Introducing a ready-to-use Nginx Reverse proxy Configuration tailored for Adobe ColdFusion and Lucee servers. This downloadable resource helps you place Nginx in front of your CFML engine (Tomcat-based), enabling SSL/TLS termination, HTTP/2, compression, caching, and controlled access to administrative endpoints. It’s valuable for developers and sysadmins who want a production-grade Reverse proxy that improves Performance, Security, and observability without reinventing the wheel.

Contents show

What You’ll Get

A complete, production-ready Nginx Configuration set:
- nginx.conf (global configuration tuned for reverse proxying)
- conf.d/coldfusion.conf (HTTP to HTTPS redirect, SSL server, upstreams)
- snippets/proxy-cf.conf (hardened proxy headers and timeouts)
- snippets/ssl-params.conf (strong TLS settings with HTTP/2)
- snippets/admin-protect.conf (restrict or protect CF Administrator)
Optional examples for:
- Load balancing multiple ColdFusion/Lucee nodes
- WebSocket proxy hints for CF web-socket Features
- Static asset caching
Quick-start README (instructions below)
Code examples you can paste directly into your server
Guidance on integrating with Tomcat’s RemoteIpValve for accurate client IP and HTTPS scheme propagation

Save the provided code into files as indicated, or bundle them into a ZIP for distribution in your environment.

Overview

This configuration positions Nginx as a high-Performance, front-end proxy in front of Adobe ColdFusion or Lucee (running on Tomcat, typically ports 8500/8888). It handles TLS offloading, redirects, compression, caching of static assets, and safe forwarding of client information through X-Forwarded headers. It also supports rate and buffer tuning for heavy CFML applications.

Supported Environments

Operating systems:
- Ubuntu 20.04/22.04/24.04
- Debian 11/12
- RHEL/Rocky/Alma 8/9
Nginx Open source 1.18+ (or distribution defaults)
Adobe ColdFusion 2018/2021/2023
Lucee 5.x
Java 11+ or 17+ (for Tomcat where CF/Lucee runs)
Optional: Certbot for Let’s Encrypt

Benefits

Performance: SSL/TLS termination, HTTP/2, compression (gzip/Brotli), connection reuse, keepalive to backend.
Security: Hardened TLS, locked-down CFIDE/administrator paths, robust proxy headers, reduced attack surface.
Observability: Real client IPs via X-Forwarded-For; structured access logs; simplified log analysis.
Flexibility: Single backend or load-balanced cluster; seamless Maintenance with upstream failover.
Simplicity: Copy, adjust, go. Clearly commented and modular.

File Contents

Path	Purpose
/etc/nginx/nginx.conf	Global settings (logging, timeouts, maps, includes)
/etc/nginx/conf.d/coldfusion.conf	Server blocks (80/443), upstream, caching, admin protection
/etc/nginx/snippets/proxy-cf.conf	Common proxy headers and timeouts for CF
/etc/nginx/snippets/ssl-params.conf	Strong TLS configuration, stapling, ciphers
/etc/nginx/snippets/admin-protect.conf	IP allowlist or Basic Auth for CF Admin

How to Use

Prerequisites

A running ColdFusion or Lucee instance:
- Adobe ColdFusion often listens on port 8500 (Tomcat under the hood).
- Lucee typically listens on 8888 or 8080.
A domain name pointed to your Nginx server (A/AAAA DNS record).
Root or sudo access.

Step-by-Step Installation

Install Nginx

Ubuntu/Debian:
- sudo apt update && sudo apt install -y nginx
RHEL/Rocky/Alma:
- sudo dnf install -y nginx
- sudo systemctl enable –now nginx

Create directories

sudo mkdir -p /etc/nginx/snippets

Replace nginx.conf
Create or replace /etc/nginx/nginx.conf with:

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;

events {
worker_connections 1024;
multi_accept on;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
‘$status $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for” ‘
‘$request_time $upstream_response_time’;

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;

Upgrade map for WebSockets

map $http_upgrade $connection_upgrade {
default upgrade;
” close;
}

Gzip (enable by default, consider Brotli via dynamic module if available)

gzip on;
gzip_types text/plain text/css application/json application/javascript application/xml image/svg+xml;
gzip_min_length 1024;

include /etc/nginx/conf.d/*.conf;
}

Create common proxy settings
Create /etc/nginx/snippets/proxy-cf.conf:

proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;

Avoid rewriting Location headers incorrectly

proxy_redirect off;

Timeouts appropriate for long CFML actions

proxy_read_timeout 300s;
proxy_send_timeout 120s;

Buffering (tune for large pages/responses)

proxy_buffering on;
proxy_buffers 32 16k;
proxy_busy_buffers_size 64k;

Uploads

client_max_body_size 50m;

Create strong TLS parameters
Create /etc/nginx/snippets/ssl-params.conf:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ‘TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256’;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

OCSP stapling

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;

HSTS (enable after confirming HTTPS is stable; includes subdomains if desired)

add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” always;

Security headers (adjust CSP to your app)

add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy strict-origin-when-cross-origin;

Create admin protection snippet
Create /etc/nginx/snippets/admin-protect.conf (choose one of the approaches):

Option A: IP allowlist (recommended)

allow 203.0.113.10; # your office/VPN IP
allow 127.0.0.1;
deny all;

Option B: Basic Auth (uncomment and configure .htpasswd)

auth_basic “Restricted”;

auth_basic_user_file /etc/nginx/.htpasswd;

Create the ColdFusion server block
Create /etc/nginx/conf.d/coldfusion.conf and adjust domain/ports:

Upstream (single node)

upstream cf_backend {
server 127.0.0.1:8500 max_fails=3 fail_timeout=30s;
keepalive 32;
}

server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include snippets/ssl-params.conf;

Main app

location / {
proxy_pass http://cf_backend;
include snippets/proxy-cf.conf;
}

Static asset caching (adjust extensions as needed)

location ~* .(?:css|js|png|jpe?g|gif|svg|webp|ico|woff2?)$ {
expires 7d;
access_log off;
add_header Cache-Control “public, max-age=604800, immutable”;
try_files $uri @app;
}

location @app {
proxy_pass http://cf_backend;
include snippets/proxy-cf.conf;
}

WebSocket example (adjust path to your app)

location /ws/ {
proxy_pass http://cf_backend;
include snippets/proxy-cf.conf;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}

Protect CF Administrator (Adobe CFIDE; comment out if not applicable)

location ~* ^/(CFIDE|cfide)/administrator/ {
include snippets/admin-protect.conf;
proxy_pass http://cf_backend;
include snippets/proxy-cf.conf;
}

Block access to CFIDE tooling by default

location ~* ^/(CFIDE|cfide)/ {
return 403;
}
}

Obtain TLS certificates

Let’s Encrypt (Ubuntu/Debian):
- sudo apt install -y certbot python3-certbot-nginx
- sudo certbot –nginx -d example.com -d www.example.com
RHEL/Rocky/Alma:
- sudo dnf install -y certbot python3-certbot-nginx
- sudo certbot –nginx -d example.com -d www.example.com

Test and reload Nginx

sudo nginx -t
sudo systemctl reload nginx

Configure Tomcat (ColdFusion/Lucee) for correct client IP and scheme
In Tomcat’s server.xml (ColdFusion’s embedded Tomcat), enable RemoteIpValve:

If your application needs correct HTTPS scheme and port, add to the HTTP Connector used by CF/Lucee:

Restart ColdFusion/Lucee after changes.

Load balancing (Optional)

Replace the upstream with multiple nodes:

upstream cf_backend {
server 10.0.1.10:8500 max_fails=3 fail_timeout=30s;
server 10.0.1.11:8500 max_fails=3 fail_timeout=30s;
keepalive 64;

ip_hash; # optionally enable for sticky-ish behavior

}

Nginx uses passive health checks; a failing node is skipped after errors until fail_timeout elapses.

Best practices

Keep CFIDE and administrative paths behind VPN, IP allowlists, or strong Basic Auth. Consider moving Admin to a separate interface if possible.
Enable HSTS only after verifying HTTPS works across the whole site.
Tune proxy_read_timeout for long-running reports and Scheduled tasks.
Use Brotli if your distro provides the module; keep gzip as a fallback.
Use separate server_name blocks for admin consoles on a restricted subdomain.
Rotate and monitor logs. Consider JSON logs for centralized logging.
With SELinux, allow Nginx outbound connections to Tomcat (setsebool -P httpd_can_network_connect 1).

Benefits and Use Cases

Faster page loads: TLS offloading, HTTP/2 multiplexing, compression, and static caching improve perceived and actual performance.
Safer surface: Nginx shields Tomcat, restricts administrative URLs, and adds strict TLS and Security headers.
Simpler Scaling: Add additional Lucee/ColdFusion nodes behind the upstream without changing public endpoints.
Cleaner operations: Real client IPs in logs, consistent headers, and simple reload-based config changes ease Maintenance.
Ideal for: Migrating from IIS/Apache to Nginx, consolidating SSL termination, introducing a WAF in front of CFML, or preparing for horizontal scale.

How This Saves Time

Pre-baked patterns remove guesswork for headers, timeouts, and TLS specifics for CFML apps.
Modular snippets allow quick reuse across dev, staging, and production.
Copy, paste, and customize—no need to search for compatible examples.

Key Takeaways

Use Nginx as a front-end reverse proxy to enhance performance, security, and manageability for ColdFusion or Lucee.
Protect CFIDE/administrator paths via IP allowlists or Basic Auth to reduce risk.
Ensure Tomcat consumes X-Forwarded headers with RemoteIpValve for correct scheme and client IP handling.
Leverage HTTP/2, compression, and caching for faster delivery; add load balancing when you scale.

FAQ

How do I change the backend port if my ColdFusion/Lucee is on 8888 or 8080?

Edit the upstream in conf.d/coldfusion.conf to server 127.0.0.1:8888; (or :8080). Reload Nginx: sudo systemctl reload nginx.

Can I terminate SSL on Nginx and still show HTTPS in my application?

Yes. Terminate TLS at Nginx and forward to Tomcat over HTTP. Ensure X-Forwarded-Proto is set and enable RemoteIpValve plus proxyPort/scheme settings in Tomcat so your app recognizes HTTPS.

How do I secure CFIDE/administrator properly?

Apply the admin-protect.conf snippet with IP allowlists or Basic Auth. For maximum safety, restrict admin access to a VPN or a dedicated, access-controlled subdomain.

Do I need WebSocket settings for ColdFusion?

Only if your application uses CF WebSocket Features or custom WebSocket endpoints. Configure a location block with Upgrade/Connection headers as shown for /ws/ and forward to the backend.

What about Brotli support?

If your Nginx build includes the Brotli module, enable it alongside gzip for additional compression gains. Otherwise, keeping gzip enabled is sufficient and widely compatible.