Nginx + Tomcat https ssl 部署方案
之前就玩过这个https的部署方案,挺简单的,但是好久没搞,又有点忘了,果然好记性不如烂笔头
再重新温习一下....
1,准备证书
2,下载nginx
3,准备tomcat
4,配置nginx.conf,如示例
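#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # Both upstream groups currently resolve to the same Tomcat connector
    # (127.0.0.1:8007); they are kept separate so the RPC and web backends
    # can be split later by editing only the server lines below.
    upstream xxyrpc {
        server 127.0.0.1:8007;
        #server 192.168.7.97:8080;
    }

    upstream xxyweb {
        server 127.0.0.1:8007;
        #server 127.0.0.1:8081;
    }

    ###############-------test--示例-------#####################################
    # Plain-HTTP listener: everything is sent to the HTTPS site with a 301.
    server {
        listen       80;
        server_name  xxy.jss.com.cn;
        # root /usr/share/nginx/html;
        location / {
            rewrite ^(.*)$ https://$host$1 permanent;
        }
    }

    # TLS listener; TLS is terminated here and Tomcat is reached over plain
    # HTTP on loopback, so the X-Forwarded-* headers below are what Tomcat's
    # RemoteIpValve uses to reconstruct scheme and client address.
    server {
        listen       443 ssl;                  # "ssl on;" is redundant with the ssl listen flag
        server_name  xxy.jss.com.cn;
        access_log   logs/aisino_access55.log;

        ssl_certificate      E:/nginx-1.11.12/newkey/server.cer;   # server certificate (plus chain, if any)
        ssl_certificate_key  E:/nginx-1.11.12/newkey/server.key;   # private key; keep file permissions tight

        #ssl_session_cache    shared:SSL:1m;
        #ssl_session_timeout  5m;                                  # session timeout (minutes)

        # The original list offered SSLv2/SSLv3 and the RC4/LOW/EXP cipher groups,
        # all of which are broken.  Offer only TLS 1.2 (this nginx build predates
        # TLSv1.3 support) with nginx's default strong cipher set.
        ssl_protocols              TLSv1.2;
        ssl_ciphers                HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;                             # server picks the suite, not the client

        # Since port 80 already redirects unconditionally, tell browsers to
        # stay on HTTPS; raise max-age once the setup has proven stable.
        add_header Strict-Transport-Security "max-age=300" always;

        charset utf-8;

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # Forwarding headers used by every proxied location:
        #   X-Forwarded-For   - $proxy_add_x_forwarded_for appends $remote_addr to
        #                       whatever the client sent; only the rightmost entry
        #                       is vouched for by nginx.
        #   X-Forwarded-Proto - hard-coded to "https", which overwrites any
        #                       client-supplied value before Tomcat sees it.

        # Legacy entry points that users may have bookmarked.
        location = /pc.do {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyrpc/xxy_rpc/pc.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }

        location = /app.do {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyrpc/xxy_rpc/app.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }

        location = /nuoyan.do {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyrpc/xxy_rpc/nuoyan.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }

        location /xxy_rpc {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyrpc/xxy_rpc;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }

        # Site root maps onto the xxy_web context.
        location / {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyweb/xxy_web;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            access_log          logs/aisino_access2.log;
        }

        # Legacy entry points that users may have bookmarked.
        location = /welcome.do {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyweb/xxy_web/welcome.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            access_log          logs/aisino_access2.log;
        }

        location = /main/query.do {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  15s;
            proxy_send_timeout     15s;
            proxy_read_timeout     15s;
            proxy_pass          http://xxyweb/xxy_web/main/query.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            access_log          logs/aisino_access2.log;
        }

        # NOTE(review): this location forwards to the xxyrpc group rather than
        # xxyweb like the other /xxy_web paths; harmless while both groups hold
        # the same server, but confirm intent before the upstreams diverge.
        # Longer timeouts kept from the original.
        location /xxy_web {
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    Host               $http_host;
            proxy_set_header    X-Forwarded-Proto  https;
            proxy_redirect      off;
            proxy_connect_timeout  60s;
            proxy_send_timeout     60s;
            proxy_read_timeout     60s;
            proxy_pass          http://xxyrpc/xxy_web;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }
    }

    ###############-------test--示例-------#####################################

}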
5,修改tomcat下server.xml配置
Host 节点下增加一行(nginx 代理 https 后,应用 redirect 时 https 变成 http,即请求是 https,tomcat 输出的却是 http 的问题):
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For"/>
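<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

  <!-- SingleSignOn valve, share authentication between web applications
       Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->

  <!-- nginx terminates TLS and forwards plain HTTP to this connector.
       RemoteIpValve rebuilds the request scheme from X-Forwarded-Proto
       (treated as secure when it equals "https") and the client address
       from X-Forwarded-For, so redirects generated by the application
       stay on https.  The headers are only honoured when the immediate
       peer matches internalProxies; the default pattern covers 127.0.0.1,
       which is where nginx connects from in this setup.  Set
       internalProxies explicitly if nginx is ever moved to another host. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         remoteIpHeader="X-Forwarded-For"/>

  <!-- Access log processes all example.
       Documentation at: /docs/config/valve.html
       Note:  The pattern used is equivalent to using pattern="common" -->
  <!-- The quotes around %r must be written as &quot; - a literal " inside
       the attribute value is not well-formed XML and breaks server.xml. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         pattern="%h %l %u %t &quot;%r&quot; %s %b"
         prefix="localhost_access_log." suffix=".txt"/>

  <!--<Context path="/images" docBase="E:/workspace/out/artifacts/images" debug="0" reloadable="true"/>-->
</Host>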
6,部署项目,start nginx ,输入域名访问。