How to configure WildFly/Undertow for EJBCA with reverse proxy? (manual install)

[takakv]

Hello, I was trying to build and install EJBCA CE 9 using the documentation on EJBCA installation.
Everything went well, however, the documented set up does not work well with a reverse proxy, where the proxy terminates the TLS connection and serves the server certificate issued by a public CA.

I then tried adapting the undertow configuration following what I gathered from standalone.xml in the Docker container:

• I did the step Remove Existing TLS and HTTP Configuration
• I did the step Redirect to Application for Unknown URLs to avoid messy reverse proxy rewrites later
• Instead of following the 2/3-port separation instructions, I set up the following interface and bindings:

/opt/wildfly/bin/jboss-cli.sh --connect '/interface=proxy-http:add(inet-address="127.0.0.1")'
/opt/wildfly/bin/jboss-cli.sh --connect \
    '/socket-binding-group=standard-sockets/socket-binding=proxy-http:add(port="8081", interface="proxy-http")'
/opt/wildfly/bin/jboss-cli.sh --connect \
    '/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port="8082", interface="proxy-http")'

• Then I added the HTTP listeners

/opt/wildfly/bin/jboss-cli.sh --connect \
    '/subsystem=undertow/server=default-server/http-listener=proxy-https-listener:add(socket-binding="proxy-https", \
    secure="true", max-post-size="33554432", allow-encoded-slash="true", certificate-forwarding="true", \
    proxy-address-forwarding="true")'
/opt/wildfly/bin/jboss-cli.sh --connect \
    '/subsystem=undertow/server=default-server/http-listener=proxy-http-listener:add(socket-binding="proxy-http", \
    max-post-size="33554432", allow-encoded-slash="true", redirect-socket="proxy-https", proxy-address-forwarding="true")'

While this approach works, it also feels quite "hacky". I was thus wondering if you could please provide some insight into any intended reverse proxy set-up with manually installed EJBCA?

If this approach is solid, then perhaps it would be a nice addition to the documentation? The repository with Ansible scripts unfortunately only uses AJP which, to my understanding, is not usable with nginx. I'll also move the post under the Show and Tell category in that case.

I am also a bit puzzled about what the web.enableproxiedauth=true in web.properties is supposed to do, as I observed no differences in standalone.xml with and without it.

Thank you in advance for any insights.

---

Reverse proxy configuration:

server {
    listen 443 ssl;
    server_name pki.local;
    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_certificate     /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;

    ssl_verify_client optional_no_ca;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;

        proxy_pass http://127.0.0.1:8082$request_uri;
    }
}