Encryption with Tomcat & Nginx reverse proxy
I'm working with Tomcat and nginx as a reverse proxy and I'm trying to have a better understanding of how the traffic flows and of what the security issues are. Picture this as what I have in mind:
Tomcat and a webapp are installed on server X, with ports 8080 (insecure) and 8443 (secure) open.
On another server which we'll call server Y, we have a nginx host whose role is only that of a reverse proxy to Tomcat (server X).
On server Y, we have TLS enabled in nginx and all traffic going to https://domain.com is proxied to Tomcat on port 8443 on server X, which is then passed to the webapp which
With this setup, my understanding is that without any additional things set up, traffic from the client (browser) to server Y where nginx is installed is encrypted via TLS. However, Tomcat wasn't "secured" in the sense that we didn't set up a trust store on it with a keypair. This is where my understanding stops and I'm just really confused about what this implies.
Here's the traffic flow that I have in mind:
- Client (browser) -> https://domain.com (server X)
- https://domain.com (server Y) -> tomcat (server X, port 8443)
- tomcat -> webapp
- webapp -> tomcat
- tomcat -> https://domain.com (server Y)
- https://domain.com -> client (browser)
Is this high level flow even valid or am I misunderstanding something crucial? If it's not valid, could you please explain where it's wrong?
Also, is there any reason one would set up a trust store on Tomcat in such a setup? From what I understand, setting up a trust store on Tomcat here could only help to prevent unsecured direct access to the webapp that Tomcat "handles", but I don't see any other use than that.
Hope my scenario is clear, thanks a lot in advance!
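For reference, the nginx side of the Y -> X hop described in the question, written out as an added example (this is not configuration from the original post; the 10.0.0.10 address, the file paths and the tomcat.internal name are assumptions). It shows the two ways the proxy can reach Tomcat and the check a practitioner would want: with `proxy_pass https://...` alone, nginx does encrypt the hop but does not verify the certificate Tomcat presents (`proxy_ssl_verify` defaults to off), so the key pair configured on the Tomcat 8443 connector only becomes meaningful to nginx once verification is switched on and pointed at a CA you trust.

```nginx
# nginx on server Y: TLS termination for the browser, TLS again towards Tomcat on X.
# Added example; all addresses, hostnames and paths below are assumptions.
server {
    listen 443 ssl;
    server_name domain.com;

    # Browser-facing certificate (terminates the client's TLS session here on Y)
    ssl_certificate     /etc/nginx/tls/domain.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/domain.com.key;   # assumed path

    location / {
        # Weak variant: plaintext across the network between Y and X on 8080.
        # Anyone on that path can read and alter the traffic.
        # proxy_pass http://10.0.0.10:8080;

        # Also weak: TLS to 8443, but nginx does NOT verify Tomcat's certificate
        # (proxy_ssl_verify is off by default), so any host that answers on
        # 10.0.0.10:8443 with any certificate is accepted.
        # proxy_pass https://10.0.0.10:8443;

        # Hardened variant: TLS to 8443 and verify that the certificate Tomcat
        # presents chains to a CA we control and names the expected host.
        proxy_pass https://10.0.0.10:8443;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # assumed path
        proxy_ssl_name                tomcat.internal;  # assumed CN/SAN in Tomcat's cert
        proxy_ssl_server_name         on;               # send SNI so Tomcat picks that cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Tell the webapp what the browser actually used, since Tomcat only
        # sees the connection from Y.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $remote_addr;
    }
}
```

On the Tomcat side, the 8443 connector needs its own key pair (the `certificateKeystoreFile` of the connector's `<Certificate>` element in server.xml); that is a keystore, not a trust store. A trust store on Tomcat comes into play only if Tomcat is meant to verify certificates presented to it, for example if nginx is given a client certificate with `proxy_ssl_certificate` so that Tomcat can reject connections that do not come from Y.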