Tomcat application (ERDDAP server) behind a proxy redirection issues

I have an ERDDAP instance running on a Tomcat server behind a NGINX reverse proxy. The environment is completely on Kubernetes, the RP is an NGINX ingress-controller that forwards the request on port 443 to the service instance on port 8080 associated to the container where Tomcat (and ERDDAP instance) runs.

I found this tutorial (https://www.n0r1sk.com/post/nginx-reverse-proxy-with-ssl-offloading-and-apache-tomcat-backends/) that shows how to configure server.xml for a Tomcat behind a reverse proxy, so the HTTP Connector for my Tomcat server is:

<Connector server="Apache" secure="true" port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
       proxyPort="443"
       relaxedPathChars='[]|'
       relaxedQueryChars='[]:|{}^&#x5c;&#x60;&quot;&lt;&gt;' />

With this configuration, when I request the URL https://erddap.ve.ismar.cnr.it/erddap:

 GET /erddap/ HTTP/1.1
 Host: erddap.ve.ismar.cnr.it
 X-Request-ID: 484e514b4038614090bf34061e9287f3
 X-Real-IP: 10.104.235.192
 X-Forwarded-For: 10.104.235.192
 X-Forwarded-Host: erddap.ve.ismar.cnr.it
 X-Forwarded-Port: 443
 X-Forwarded-Proto: https
 X-Scheme: https
 ...

I get the following response:

HTTP/1.1 302 
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow- 
Credentials
Location: https://erddap.ve.ismar.cnr.it/erddap/index.html
Content-Length: 0
Date: Thu, 24 Feb 2022 17:55:41 GMT
Server: Apache

and everything works fine with proxy forwarding and backend Tomcat reponse.

But if I add in Tomcat Connector configuration the parameter scheme="https" as suggested in the tutorial mentioned above:

<Connector server="Apache" secure="true" port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
       proxyPort="443"
       scheme="https"
       relaxedPathChars='[]|'
       relaxedQueryChars='[]:|{}^&#x5c;&#x60;&quot;&lt;&gt;' />

the same request fails and I get the following response from Tomcat:

HTTP/1.1 302 
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow- 
Credentials
Location: (not specified)/erddap/index.html
Content-Length: 0
Date: Thu, 24 Feb 2022 18:02:44 GMT
Server: Apache

You can notice the "Location:" header is completely wrong with "(not specified)" prefix and causes the client to make the subsequent request for the URL https://erddap.ve.ismar.cnr.it/erddap/(not%20specified)/erddap/index.html (and of course the request fails).

Can anyone of you help me to spot where could be the problem in my Tomcat configuration? Why the behaviour is so different just adding the scheme="https" parameter in server.xml?

Many thanks in advance, Pierpaolo

Your Tomcat connector configuration is missing the proxy information.

The relevant attributes are proxyName and proxyPort

Example:

<Connector server="Apache" secure="true" port="8080" protocol="HTTP/1.1" 
   connectionTimeout="20000"
   proxyName="example.com"
   proxyPort="443"
   scheme="https"
   relaxedPathChars='[]|'
   relaxedQueryChars='[]:|{}^&#x5c;&#x60;&quot;&lt;&gt;' />