lshboo 发表于 2018-11-10 13:40:45

nginx + tomcat配置https的两种方法

  # The first method:
  — Nginx and Tomcat using HTTPS:
  1. nginx configuration:
  # Backend pools, one per site. Port 8443 is presumably Tomcat's HTTPS
  # connector, since this method proxies to the backends over https://.
  upstream test {
      server 172.16.7.30:8443 weight=1;
  }

  upstream master {
      server 172.16.7.31:8443 weight=1;
  }
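  # Plain-HTTP listener: its only job is to send every request to HTTPS.
  server {
      listen 80;
      # NOTE(review): these names (hbc315.com) differ from the server_name of
      # the 443 server block (mysite.com); both blocks should list the same hosts.
      server_name test.hbc315.com master.hbc315.com;
      # A fixed redirect needs no regex rewrite; $request_uri carries the
      # original path and query string. Ports 80 and 443 are used together.
      return 301 https://$host$request_uri;
  }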
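  # HTTPS front end: terminates client TLS, then re-encrypts to Tomcat (https upstreams).
  server {
      # The "ssl" parameter on listen enables TLS; the separate "ssl on;"
      # directive is deprecated and has been dropped.
      listen 443 ssl;
      # NOTE(review): the port-80 server block lists test.hbc315.com and
      # master.hbc315.com; both blocks should list the same hosts.
      server_name test.mysite.com master.mysite.com;

      ssl_certificate      server.pem;
      # Private key: keep it readable only by the account that starts nginx.
      ssl_certificate_key  server.key;
      ssl_session_timeout  5m;

      # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13+
      # built against OpenSSL 1.1.1+; remove it from the list on older builds.
      ssl_protocols TLSv1.2 TLSv1.3;
      # Forward-secret AEAD suites only. The earlier "ALL:!ADH:..." string could
      # still admit anonymous-ECDH, RC4 and 3DES suites, depending on the OpenSSL build.
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
      ssl_prefer_server_ciphers on;

      location / {
          # Choose the upstream group from the prefix of the Host header.
          set $domain "";
          if ($http_host ~* "^(test)")   { set $domain "test"; }
          if ($http_host ~* "^(master)") { set $domain "master"; }
          # A request whose Host matches neither prefix (for example one made
          # by IP address) would reach proxy_pass with an empty host; reject it.
          if ($domain = "") { return 404; }

          proxy_pass https://$domain;
          # nginx does not verify the upstream certificate by default, so the
          # hop to Tomcat is encrypted but not authenticated. To verify it:
          #proxy_ssl_verify              on;
          #proxy_ssl_trusted_certificate <PATH_TO_TOMCAT_CERT_OR_CA.pem>;   # placeholder
          #proxy_ssl_name                <NAME_IN_TOMCAT_CERT>;             # placeholder

          proxy_http_version 1.1;
          proxy_set_header   Connection "";
          proxy_redirect     off;

          # Pass the original host and client address to Tomcat.
          proxy_set_header   Host            $host;
          proxy_set_header   X-Real-IP       $remote_addr;
          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
          #proxy_set_header  X-Forwarded-Proto https;

          # NOTE(review): 500m request bodies and 600-second timeouts are
          # generous; tighten them if the application does not need them.
          client_max_body_size       500m;
          client_body_buffer_size    1m;
          proxy_connect_timeout      600;
          proxy_send_timeout         600;
          proxy_read_timeout         600;
          proxy_buffer_size          400k;
          proxy_buffers              4 1m;
          proxy_busy_buffers_size    2m;
          proxy_temp_file_write_size 1m;
      }
  }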
  2. tomcat configuration:
  1) Execute the following command:
  # keytool -genkey -alias tomcat -keyalg RSA -keystore /root/tomcat/conf/ssl.keystore       # Generate a key pair and a self-signed certificate in the keystore
  Enter keystore password:
  Re-enter new password:
  What is your first and last name?
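  :192.16.7.30   # domain or IP; this becomes the certificate CN and should match the name clients connect to (note: the nginx upstream above uses 172.16.7.30)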
  What is the name of your organizational unit?
  :hbc
  What is the name of your organization?
  :hbc
  What is the name of your City or Locality?
  :bj
  What is the name of your State or Province?
  :bj
  What is the two-letter country code for this unit?
  :cn   # two-letter country code; CN is the code for China
  Is CN=192.16.7.30, OU=hbc, O=hbc, L=bj, ST=bj, C=cn correct?
  :y
  Enter key password for
  (RETURN if same as keystore password):
  Re-enter new password:
  2) Configure server.xml:
  # Use the password set in the steps above (the server.xml snippet is missing from this page)
  =========================================
  # The second method:
  — Nginx using HTTPS; Nginx with Tomcat interaction using HTTP
  1. nginx configuration:
  # Backend pools, one per site. Unlike the first method these use port 8080,
  # because nginx talks to Tomcat over plain HTTP here.
  upstream test {
      server 172.16.7.30:8080 weight=1;    # differs from the first method
  }

  upstream master {
      server 172.16.7.31:8080 weight=1;    # differs from the first method
  }
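  # Plain-HTTP listener: its only job is to send every request to HTTPS.
  server {
      listen 80;
      # NOTE(review): these names (hbc315.com) differ from the server_name of
      # the 443 server block (mysite.com); both blocks should list the same hosts.
      server_name test.hbc315.com master.hbc315.com;
      # A fixed redirect needs no regex rewrite; $request_uri carries the
      # original path and query string. Ports 80 and 443 are used together.
      return 301 https://$host$request_uri;
  }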
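  # HTTPS front end: terminates client TLS and forwards to Tomcat over plain HTTP.
  # The nginx-to-Tomcat hop is unencrypted, so it should stay on a trusted network.
  server {
      # The "ssl" parameter on listen enables TLS; the separate "ssl on;"
      # directive is deprecated and has been dropped.
      listen 443 ssl;
      # NOTE(review): the port-80 server block lists test.hbc315.com and
      # master.hbc315.com; both blocks should list the same hosts.
      server_name test.mysite.com master.mysite.com;

      ssl_certificate      server.pem;
      # Private key: keep it readable only by the account that starts nginx.
      ssl_certificate_key  server.key;
      ssl_session_timeout  5m;

      # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13+
      # built against OpenSSL 1.1.1+; remove it from the list on older builds.
      ssl_protocols TLSv1.2 TLSv1.3;
      # Forward-secret AEAD suites only. The earlier "ALL:!ADH:..." string could
      # still admit anonymous-ECDH, RC4 and 3DES suites, depending on the OpenSSL build.
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
      ssl_prefer_server_ciphers on;

      location / {
          # Choose the upstream group from the prefix of the Host header.
          set $domain "";
          if ($http_host ~* "^(test)")   { set $domain "test"; }
          if ($http_host ~* "^(master)") { set $domain "master"; }
          # A request whose Host matches neither prefix (for example one made
          # by IP address) would reach proxy_pass with an empty host; reject it.
          if ($domain = "") { return 404; }

          proxy_pass http://$domain;           # differs from the first method

          proxy_http_version 1.1;
          proxy_set_header   Connection "";
          proxy_redirect     off;

          # Pass the original host and client address to Tomcat.
          proxy_set_header   Host            $host;
          proxy_set_header   X-Real-IP       $remote_addr;
          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
          # Differs from the first method. The header was misspelled
          # "X-Forwarded--Proto", which would not match the
          # protocolHeader="x-forwarded-proto" value configured on the Tomcat side.
          proxy_set_header   X-Forwarded-Proto https;

          # NOTE(review): 500m request bodies and 600-second timeouts are
          # generous; tighten them if the application does not need them.
          client_max_body_size       500m;
          client_body_buffer_size    1m;
          proxy_connect_timeout      600;
          proxy_send_timeout         600;
          proxy_read_timeout         600;
          proxy_buffer_size          400k;
          proxy_buffers              4 1m;
          proxy_busy_buffers_size    2m;
          proxy_temp_file_write_size 1m;
      }
  }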
  2. tomcat configuration:
  Configure server.xml file(On the basis of the default configuration file):
  1) Add port proxy forwarding:
  # Add a line parameters
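  2) Add a tag with these values (the opening of the tag is missing from this page; remoteIpHeader and protocolHeader are attributes of Tomcat's RemoteIpValve):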

    remoteIpHeader="x-forwarded-for"
  remoteIpProxiesHeader="x-forwarded-by"
  protocolHeader="x-forwarded-proto"/>
