Our web application has this setup:

Nginx (Static content) -> Tomcat (APIs are hosted here)

We are hosting these two servers in a public cloud, possibly on different physical servers.

We want to make our website HTTPS, so we bought an SSL certificate for our domain, which protects anything coming into Nginx.

Now my question is: how do I protect the requests from Nginx to the Tomcat API? To secure that connection, do I need to buy a separate SSL certificate? If so, there is no domain for the APIs on Tomcat, so what should I buy? I don't think I should buy one using an IP address, so what is the right approach? Thanks.

1 Answer

You have a number of options:

  1. Use HTTP for the connection between Nginx and Tomcat. This is actually very common at present (though I suspect it will become less common as HTTPS becomes the norm) and is reasonably safe if Tomcat is not publicly accessible from the Internet (though any internal employees could in theory sniff this HTTP traffic, depending on how exactly your network is set up). If Tomcat is on the same server then it is even safer still, as network traffic shouldn't leave the server and so shouldn't be sniffable - in theory at least. Though on the flip side, normally you'd want as little as possible on your publicly available server (i.e. just Nginx ideally), so best practice would not be to host Tomcat on the same server.

  2. Use a self-signed SSL cert for Tomcat rather than a "real" CA-provided cert and configure Nginx to accept it (if it doesn't already by default - often web servers don't check the SSL config for proxy connections).

  3. Buy a wildcard cert (e.g. *.example.com) so you can use it for the Tomcat server too (e.g. tomcat.example.com) without having to expose that server to the Internet. Note these are more expensive.

  4. Get a real cert for the Tomcat server by adding a DNS entry for it and verifying through that (either by opening it up to the Internet temporarily or by authenticating via DNS or similar). I wouldn't suggest this, to be honest.

Note you cannot buy a cert for an IP address. That's restricted, as you don't own an IP address; you own a domain. Also, most internal IP addresses are not real IP addresses but NATed ones that are also used in other companies on their internal networks, so definitely would want to be able to get a cert for those!
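Option 2 in concrete terms, as an added example that is not part of the original answer: an Nginx server block that proxies `/api/` to Tomcat over TLS and actually verifies Tomcat's self-signed certificate instead of trusting whatever the upstream presents. The hostname `tomcat.internal`, the port and every file path are assumptions.

```nginx
# Assumed one-off step on the Tomcat host (OpenSSL 1.1.1+), producing the
# self-signed cert that Nginx will pin; the SAN must match proxy_ssl_name below:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -subj "/CN=tomcat.internal" -addext "subjectAltName=DNS:tomcat.internal" \
#       -keyout tomcat.key -out tomcat.crt
# Copy tomcat.crt (public part only) to the Nginx host.

upstream tomcat_api {
    server tomcat.internal:8443;   # hypothetical private address of the Tomcat HTTPS connector
}

server {
    listen 443 ssl;
    server_name example.com;       # placeholder: the domain the purchased cert covers
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # the bought cert (assumed path)
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    root /var/www/static;          # static content served directly by Nginx

    location /api/ {
        proxy_pass https://tomcat_api;

        # Nginx does NOT verify upstream certificates by default
        # (proxy_ssl_verify is off), which is the gap the answer points out.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        1;
        # Trust only the pinned self-signed cert, not the system CA bundle.
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca/tomcat.crt;

        # Check the certificate name and send SNI so Tomcat presents the right cert.
        proxy_ssl_name                tomcat.internal;
        proxy_ssl_server_name         on;

        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse       on;
    }
}
```

With `proxy_ssl_verify on`, a certificate swap on the upstream side makes Nginx return 502 rather than silently forwarding API traffic, which is the behaviour you want to see in the error log during testing.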