Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication. Technically, the term „SSL“ now refers to the Transport Layer Security (TLS) protocol, which is based on the original SSL specification.

TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999 and updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It builds on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications[4]

SSL with Tomcat is not as widely supported by other software: Projects like Let’s Encrypt provide no native way of interacting with Tomcat. Furthermore, the Java keystore format requires conventional certificates to be converted before use, which complicates automation.

tested with:

hostnamectl 
  Operating System: CentOS Linux 7 (Core)
            Kernel: Linux 3.10.0-693.17.1.el7.x86_64
      Architecture: x86-64
nginx -v
nginx version: nginx/1.12.2

config firewall to allow port 80:

firewall-cmd --get-active-zones
public
 interfaces: eth0

for example, if your zone is public and you want to open port 80:

firewall-cmd --zone=public --add-port=80/tcp --permanent

reload the firewall for changes to take effect:

firewall-cmd --reload

to check scan port from client:

nmap -v -p 0-65535 -sS 192.168.0.94
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

now nginx setup:

yum install nginx acme-client libressl; # install nginx and stuff for let's encrypt

nginx -v; # check nginx version

nginx version: nginx/1.12.2

systemctl enable nginx; # enable nginx autostart

# backup config before editing
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup;
echo "" > /etc/nginx/nginx.conf; # empty config

# make docker container use default port 8080
# make docker container use fixed ip 172.18.0.3
docker run -d --name=example-app -p 8080:8080 --net=example-net --ip 172.18.0.3 -e DB_HOST=example-db -e DB_NAME=example -e DB_USER=example -e DB_PASSWORD=examplepwd tomcat/tomcat

docker start example-db example-app; # start tomcat

docker ps -a
CONTAINER ID        IMAGE                            COMMAND                  CREATED             STATUS                     PORTS               NAMES
9ac973cb4e2a        tomcat/tomcat                    "catalina.sh run"        41 minutes ago      Up 23 minutes              8080/tcp            example-app

docker exec -it 9ac973cb4e2a bash; # "login"
bash-4.3# ifconfig 
eth0 Link encap:Ethernet HWaddr 02:42:AC:12:00:03 
 inet addr:172.18.0.3 <- ip address of tomcat docker server
vim /etc/nginx/nginx.conf; # config nginx

worker_processes 1;

events { worker_connections 1024; }

http {

    sendfile on;

    upstream 172.18.0.3 {
        server 172.18.0.3:8080;
    }

    server {
        listen 80;

        location / {
            proxy_pass         http://172.18.0.3;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
    }
}

# check the logs during access - what is going on and wrong?

find /var/log/ -type f \( -name "*" \) ! -path '*.gz*' -exec tail -n0 -f "$file" {} +

==> /var/log/audit/audit.log <== type=AVC msg=audit(1517792924.946:444): avc: denied { name_connect } for pid=3935 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1517792924.946:444): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=563b0ede41a0 a2=10 a3=7ffe6d8103b0 items=0 ppid=3934 pid=3935 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null) type=PROCTITLE msg=audit(1517792924.946:444): proctitle=6E67696E783A20776F726B65722070726F63657373 ==> /var/log/nginx/error.log <== 2018/02/04 20:08:44 [crit] 3935#0: *1 connect() to 172.18.0.3:8080 failed (13: Permission denied) while connecting to upstream, client: 192.168.0.222, server: , request: "GET / HTTP/1.1", upstream: "http://172.18.0.3:8080/", host: "192.168.0.94" ==> /var/log/nginx/access.log <==
192.168.0.222 - - [04/Feb/2018:20:08:44 -0500] "GET / HTTP/1.1" 502 173 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"

grep httpd /var/log/audit/audit.log | audit2why
# gives explanation how to allow

setsebool -P httpd_can_network_connect 1



admin