Reverse Proxy Tomcat for easy HTTPS

How to use DSM 6 reverse proxy for easy HTTPS access to Tomcat

After having written abundantly about the problems I faced when updating my DiskStation to DSM 6, I am now happy to write about the new features of Synology’s latest OS version, in particular the Let’s Encrypt integration and the ability to configure a reverse proxy right from the GUI.
If you are interested in how to combine these features to easily set up HTTPS access to your Tomcat 7 (and potentially other application servers) on your DiskStation, this is for you.

Haven’t we done that?

If you were following this blog, you might have noticed that I already described both how to get a Let’s Encrypt certificate for your DiskStation and how to use the same certificate to serve your Tomcat apps through HTTPS. If you are not familiar with HTTPS and Let’s Encrypt, I invite you to read these older posts first.
The approach described in my two older posts worked just fine and allowed me to encrypt all traffic coming to my DiskStation with a trusted certificate months before Synology integrated Let’s Encrypt support directly into DSM. However the described method had a few shortcomings:

  • Let’s Encrypt client did not run on the DiskStation itself
  • manual process to generate and import certificates
  • separate manual process to create keystore for Tomcat
  • repeat both manual processes every 90 days for renewal

For these reasons my old way of doing this could not be a long term solution.
Thankfully DSM 6 integrated Let’s Encrypt support, which allows fully automated certificate creation and renewal on their DSM 6 compatible products. However, this only takes care of Synology’s own web applications and the things you serve from your DiskStation through Synology’s Web Station. In my old setup I allowed direct access to Tomcat by forwarding its HTTPS port and thus had to configure HTTPS support in Tomcat separately.
This means although DSM 6 automatically creates and renews certificates, I would still be required to do the manual steps I described in my old post to use the certificate for Tomcat, too. To avoid this I needed to somehow make Tomcat accessible through the internet using HTTPS without requiring Tomcat itself to handle HTTPS connections directly. This is where the new reverse proxy feature comes into play!

What is a reverse proxy?

Wikipedia offers the following definition:

“[…] a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the proxy server itself.” [1]

So this means you can have a reverse proxy to handle all client requests, do the HTTPS encryption and decryption and thus become your internet facing entry point to another server that actually contains the resources your clients are requesting. The server itself does not need to be accessible through the internet anymore and does not need to take care of HTTPS.
In my scenario Synology’s Web Station (which is basically a pre-configured NGINX web server) would be the HTTPS enabled reverse proxy and Tomcat would be the server. This way we do not need to allow direct internet access to Tomcat and do not need to teach Tomcat how to use our certificate for HTTPS. Instead we have only Web Station taking care of handling HTTPS traffic. Sounds good, right? So let’s see how to get this done!

Get HTTPS: The easy way

First of all we need a Let’s Encrypt certificate, of course. You can do this in DSM 6 by going to Control Panel -> Security and clicking on the tab Certificate. I won’t describe the process, since it is really nothing more than clicking through a wizard and providing a few details. A fellow blogger already described in detail how to use this new feature. Check out his post here!
There is only one thing to note: During certificate creation be sure to provide an alternative name, that is the domain you want to use for accessing your Tomcat apps. So if you have a domain like you.myds.me, you could use something like tomcat.you.myds.me as an alternative name.
Once you are done, you can access all web sites and applications on your Synology through HTTPS! So https://you.myds.me would serve whatever you have as index inside your web folder, https://you.myds.me/photo would grant you HTTPS access to your Photo Station and so on.

Now on to setting up the reverse proxy feature for your new tomcat.you.myds.me domain.
Once logged in to DSM go to Control Panel -> Application Portal and click on the tab Reverse Proxy. There you can set up the reverse proxy feature to forward HTTPS requests hitting https://tomcat.you.myds.me to your local, plain-HTTP Tomcat address (localhost:7070 by default).
The configuration should look like in the following screenshot:

reverse proxy setup for Tomcat

Hit ok to apply these new settings, but don’t call https://tomcat.you.myds.me just yet! For Tomcat and its deployed applications to work correctly, there is one more action to take.

Our last step is to reconfigure Tomcat’s default HTTP connector to let it know the proxy port and the scheme, because Tomcat needs to be explicitly told that it is being proxied through port 443 (SSL)! [2] Without these attributes, any absolute URL Tomcat builds itself (for example in redirects) would point at the internal HTTP port instead of the public HTTPS address.
Tomcat’s connectors are configured inside the server.xml file, which in my case is located in /volume1/@appstore/Tomcat7/src/conf.
So connect to your DiskStation through SSH, find the server.xml file, locate the currently active port 7070 connector (ignore any connectors that are commented out) and add the attributes proxyPort and scheme, shown as the last two attributes in the following example:

<Connector port="7070" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           URIEncoding="UTF-8"
           proxyPort="443"
           scheme="https" />

Save your changes to the server.xml file, restart Tomcat (you can use DSM Package Center for that) and voila!
You can now access Tomcat through HTTPS by calling https://tomcat.you.myds.me! If you have an app deployed to Tomcat, let’s say Jenkins, you can access it through HTTPS by calling https://tomcat.you.myds.me/jenkins, accordingly.
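As an added check that is not part of the original post, the following script parses a server.xml (a constructed sample is embedded) and reports whether the active port 7070 connector carries the proxyPort and scheme attributes described above; pass a real file path instead of the sample to check your own DiskStation.

```python
# Added example (not from the original post): verify that the active
# HTTP connector on port 7070 in a Tomcat server.xml carries the two
# attributes the post adds, proxyPort="443" and scheme="https".
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the first connector is commented out
# (inactive), the second is the active one and still lacks the attributes.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="7070" protocol="HTTP/1.1"
                    proxyPort="443" scheme="https" /> -->
    <Connector port="7070" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               URIEncoding="UTF-8" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Attribute values Tomcat needs when it is reached only through the
# DSM reverse proxy terminating HTTPS on port 443.
REQUIRED = {"proxyPort": "443", "scheme": "https"}


def find_connector(server_xml, port="7070"):
    """Return the active <Connector> on `port`; commented-out connectors
    are skipped because the XML parser does not expose comment contents."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return conn
    return None


def check_proxy_attributes(server_xml, port="7070"):
    """List problems with the proxy attributes; an empty list means OK."""
    conn = find_connector(server_xml, port)
    if conn is None:
        return ["no active connector on port %s" % port]
    return ['%s=%r, expected "%s"' % (attr, conn.get(attr), want)
            for attr, want in REQUIRED.items() if conn.get(attr) != want]


if __name__ == "__main__":
    for problem in check_proxy_attributes(SAMPLE_SERVER_XML) or ["OK"]:
        print(problem)
```

To check a real file, read it and pass its contents to check_proxy_attributes(); on the DiskStation setup described here the path is /volume1/@appstore/Tomcat7/src/conf/server.xml.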

Reaping the rewards

Congratulations! You can now access all your DiskStation’s websites and applications – even the ones served with Tomcat – through HTTPS using a valid Let’s Encrypt certificate. And the best thing about it: this was a one time setup!
The certificate will be renewed by DSM 6 automatically. You will not need to recreate the certificate yourself nor will you need to change anything in Tomcat.
This is exactly the lazy-friendly, long term approach I was looking for!


  [1] From Wikipedia, on the 26th of May 2016
  [2] From the blog Weird rocketry

15 thoughts on “Reverse Proxy Tomcat for easy HTTPS”

  1. Hello!

    Thank you for the guide. I am trying to apply this solution to an Apache Server using:
    https://wiki.apache.org/httpd/TomcatReverseProxy, which is pretty straight forward.

    But I cannot get Let’s Encrypt and Tomcat to play together.
    I am constantly being presented with the following error in Chrome: “This site can’t provide a secure connection”
    Same error is produced, if I try one of your previous solutions with a keystore:
    https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/34

    Have you stumbled upon this issue and might happen to know what the issue could be?

    1. Hey GnaXi!

      Just to be sure: Is your Apache Server already setup for HTTPS with a valid certificate? You can test by trying to access any resource inside Apache’s DocumentRoot through HTTPS. Make sure this is working before continuing.

      The idea is that Tomcat does not have to play with Let’s Encrypt at all. Once Apache is setup for HTTPS, using it as a reverse proxy for Tomcat frees you from configuring HTTPS in Tomcat. You would not need to create a keystore for Tomcat anymore.

  2. Hey,

    Do I need a domain in order to do this?

    if so can you point me in a direction of getting and setting up a domain?

    Do I have to change settings in my router in order to do so?

    Thanks in advance,

    Jacob Bibby

    1. Hey Jacob,

      yes you’ll need a domain, because the described solution makes use of a subdomain to reverse proxy traffic hitting that subdomain to the Tomcat server.
      Not having a domain would mean only using an IP and I am not aware of a feasible way of doing something like I described in this post by just using an IP.

      If you are ok with a dynamic DNS service (I know I am), you can get a free dyndns domain from Synology.
      They have an easy to follow article about it: https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_ddns
      If you are not using a DiskStation, just google for “free dyndns” and you should find something to help you out.

      Once you have a domain you do not need to change things on your router for the domain specifically. However you will need to setup port-forwarding rules (at least port 443) on your router in order to be able to connect from internet to whatever machine your server is running on.
      If your router supports UPnP and you use a DiskStation, you can just define the rules on the DiskStation and let the DiskStation setup your router accordingly as described here:
      https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_routerconf

      Hope this helps!

  3. Hi there,

    I have a DS213 which uses a Marvell Kirkwood 88F6282 ARM CPU. Synology doesn’t provide the tomcat7 package for this type (I don’t know why), could you maybe point me in the right direction where I could find a similar comprehensive tutorial to install tomcat on this system? Ultimate goal for me would be to install GitBlit like you described in another post.

    thx

    1. Hey Philip,

      this could be a tricky one, because you will need a JRE to run Tomcat and Synology does not provide their Java installer for your DiskStation.

      So first get the right Java Embedded package: http://www.oracle.com/technetwork/java/embedded/embedded-se/downloads/index.html
      Next follow the instructions on https://pcloadletter.co.uk/2011/08/23/java-package-for-synology to get this Java installer to your DiskStation and use it as described in the pc load letter blog post to install the Java package you downloaded in the first step.
      Last step would be to install Tomcat. If I were you I would go for Tomcat 8 instead of 7, because it supports newer apps like Jenkins 2. You can find a description here: https://thorpora.fr/installation-de-tomcat-8-sur-synology/
      It is in French but Google Translate does a good job with that.

      Hope this helps and I would love to hear back from you to know how it worked out!

  4. Hello,

    Me again. Having issues with getting tomcat to work with reverse proxy. Can’t even access tomcat using my local IP and port 7070. I do have the package and all that installed. Really want to get this working and fixed. I do have a Synology url and it is working. I have port 443 open as well as 80, 7070. Do I need to open any other ports? Is there any other things I need to do? I have already changed the settings in tomcat and restarted the Nas a few times. I am using the latest version of DSM and tomcat 7.

    Any help would be appreciated

    Best regards,

    Jacob Bibby

    1. Hey Jacob, welcome back =)

      I believe the first thing that must be sorted out is getting access to Tomcat with your local IP and port 7070. In fact if you want to follow along my reverse proxy guide, you won’t even need to open port 7070 to the internet and I suggest you don’t.

      Can I assume that you have both Java and Tomcat 7 installed with the help of the Synology packages from their package center?
      Is Tomcat displayed as up and running in package center?

      When I first started using Tomcat on my DS214play I followed this guide: http://ludovic-fernandez.com/homelabs/continuous-integration-part1/
      The important part here is to define an admin user, so we can actually access Tomcat’s management interface.
      If you have done that, calling http://your-local-ip:7070 would show a “not found” page, while http://your-local-ip:7070/manager should present you with a basic auth form. Providing the username and password should then show the Tomcat manager-gui.

      Have you tested calling http://your-local-ip:7070/manager?

      1. Do I need to install Java 8? I have Java 7.

        Have tried to log in to the manager GUI using the link you have provided with the setup.

        Put in the username and password it just does the login screen again and says your connection is not private. Have tried it a couple times still have issues logging in locally.

        1. You don’t have to install Java 8 to run Tomcat 7. In fact I still run Java 7 on the DS.
          I am confused about the statement “connection is not private”. You do use http rather than https when calling the local IP, right?

          1. The login says connection is private and then I try and login with my username and password and it just repeats that screen 🙁

          2. Well that is weird :-/
            I’m currently on the go but will be home alone tomorrow and can offer more help then. I guess we can crosscheck your config files and log output (I don’t know the full path to the Tomcat log from the top of my head)

          3. Thanks! I appreciate it!

            Will be at work tomorrow so I won’t get back to you till later on.

          4. Have you checked Tomcat’s logs when trying to reach Tomcat (for example the manager) on your NAS’s local IP?
            On my DS214play I can find the logs in “/volume1/@appstore/Tomcat7/src/logs/”.
            There are logs for manager, access logs etc. Maybe tailing one of those logs while accessing manager and performing the login can give you a clue about what is going wrong.

            About the actual reverse proxy issue: Maybe you can provide your public domain and a screenshot of your reverse proxy setup?
            You are positive that you did correctly modify Tomcat’s server.xml for the connector on port 7070 to know about the proxyPort and the scheme to expect, right?
