nginx + tomcat + https配置

nginx + tomcat + https配置

模式:
客户端 ---https -----> nginx ----- http ------> tomcat

浏览器和 Nginx 之间走的 HTTPS 通讯,而 Nginx 到 Tomcat 通过 proxy_pass 走的是普通 HTTP 连接。

证书申请:

在有域名的服务器上部署申请证书的程序:

备注:python 版本在2.6以上

1.
#mkdir ~/cert/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2、mkdir ~/.pip
pip.conf配置文件:
[global]
index-url=https://pypi.doubanio.com/simple/

[install]
trusted-host=pypi.doubanio.com

3、安装申请证书所依赖的工具
cd ~/cert
#./certbot-auto

安装过程可能需要比较长的时间,有时可能是网络连接不好执行不成功


You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.lelaohui.com.cn
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.lelaohui.com.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.lelaohui.com.cn/privkey.pem
Your cert will expire on 2017-12-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"


./certbot-auto certonly


4、网站申请证书

备注: 申请之前443端口应用关闭

#./certbot-auto certonly --standalone -d piaoyu.online -d www.piaoyu.online

申请成功后会在目录:/etc/letsencrypt/live/www.piaoyu.online/ 保存证书
#ls /etc/letsencrypt/live/www.piaoyu.online/
cert.pem chain.pem fullchain.pem privkey.pem

 

证书延期测试:
./certbot-auto renew --dry-run


自动续约证书:
30 */8 */80 * * root /root/cert/certbot-auto renew --quiet

备注: 续约之前443端口应用关闭

5、nginx 配置


[root@appserver88 conf.d]# cat default.conf
#
# The default server
#


server {
listen 80 default_server;
server_name _;
root /usr/share/nginx/html;


# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {

proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_pass http://tomcat;
}

error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}


###########################

[root@appserver88 conf.d]# cat ssl.conf
#
# HTTPS server configuration
#

server {
listen 443 ssl default_server;
server_name _;
root /usr/share/nginx/html;
#
ssl_certificate /etc/letsencrypt/live/www.piaoyu.online/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.piaoyu.online/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
location / {

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
proxy_pass http://tomcat;
}
#
error_page 404 /404.html;
location = /40x.html {
}
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

######################

[root@appserver88 conf.d]# cat upstream.conf
upstream tomcat {
#server 127.0.0.1:8080 fail_timeout=0;
server 10.28.11.117:8090;
}


########################


6、tomcat配置

主要修改:server.xml文件

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
proxyPort="443" />


添加:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />

注意的是必须有proxyPort=”443″,这是整篇文章的关键,当然 redirectPort 也必须是 443。
同时 <Value> 节点的配置也非常重要,否则你在 Tomcat 中的应用在读取 getScheme() 方法以及在 web.xml 中配置的一些安全策略会不起作用。

 

 


那么,在同一个IP上,如何配置多个HTTPS主机呢?
nginx支持TLS协议的SNI扩展(Server Name Indication,简单地说这个扩展使得在同一个IP上可以以不同的证书serv不同的域名)。不过,SNI扩展还必须有客户端的支持,另外本地的OpenSSL必须支持它。
如果启用了SSL支持,nginx便会自动识别OpenSSL并启用SNI。是否启用SNI支持,是在编译时由当时的 ssl.h 决定的(SSL_CTRL_SET_TLSEXT_HOSTNAME),如果编译时使用的OpenSSL库支持SNI,则目标系统的OpenSSL库只要支持它就可以正常使用SNI了。
nginx在默认情况下是TLS SNI support disabled。

 

2
# /usr/local/nginx/sbin/nginx -V
TLS SNI support enabled

 

posted @ 2019-09-16 17:21  rain88  阅读(2157)  评论(0编辑  收藏  举报