreserveHost Off
  ## Requests go to Tomcat over AJP; Location headers that Tomcat builds
  ## from its HTTP connector address are rewritten back to this vhost
  ProxyPass / ajp://localhost:8009/
  ProxyPassReverse / http://localhost:8080/

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/tls/certs/customname.xnat.org.crt"
  SSLCertificateKeyFile   "/etc/pki/tls/private/customname.xnat.org.key"
  ## Intermediate/CA certificates used to complete the served chain
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLCACertificateFile    "/etc/pki/tls/certs/customname.xnat.org_chain.crt"
</VirtualHost>

Nginx SSL Termination

Example Nginx vhost config. This example assumes the Tomcat instance is configured with an HTTP connector on port 8080. As above, the Tomcat + JVM + XNAT stack could live on another machine. Note that Nginx expects a chained certificate file, i.e. your server certificate, intermediate chain and CA certificate concatenated into a single file, server certificate first.

# Redirect plain-HTTP requests to HTTPS
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name customname.xnat.org;
  return 301 https://$server_name$request_uri;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;

    server_name customname.xnat.org;

    # Server certificate with the chain appended, and its private key
    ssl_certificate    /etc/pki/tls/certs/customname.xnat.org_crt+chain.crt;
    ssl_certificate_key    /etc/pki/tls/private/customname.xnat.org.key;

    location / {
        root /var/lib/tomcat/webapps/ROOT;

        # Forward everything to Tomcat's HTTP connector
        proxy_pass                          http://localhost:8080;
        # Rewrite Location headers Tomcat builds from its own address
        proxy_redirect                      http://localhost:8080 $scheme://$host;
        # Headers consumed by Tomcat's RemoteIpValve (see server.xml below)
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        # Generous timeouts and unlimited body size for large image uploads
        proxy_connect_timeout               150;
        proxy_send_timeout                  100;
        proxy_read_timeout                  100;
        proxy_buffers                       4 32k;
        client_max_body_size                0;
        client_body_buffer_size             128k;
    }

    access_log /var/log/nginx/customname.access_ssl.log;
    error_log /var/log/nginx/customname.error_ssl.log;
}

Nginx SSL termination may also require RemoteIpValve in the Host stanza of your Tomcat's server.xml, so that Tomcat recovers the original client address and the HTTPS scheme from the X-Forwarded-* headers set above rather than seeing every request as plain HTTP from the proxy:

<Host name="localhost" appBase="empty" unpackWARs="true" autoDeploy="false">
  ...
  <!-- Mark HTTP as HTTPS forward from SSL termination at nginx proxy.
       The valve only honours these headers when the request arrives from an
       address in internalProxies (loopback and private ranges by default);
       set internalProxies explicitly if nginx runs on another host. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    remoteIpProxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto"
    />
  ...
</Host>
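To see what the valve does with the headers the nginx block sets, here is an added model of RemoteIpValve's address and scheme resolution (example code, not Tomcat's or XNAT's own); it assumes the valve's default internalProxies ranges and treats `x-forwarded-for` and `x-forwarded-proto` as configured above:

```python
import ipaddress

# Constructed model of Tomcat's RemoteIpValve, not the valve's own code.
# Default internalProxies: RFC 1918 ranges, loopback and link-local.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "172.16.0.0/12", "::1/128")]


def is_internal(addr):
    """True if addr falls inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve(peer_addr, headers, scheme="http", port=80):
    """Return (remote_addr, scheme, port) as the XNAT webapp would see them.

    peer_addr: TCP peer Tomcat accepted the connection from (the nginx host).
    headers:   lower-cased request headers, as set by proxy_set_header above.
    """
    # The forwarded headers are only honoured when the immediate peer is a
    # trusted proxy; a direct client cannot forge its own address this way.
    if not is_internal(peer_addr):
        return peer_addr, scheme, port

    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
            if h.strip()]
    remote = peer_addr
    # Walk the chain right to left: nginx appends the real client last, so
    # any value a client smuggled in sits further left and is ignored.
    while hops:
        candidate = hops.pop()
        if is_internal(candidate):
            continue            # another internal proxy hop, drop it
        remote = candidate      # first non-internal hop is the client
        break

    # protocolHeader: "https" marks the request as secure for the webapp
    if headers.get("x-forwarded-proto", "").lower() == "https":
        scheme, port = "https", 443
    return remote, scheme, port
```

Point a request at the model with the peer address and headers nginx would send, and compare the result with what Tomcat's access log reports for the same request.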
