nginx + tomcat配置https的两种方法
# The frist method:
— Nginx and Tomcat using HTTPS:
1. nginx configuration:
upstream test {
server 172.16.7.30:8443 weight=1;
}
upstream master {
server 172.16.7.31:8443 weight=1;
}
server {
listen 80;
server_name test.hbc315.com master.hbc315.com;
rewrite ^(.*)$ https://$host$1 permanent; # Used together ports 80 and 443; Redirect request port from 80 to 443
}
server {
listen 443 ssl;
server_name test.mysite.com master.mysite.com;
ssl on;
ssl_certificate server.pem;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
ssl_prefer_server_ciphers on;
location / {
set $domain "";
if ($http_host ~* "^(test)" ) {set $domain "test";}
if ($http_host ~* "^(master)" ) {set $domain "master";}
proxy_pass https://$domain;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded--Proto https;
client_max_body_size 500m;
client_body_buffer_size 1m;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffer_size 400k;
proxy_buffers 4 1m;
proxy_busy_buffers_size 2m;
proxy_temp_file_write_size 1m;
}
}
2. tomcat configuration:
1) Execute the following command:
# keytool -genkey -alias tomcat -keyalg RSA -keystore /root/tomcat/conf/ssl.keystore # Generate certificate KEY
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: 192.16.7.30 # domain or IP
What is the name of your organizational unit?
[Unknown]: hbc
What is the name of your organization?
[Unknown]: hbc
What is the name of your City or Locality?
[Unknown]: bj
What is the name of your State or Province?
[Unknown]: bj
What is the two-letter country code for this unit?
[Unknown]: cn # The default CN of china
Is CN=192.16.7.30, OU=hbc, O=hbc, L=bj, ST=bj, C=cn correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
Re-enter new password:
2) Configure server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/root/tomcat/conf/ssl.keystore"
keystorePass="tomcat" /> # The above steps to set the password
=========================================
# The second method:
— Nginx using HTTPS; Nginx with Tomcat interaction using HTTP
1. nginx configuration:
upstream test {
server 172.16.7.30:8080 weight=1; # Here is different from above
}
upstream master {
server 172.16.7.31:8080 weight=1; # Here is different from above
}
server {
listen 80;
server_name test.hbc315.com master.hbc315.com;
rewrite ^(.*)$ https://$host$1 permanent; # Used together ports 80 and 443; Redirect request port from 80 to 443
}
server {
listen 443 ssl;
server_name test.mysite.com master.mysite.com;
ssl on;
ssl_certificate server.pem;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
ssl_prefer_server_ciphers on;
location / {
set $domain "";
if ($http_host ~* "^(test)" ) {set $domain "test";}
if ($http_host ~* "^(master)" ) {set $domain "master";}
proxy_pass http://$domain; # Here is different from above
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded--Proto https; # Here is different from above
client_max_body_size 500m;
client_body_buffer_size 1m;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffer_size 400k;
proxy_buffers 4 1m;
proxy_busy_buffers_size 2m;
proxy_temp_file_write_size 1m;
}
}
2. tomcat configuration:
Configure server.xml file(On the basis of the default configuration file):
1) Add port proxy forwarding:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" # Take 8443 to 443
proxyPort="443"/> # Add a line parameters
2) Add <host> tag value:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>