Nginx+tomcat实现https访问(tomcat不配ssl证书)
用户端与Nginx通讯使用https,Nginx与tomcat通讯可以只使用http,简化证书配置。Nginx端配置nginx.conf
user nginx;
worker_processes2;
error_loglogs/error.log;
#error_loglogs/error.lognotice;
#error_loglogs/error.loginfo;
pid /usr/local/nginx/nginx.pid;
events {
worker_connections1024;
}
http {
charsetutf-8;
server_names_hash_bucket_size 128;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
client_max_body_size 300m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
client_body_buffer_size512k;
proxy_connect_timeout 5;
proxy_read_timeout 30;
proxy_send_timeout 5;
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
gzip on;
gzip_min_length1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
server_tokens off;
log_formatmain'$http_x_forwarded_for - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$upstream_cache_status" $remote_addr';
proxy_cache_path/ngx_cache/proxy_cache/cache1levels=1:2 keys_zone=cache1:20m inactive=3d max_size=500m;
proxy_cache_path/ngx_cache/proxy_cache/cache2levels=1:2 keys_zone=cache2:20m inactive=3d max_size=500m;
upstream 8090
{
server 0.0.0.0:8090 max_fails=2 fail_timeout=30s;
}
server {
listen 90;
server_namewww.ddzrh.com;
location / {
return 301 https://203.195.144.57$request_uri;
}
}
server {
listen 443;
server_namewww.ddzrh.com;
ssl on;
ssl_certificate /usr/local/nginx/ssl/cunguan.crt;
ssl_certificate_key/usr/local/nginx/ssl/cunguan.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout10m;
ssl_protocolsTLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
location ~ /purge(/.*) {
allow all;
proxy_cache_purge cache2 $host$1$is_args$args;
}
location ~ \.*(jpeg|jpg|png|css|js)$ {
proxy_pass http://8090;
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_set_header Host$host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Nginx-Cache $upstream_cache_status;
proxy_cache cache2;
proxy_cache_key $host$uri$is_args$args;
#proxy_cache_valid 200 304 30m;
expires 1d;
}
location / {
proxy_pass http://8090;
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_set_header Host$http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
}
error_page 500 502 503 504/50/50.html;
location ~ /50(/.*) {
root html;
}
}
} 其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置,其他的按正常配置。不过多了一个 proxy_set_header X-Forwarded-Proto https; 配置。
tomcat端配置server.xml
必须有 proxyPort="443",这是整篇文章的关键,当然 redirectPort 也必须是 443。同时 节点的配置也非常重要,否则你在 Tomcat 中的应用在读取 getScheme() 方法以及在 web.xml 中配置的一些安全策略会不起作用。
页:
[1]