nginx + tomcat配置https的两种方法
# The frist method: — Nginx and Tomcat using HTTPS: 1. nginx configuration: upstream test { server 172.16.7.30:8443 weight=1; }upstream master { server 172.16.7.31:8443 weight=1; }
server { listen 80; server_name test.hbc315.com master.hbc315.com; rewrite ^(.*)$ https://$host$1 permanent; # Used together ports 80 and 443; Redirect request port from 80 to 443 }
server { listen 443 ssl; server_name test.mysite.com master.mysite.com;
ssl on; ssl_certificate server.pem; ssl_certificate_key server.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM; ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP; ssl_prefer_server_ciphers on;
location / { set $domain ""; if ($http_host ~* "^(test)" ) {set $domain "test";} if ($http_host ~* "^(master)" ) {set $domain "master";} proxy_pass https://$domain; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded--Proto https; client_max_body_size 500m; client_body_buffer_size 1m; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; proxy_buffer_size 400k; proxy_buffers 4 1m; proxy_busy_buffers_size 2m; proxy_temp_file_write_size 1m; } } 2. tomcat configuration: 1) Execute the following command: # keytool -genkey -alias tomcat -keyalg RSA -keystore /root/tomcat/conf/ssl.keystore # Generate certificate KEY Enter keystore password: Re-enter new password: What is your first and last name? :192.16.7.30 # domain or IP What is the name of your organizational unit? :hbc What is the name of your organization? :hbc What is the name of your City or Locality? :bj What is the name of your State or Province? :bj What is the two-letter country code for this unit? :cn # The default CN of china Is CN=192.16.7.30, OU=hbc, O=hbc, L=bj, ST=bj, C=cn correct? :y
Enter key password for <tomcat> (RETURN if same as keystore password): Re-enter new password:
2) Configure server.xml: <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/root/tomcat/conf/ssl.keystore" keystorePass="tomcat" /> # The above steps to set the password
=========================================
# The second method: — Nginx using HTTPS; Nginx with Tomcat interaction using HTTP 1. nginx configuration: upstream test { server 172.16.7.30:8080 weight=1; # Here is different from above }
upstream master { server 172.16.7.31:8080 weight=1; # Here is different from above }
server { listen 80; server_name test.hbc315.com master.hbc315.com; rewrite ^(.*)$ https://$host$1 permanent; # Used together ports 80 and 443; Redirect request port from 80 to 443 }
server { listen 443 ssl; server_name test.mysite.com master.mysite.com;
ssl on; ssl_certificate server.pem; ssl_certificate_key server.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM; ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP; ssl_prefer_server_ciphers on;
location / { set $domain ""; if ($http_host ~* "^(test)" ) {set $domain "test";} if ($http_host ~* "^(master)" ) {set $domain "master";} proxy_pass http://$domain; # Here is different from above proxy_http_version 1.1; proxy_set_header Connection ""; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded--Proto https; # Here is different from above client_max_body_size 500m; client_body_buffer_size 1m; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; proxy_buffer_size 400k; proxy_buffers 4 1m; proxy_busy_buffers_size 2m; proxy_temp_file_write_size 1m; } } 2. tomcat configuration: Configure server.xml file(On the basis of the default configuration file): 1) Add port proxy forwarding: <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" # Take 8443 to 443 proxyPort="443"/> # Add a line parameters 2) Add <host> tag value: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto"/>
页:
[1]