nginx 搭建https访问后端tomcat的http
安装nginx
# Install nginx from the distribution repositories (yum: CentOS/RHEL-style),
# register the unit so it starts at boot, then start it right away.
yum install -y nginx
systemctl enable nginx.service
systemctl start nginx.service
配置https访问nginx
nginx ssl配置
1.创建服务器证书密钥文件 server.key:
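# Generate the server's RSA private key, passphrase-protected with 3DES for
# now (a later step strips the passphrase so nginx can start unattended).
# 2048 bits replaces the original 1024: a 1024-bit modulus is below current
# minimums and is refused by modern browsers and OpenSSL security levels.
openssl genrsa -des3 -out server.key 2048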
输入密码,确认密码,自己随便定义,但是要记住,后面会用到。
2.创建服务器证书的申请文件 server.csr
# Build the certificate signing request from the key. openssl prompts for the
# key's passphrase (chosen in the previous step) and for the subject fields;
# the Common Name should be the host name clients will use.
# NOTE(review): this interactive flow adds no subjectAltName; current browsers
# validate the name against the SAN rather than the CN — confirm it matters
# for the intended clients.
openssl req -new -key server.key -out server.csr
3.备份一份服务器密钥文件
# Keep a copy of the still-encrypted key before the passphrase is removed.
cp server.key server.key.org
4.去除文件口令
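# Rewrite the key without its passphrase so nginx can load it at boot without
# prompting. The result is a plaintext private key, so restrict it to the
# owner: OpenSSL 1.0.x writes the output with the process umask (often
# world-readable); newer builds already use 0600, where the chmod is a no-op.
openssl rsa -in server.key.org -out server.key
chmod 600 server.key server.key.org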
5.生成证书文件server.crt
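# Self-sign the CSR with the key to produce the certificate nginx will serve,
# valid for one year (-days 365). -sha256 pins the signature digest: older
# OpenSSL releases default to SHA-1 here, which browsers reject.
openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out server.crt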
nginx.conf配置如下
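# Backend pool of Tomcat instances behind this proxy.
upstream test_tomcat {
    # Hash on the client address so each client sticks to one backend and its
    # server-side session stays valid. Clients behind one NAT address all
    # land on the same backend.
    ip_hash;
    server 10.99.201.64:80;
    server 10.122.49.231:8081;
    #server 10.122.49.231:8082;
}

# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    server_name dbss.lenovo.com;
    # Core: permanent (301) redirect to the same path on the HTTPS vhost.
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}

# HTTPS front end: terminates TLS and proxies to Tomcat over plain HTTP.
server {
    listen 443 ssl http2 default_server;
    # default_server makes this block answer for every name; the HTTP block
    # above redirects to dbss.lenovo.com, so the certificate must cover it.
    server_name localhost;
    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/server.key";
    # Pin the protocol versions: without this, nginx builds before 1.23.4
    # inherit a default that still offers TLS 1.0 and 1.1. The TLSv1.3 token
    # needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://test_tomcat;
        # Forward the original host and client address so the backend can
        # recover the real client IP from X-Forwarded-For.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Try the next backend on connection errors and 5xx responses.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # Wildcard CORS: any origin may read these responses (for requests
        # sent without credentials). Narrow this to the real front-end
        # origin unless the API is meant to be public.
        add_header Access-Control-Allow-Origin *;
        # Key piece for HTTPS behind a proxy: tells Tomcat the client used
        # TLS so it can build https:// URLs and treat the request as secure.
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }

    #error_page 500 /500.json ;
    #location ^~ /500 {
    #    root /usr/share/nginx/html ;
    #}

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}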
tomcat中server.xml的关键配置
<!-- proxyPort must be 443: Tomcat reports it from request.getServerPort()
     and uses it in the absolute URLs it builds (e.g. redirects), so they
     carry the public HTTPS port instead of this connector's port 80. -->
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" proxyPort="443"/>
<Host name="localhost" appBase="" unpackWARs="true" autoDeploy="true">
    <!-- RemoteIpValve replaces the client address with the one carried in
         X-Forwarded-For (after stripping trusted proxy hops) and, when
         X-Forwarded-Proto says https, treats the request as secure. It only
         honours these headers when the connecting peer matches
         internalProxies (default: private and loopback ranges).
         NOTE(review): confirm the nginx host's address is covered, otherwise
         the headers are ignored; and if untrusted hosts can reach this
         connector directly, they must not fall inside that list. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
    <!-- remaining contents of <Host> are not shown on this page -->
tomcat中jks文件转nginx的crt以及key文件
# Convert the Tomcat JKS keystore to PKCS#12 so openssl can read it. The
# alias "server" must match the entry name in server.jks (see keytool -list);
# keytool prompts for the source and destination store passwords.
keytool -importkeystore -srckeystore server.jks -srcalias server -destkeystore newkeystore.p12 -deststoretype PKCS12
# Pull out only the end-entity (leaf) certificate, no private key.
openssl pkcs12 -in newkeystore.p12 -nokeys -clcerts -out server-ssl.crt
# Pull out only the CA / intermediate certificates, no private key.
openssl pkcs12 -in newkeystore.p12 -nokeys -cacerts -out gs_intermediate_ca.crt
合并crt文件
# Build the chain file nginx expects: the server certificate first, followed
# by the intermediate CA certificate(s). Order matters.
cat server-ssl.crt gs_intermediate_ca.crt >server.crt
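# Export the private key unencrypted (-nodes) so nginx can load it without a
# passphrase. That leaves a plaintext key on disk, so restrict it to the
# owner; openssl may otherwise create it with the default umask.
openssl pkcs12 -nocerts -nodes -in newkeystore.p12 -out server.key
chmod 600 server.key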