https-->http and http-->https bitransfer

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem -verify 1 -showcerts

curl -E my.pem https://some.site

http-->https
https://www.cnblogs.com/yun007/p/3739182.html



    Install the OpenSSL package in order to generate key and certificate. Note: you probably already have this package installed if you are under Linux, or *BSD.
    Install the pyOpenSSL package, it is an OpenSSL library binding. You'll need to import this module for accessing OpenSSL's components.
    Generate a self-signed certificate compounded of a certificate and a private key for your server with the following command (it outputs them both in a single file named server.pem): openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
    Assuming you saved this recipe in SimpleSecureHTTPServer.py, start the server (with the appropriate rights): python SimpleSecureHTTPServer.py
    Finally, browse to https://localhost, or https://localhost:port if your server listens a different port than 443.

https://www.imhdr.com/articles/1851/nginx-tomcat-https-original-configuration-is-not-required-to-enable-ssl-support-on-tomcat/

最终配置的方案是浏览器和 Nginx 之间走的 HTTPS 通讯，而 Nginx 到 Tomcat 通过 proxy_pass 走的是普通 HTTP 连接。

下面是详细的配置（Nginx 端口 80/443，Tomcat 的端口 8080）：

Nginx 这一侧的配置没什么特别的：

其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置，其他的按正常配置。不过多了一个 proxy_set_header X-Forwarded-Proto https; 配置。

最主要的配置来自 Tomcat，下面是我测试环境中的完整 server.xml：

上述的配置中没有什么特别的，但是特别特别注意的是必须有 proxyPort="443"，这是整篇文章的关键，当然 redirectPort 也必须是 443。同时 <Value> 节点的配置也非常重要，否则你在 Tomcat 中的应用在读取 getScheme() 方法以及在 web.xml 中配置的一些安全策略会不起作用。

<Connector port="8083" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8"
               proxyPort="443"
               scheme="https" />