Page tree
Skip to end of metadata
Go to start of metadata

The applications within IHTSDO follow the same broad model

User -> | Nginx | -> | Application |


Nginx acts as a proxy the application, providing TLS support where neccasery and optionally serving static files for the application. A typical site with TLS support and redirection from HTTP to the SSL would be as follows.

# Redirect HTTP traffic to HTTPS, acting as default site
server {
  listen 80 default;
  rewrite ^ https://$host$request_uri permanent;

# Serve HTTPS traffic for the given host and the default if the Host header
# doesn't match another server block
server {
  listen 443 ssl default;

  # SSL Configuration. This section aim to get an A rating at
  ssl_certificate     /etc/ssl/certs/testservice.crt;
  ssl_certificate_key /etc/ssl/certs/testservice.key;
  ssl_dhparam /etc/nginx/dhparam.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;

  add_header Strict-Transport-Security max-age=15768000;

  # Server static assets
  location / {
      rootdir /srv/http/;

  # Pass requests to anything under /app_path via the proxy to the listening application
  location /app_path {
      proxy_pass http://localhost:10010/app_path
      proxy_http_version 1.1;
      # Set header for the application to use
      proxy_set_header Connection "";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto "https";
      proxy_set_header X-Url-Scheme $scheme;
      # General tuning
      proxy_connect_timeout 150;
      proxy_send_timeout 100;
      proxy_read_timeout 100;
      proxy_buffers 4 32k;
      client_max_body_size 8m;
      client_body_buffer_size 128k;
      proxy_busy_buffers_size    64k;
      proxy_temp_file_write_size 64k;
      # Redirect http:// responses to https://
      proxy_redirect http:// https://;


For test purposes, generate a self signed certificate and configure accordingly. Your application can use headers passed to it to ascertain the nature of the incoming connection to, for example, return correct URLs to the client.

Note that where an application bundles it's own nginx configuration this will usually just be a basic configuration to allow the application to run to some degree on deployment.

server {

        listen          80 default;
        server_name testservice;
        sendfile off; # Avoid file descriptor trouble in a virtual machine environment

        location /mapping-rest {
            client_max_body_size    2048m;
            proxy_set_header        Host    $http_host;
            proxy_pass                              http://localhost:8080/test-service;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location / {
                root /srv/http/otf-mapping-service-web;


The actual configuration will usually be put in place, when required, by the projectsAnsible role.

Java application configuration

The application should run on a given port - see the service ports document for assignments, adding your application if neccasery.

Maven is configured to produce stand alone jar files which only need a configuration file to run. To run this jar outside of the package run:

/usr/bin/java -Xms256m -Xmx512m -jar app.jar -httpPort=10010 -resetExtract -extractDirectory extract


Change to the name used by your application to specific the configuration file.

The application will continue to run in the foreground and listen on for HTTP on the port given by -httpPort=

The application should be confiured to output to stdout and stderr so errors can be seen as they occur.

If you want to run the application longer term, there is a supervisor configuration for each application. Copy to that to /etc/supervisor/conf.d/appname.conf, create the user given in that file and either put the jar file in the location given in the file or edit the configuration accordingly. Run supervisorctl update to start the application.

Alternatively, if you're build is hooked in Jenkins and their is an Ansible role, you can run that against the server, or let that process set up the test servers.

You can also configure nginx to proxy directly to Tomcat. Make sure Tomcat does not listen on the same port as nginx and change the proxy_pass line in the nginx configuration accordingly.

  • No labels