标签:nginx 代理
一.配置tomcat
生成私钥
openssl genrsa -out tomcatkey.pem
2. 使用私钥自签证书
openssl req -new -x509 -key tomcatkey.pem -out tomcatca.pem -days 1095
3.配置tomcat的https连接器,修改server.xml文件,这里是配置的apr模式
<Connector port="8443" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLCertificateFile="/home/hxtest/tomcat6/conf/ssl/tomcatca.pem" SSLCertificateKeyFile="/home/hxtest/tomcat6/conf/ssl/tomcatkey.pem" maxThreads="500" scheme="https" secure="true" sslProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLVerifyClient="optional" />
二.配置nginx
1.生成私钥
openssl genrsa -des3 -out ssl.key 1024
2.创建证书签名请求(CSR)
openssl req -new -key ssl.key -out ssl.csr
3.清除SSL启动nginx时提示必须输入密钥
cp ssl.key ssl.key.org
openssl rsa -in ssl.key.org -out ssl.key
4.使用刚生成的私钥和CSR进行证书签名
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
5.把私钥和证书加入到nginx.conf的配置文件中
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
三.配置nginx 使用https协议代理tomcat。
# HTTPS server
#
server {
listen 443 ;
server_name 192.168.100.2;#本机nginx的IP地址
ssl on;
### SSL log files ###
access_log /var/log/nginx/ssl-access.log;
error_log /var/log/nginx/ssl-error.log;
### SSL cert files ###
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
### Limiting Ciphers ########################
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Intermediate configuration. tweak to your needs.
# ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nonsniff;
##############################################
### We want full access to SSL via backend ###
location / {
proxy_pass https://192.168.100.2:8443;#代理的tomcat的IP地址
# root html;
index index.html index.htm index.php;
# proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# add_header Front-End-Https on;
# proxy_redirect off;
}
本文出自 “服务器运维” 博客,请务必保留此出处http://shamereedwine.blog.51cto.com/5476890/1790398
标签:nginx 代理
原文地址:http://shamereedwine.blog.51cto.com/5476890/1790398