Nginx + Tomat https ssl 部署方案

之前就玩过这个https的部署方案,挺简单的,但是好久没搞,又有点忘了,果然好记性不如烂笔头

再重新温习一下....

 

1,准备证书

2,下载nginx

3,准备tomcat

4,配置nginx.conf,如示例

  1 #user  nobody;
  2 worker_processes  1;
  3 
  4 #error_log  logs/error.log;
  5 #error_log  logs/error.log  notice;
  6 #error_log  logs/error.log  info;
  7 
  8 #pid        logs/nginx.pid;
  9 
 10 
 11 events {
 12     worker_connections  1024;
 13 }
 14 
 15 
 16 http {
 17     include       mime.types;
 18     default_type  application/octet-stream;
 19 
 20     #log_format  main  '$remote_addr - $remote_user [$time_local] '$request' '
 21     #                  '$status $body_bytes_sent '$http_referer' '
 22     #                  ''$http_user_agent' '$http_x_forwarded_for'';
 23 
 24     #access_log  logs/access.log  main;
 25 
 26     sendfile        on;
 27     #tcp_nopush     on;
 28 
 29     #keepalive_timeout  0;
 30     keepalive_timeout  65;
 31     
 32     upstream xxyrpc {
 33         server 127.0.0.1:8007 ;
 34         #server 192.168.7.97:8080 ;
 35     }
 36     
 37     upstream xxyweb {
 38         server 127.0.0.1:8007 ;
 39         #server 127.0.0.1:8081 ;
 40     }
 41     
 42     ###############-------test--示例-------#####################################
 43     server {
 44         listen       80;
 45         server_name  xxy.jss.com.cn;
 46         # root       /usr/share/nginx/html;
 47         location / {
 48             rewrite ^(.*)$ https://$host$1 permanent;
 49         }
 50     }
 51     
 52     server {
 53         listen       443 ssl;                             #指定ssl监听端口
 54         server_name  xxy.jss.com.cn;                    #域名
 55         ssl on;                                           #开启ssl支持
 56         access_log logs/aisino_access55.log;                #访问日志
 57 
 58         ssl_certificate      E:/nginx-1.11.12/newkey/server.cer;      #指定服务器证书路徿
 59         ssl_certificate_key  E:/nginx-1.11.12/newkey/server.key;     #指定私钥证书路径
 60         
 61         #ssl_session_cache    shared:SSL:1m;
 62         #ssl_session_timeout  5m;                         #SSL会话超时闿分钟
 63         
 64         ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;  #指定SSL服务器端支持的协议版朿
 65         ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;    #指定加密算法
 66         ssl_prefer_server_ciphers   on;                   #在使用SSLv3和TLS协议时指定服务器的加密算法要优先于客户端的加密算泿
 67         charset utf-8;
 68         
 69         error_page   500 502 503 504  /50x.html;
 70         location = /50x.html {
 71             root   html;
 72         }
 73         
 74         #兼容用户可能收藏的页面
 75         location = /pc.do {
 76             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 77             proxy_set_header Host $http_host;
 78             proxy_set_header X-Forwarded-Proto https;
 79             proxy_redirect off;
 80             proxy_connect_timeout      15s;
 81             proxy_send_timeout         15s;
 82             proxy_read_timeout         15s;
 83             proxy_pass   http://xxyrpc/xxy_rpc/pc.do;
 84             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 85         }
 86         
 87         location = /app.do {
 88             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 89             proxy_set_header Host $http_host;
 90             proxy_set_header X-Forwarded-Proto https;
 91             proxy_redirect off;
 92             proxy_connect_timeout      15s;
 93             proxy_send_timeout         15s;
 94             proxy_read_timeout         15s;
 95             proxy_pass   http://xxyrpc/xxy_rpc/app.do;
 96             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 97         }
 98         
 99         location = /nuoyan.do {
100             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
101             proxy_set_header Host $http_host;
102             proxy_set_header X-Forwarded-Proto https;
103             proxy_redirect off;
104             proxy_connect_timeout      15s;
105             proxy_send_timeout         15s;
106             proxy_read_timeout         15s;
107             proxy_pass   http://xxyrpc/xxy_rpc/nuoyan.do;
108             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
109         }
110 
111         location /xxy_rpc {
112             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
113             proxy_set_header Host $http_host;
114             proxy_set_header X-Forwarded-Proto https;
115             proxy_redirect off;
116             proxy_connect_timeout      15s;
117             proxy_send_timeout         15s;
118             proxy_read_timeout         15s;
119             proxy_pass   http://xxyrpc/xxy_rpc;
120             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
121         }
122         
123         location / {
124             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
125             proxy_set_header Host $http_host;
126             proxy_set_header X-Forwarded-Proto https;
127             proxy_redirect off;
128             proxy_connect_timeout      15s;
129             proxy_send_timeout         15s;
130             proxy_read_timeout         15s;
131             proxy_pass   http://xxyweb/xxy_web;
132             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
133             access_log logs/aisino_access2.log; 
134         }
135         
136         #兼容用户可能收藏的页面
137         location = /welcome.do {
138             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
139             proxy_set_header Host $http_host;
140             proxy_set_header X-Forwarded-Proto https;
141             proxy_redirect off;
142             proxy_connect_timeout      15s;
143             proxy_send_timeout         15s;
144             proxy_read_timeout         15s;
145             proxy_pass   http://xxyweb/xxy_web/welcome.do;
146             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
147             access_log logs/aisino_access2.log; 
148         }
149         
150         
151         location = /main/query.do {
152             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
153             proxy_set_header Host $http_host;
154             proxy_set_header X-Forwarded-Proto https;
155             proxy_redirect off;
156             proxy_connect_timeout      15s;
157             proxy_send_timeout         15s;
158             proxy_read_timeout         15s;
159             proxy_pass   http://xxyweb/xxy_web/main/query.do;
160             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
161             access_log logs/aisino_access2.log; 
162         }
163         
164         location /xxy_web {
165             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
166             proxy_set_header Host $http_host;
167             proxy_set_header X-Forwarded-Proto https;
168             proxy_redirect off;
169             proxy_connect_timeout      60s;
170             proxy_send_timeout         60s;
171             proxy_read_timeout         60s;
172             proxy_pass   http://xxyrpc/xxy_web;
173             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
174         }
175     }
176     
177     ###############-------test--示例-------#####################################
178     
179 }

5,修改tomcat下server.xml配置

Host 节点下增加一行(nginx 代理https后,应用redirect https变成http,即https请求,tomcat 输出的确实http 问题):

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For"/>

 1 <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
 2 
 3         <!-- SingleSignOn valve, share authentication between web applications
 4              Documentation at: /docs/config/valve.html -->
 5         <!--
 6         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
 7         -->
 8         <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For"/>
 9         <!-- Access log processes all example.
10              Documentation at: /docs/config/valve.html
11              Note: The pattern used is equivalent to using pattern="common" -->
12         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
13 
14       <!--<Context path="/images" docBase="E:/workspace/out/artifacts/images" debug="0" reloadable="true"/>-->
15  </Host>

6,部署项目,start nginx ,输入域名访问。

 

posted @ 2018-07-27 10:41  江湖小谢*VIP  阅读(888)  评论(0编辑  收藏  举报