Configuring SSL certificates for Nginx and Tomcat

I. Software environment and architecture

1. Environment: keepalived, CentOS 6.5, Nginx 1.8.1, Tomcat 8

2. Architecture overview: two servers, A and B, with the IPs assumed to be 10.32.31.111 and 10.32.31.112. Each server runs keepalived (master/backup configuration), Nginx (port 80) and two Tomcat instances (ports 8081 and 8082).

Virtual IP: 10.32.31.110. The two web applications (firstWeb and secondWeb) are told apart by request path, as shown in the figure below:

II. Configuring the SSL certificate

1. Tomcat configuration

Edit conf/server.xml of the Tomcat on port 8081 and change its Connector as below. proxyName takes either the domain name or the IP; leave proxyName out if both should work. Together with scheme="https" and proxyPort="443", these attributes make Tomcat build absolute URLs (redirects in particular) as https://10.32.31.110/... instead of with its own host and port 8081:

<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000" URIEncoding="UTF-8"
           redirectPort="8442" scheme="https" proxyName="10.32.31.110" proxyPort="443"/>

Edit conf/server.xml of the Tomcat on port 8082 in the same way:

<Connector port="8082" protocol="HTTP/1.1"
           connectionTimeout="20000" URIEncoding="UTF-8"
           redirectPort="8443" scheme="https" proxyName="10.32.31.110" proxyPort="443"/>

2. Nginx configuration

First check that Nginx was built with the http_ssl_module, as shown in the figure below:

Locate Nginx's configuration file nginx.conf and make the changes below. The essential parts are the `listen 443 ssl` server block and the `ssl_*` directives; the `return 301 ...` line in the port-80 block forces HTTP to HTTPS and can be removed if that redirection is not wanted:

worker_processes 4;
user super;
events {
  worker_connections 1024;
}
http {
  include mime.types;
  default_type application/octet-stream;
  sendfile on;
  keepalive_timeout 65;
  upstream alam {
    ip_hash;
    server 10.32.31.111:8081;
    server 10.32.31.112:8081;
  }
  upstream alarm {
    ip_hash;
    server 10.32.31.111:8082;
    server 10.32.31.112:8082;
  }
  server {
    listen 80;
    server_name 10.32.31.110 域名;  # several domain names and IPs can be listed here
    # force HTTP to HTTPS; $host keeps the name the client asked for
    # ($server_name would always substitute the first entry of the list above)
    return 301 https://$host$request_uri;
  }
  server {
    listen 443 ssl;   # 443 is the default HTTPS port
    server_name 10.32.31.110 域名;
    location /firstWeb {
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # disable response buffering
      proxy_buffering off;
      # upstream to proxy to
      proxy_pass http://alam;
      # upload size limit
      client_max_body_size 2000m;
    }
    location /secondWeb {
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # disable response buffering (left commented out for this application)
      #proxy_buffering off;
      # upstream to proxy to
      proxy_pass http://alarm;
      # upload size limit
      client_max_body_size 2000m;
    }
    ssl_certificate server.pem;      # certificate (public part); path is relative to the conf directory
    ssl_certificate_key server.key;  # private key; keep it readable by root only
    ssl_session_cache shared:SSL:10m;
  }
}

The SSL certificate can be generated yourself or bought from a CA!
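As an added example (not part of the original post), a small POSIX shell script that runs the checks a practitioner wants after applying the Tomcat and Nginx changes above on one of the two servers: it confirms that http_ssl_module is compiled in, creates a self-signed test pair when no certificate exists yet (a purchased certificate drops in at the same two paths), verifies that certificate and key belong together before nginx is reloaded, runs `nginx -t`, and exercises both the port-80 redirect and the redirects Tomcat itself builds from proxyName/proxyPort/scheme. The conf directory /usr/local/nginx/conf, the `run` argument and the helper names are assumptions; the addresses and ports are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes nginx, openssl and curl
# are on PATH; the conf directory below is an assumption, the addresses are
# the ones used in the post.
set -u

VIP="${VIP:-10.32.31.110}"                        # virtual IP from the post
CONF_DIR="${CONF_DIR:-/usr/local/nginx/conf}"     # assumed nginx conf directory
CERT="$CONF_DIR/server.pem"                       # matches ssl_certificate
KEY="$CONF_DIR/server.key"                        # matches ssl_certificate_key

# 1. Was nginx built with http_ssl_module? Reads `nginx -V` output on stdin,
#    so it works on a live binary (nginx -V 2>&1 | has_ssl_module) and on a
#    captured string alike.
has_ssl_module() {
  grep -q -- '--with-http_ssl_module'
}

# 2. Self-signed pair for testing (use a CA-signed one in production).
#    Runs in a subshell so the restrictive umask does not leak out; the key
#    file is created with mode 0600.
make_self_signed() {
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=$3" -keyout "$2" -out "$1" >/dev/null 2>&1 )
}

# 3. Certificate and key must belong together, otherwise nginx refuses to
#    start on the ssl_certificate_key line. Compare the public keys.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 4. Port 80 must answer 301 with an https:// Location that keeps the host
#    the client asked for (the reason the redirect uses $host).
redirect_target() {
  curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1/firstWeb/"
}

# 5. Tomcat behind the proxy must build redirects with the public scheme and
#    port (proxyName/proxyPort/scheme in server.xml), not http://host:8081.
#    Requesting the context without a trailing slash makes Tomcat redirect
#    to the directory form, which exposes the host/port it believes it has.
tomcat_redirect_location() {
  curl -s -o /dev/null -w '%{redirect_url}' "http://$1:$2/firstWeb"
}

main() {
  nginx -V 2>&1 | has_ssl_module || { echo "nginx lacks http_ssl_module"; exit 1; }
  [ -f "$CERT" ] || make_self_signed "$CERT" "$KEY" "$VIP"
  cert_matches_key "$CERT" "$KEY" || { echo "certificate/key mismatch"; exit 1; }
  nginx -t || exit 1
  echo "port 80 redirect -> $(redirect_target "$VIP")"
  echo "Tomcat 8081 redirect -> $(tomcat_redirect_location 10.32.31.111 8081)"
}

# Live checks only when invoked as: sh check_tls.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Expect the port-80 line to show `301 https://10.32.31.110/firstWeb/` and the Tomcat line to start with `https://10.32.31.110/`; an `http://10.32.31.111:8081/` there means the Connector attributes from step 1 are not in effect.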

posted @ 2018-05-07 15:08  If-Only