
Two ways to configure HTTPS with nginx + tomcat

Date: 2016-07-22 23:21:02

Tags: https

# The first method:

— Nginx and Tomcat both use HTTPS:

1. nginx configuration:

    upstream test {
        server 172.16.7.30:8443 weight=1;
    }

    upstream master {
        server 172.16.7.31:8443 weight=1;
    }

    server {
        listen 80;
        server_name test.hbc315.com master.hbc315.com;
        # Ports 80 and 443 are used together: redirect requests from port 80 to 443
        rewrite ^(.*)$ https://$host$1 permanent;
    }

    server {
        listen 443 ssl;
        server_name test.mysite.com master.mysite.com;

        # Obsolete since nginx 1.15.0; "listen 443 ssl" already enables TLS, so this line can be dropped
        ssl                  on;
        ssl_certificate      server.pem;
        ssl_certificate_key  server.key;
        ssl_session_timeout  5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers  HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        # "ALL" also admits LOW-strength suites; the HIGH-based string above is the stricter choice
        ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
        ssl_prefer_server_ciphers   on;

        location / {
            # Choose the upstream group from the start of the Host header
            set $domain "";
            if ($http_host ~* "^(test)" ) {set $domain "test";}
            if ($http_host ~* "^(master)" ) {set $domain "master";}

            # HTTPS to Tomcat; nginx does not verify the upstream certificate unless proxy_ssl_verify is on
            proxy_pass https://$domain;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_redirect          off;
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header        X-Forwarded-Proto https;

            client_max_body_size    500m;
            client_body_buffer_size 1m;
            proxy_connect_timeout   600;
            proxy_send_timeout      600;
            proxy_read_timeout      600;
            proxy_buffer_size       400k;
            proxy_buffers           4 1m;
            proxy_busy_buffers_size 2m;
            proxy_temp_file_write_size 1m;
        }
    }

2. tomcat configuration:

1) Execute the following command to generate the certificate key:

    # keytool -genkey -alias tomcat -keyalg RSA -keystore /root/tomcat/conf/ssl.keystore
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  192.16.7.30        # domain or IP
    What is the name of your organizational unit?
      [Unknown]:  hbc
    What is the name of your organization?
      [Unknown]:  hbc
    What is the name of your City or Locality?
      [Unknown]:  bj
    What is the name of your State or Province?
      [Unknown]:  bj
    What is the two-letter country code for this unit?
      [Unknown]:  cn                 # CN is the country code for China
    Is CN=192.16.7.30, OU=hbc, O=hbc, L=bj, ST=bj, C=cn correct?
      [no]:  y

    Enter key password for <tomcat>
    (RETURN if same as keystore password):
    Re-enter new password:


2) Configure server.xml:

    <!-- keystorePass is the keystore password set in the step above -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/root/tomcat/conf/ssl.keystore"
               keystorePass="tomcat" />



=========================================


# The second method:

— Nginx uses HTTPS; Nginx talks to Tomcat over HTTP

1. nginx configuration:

    upstream test {
        server 172.16.7.30:8080 weight=1;    # differs from the first method
    }

    upstream master {
        server 172.16.7.31:8080 weight=1;    # differs from the first method
    }

    server {
        listen 80;
        server_name test.hbc315.com master.hbc315.com;
        # Ports 80 and 443 are used together: redirect requests from port 80 to 443
        rewrite ^(.*)$ https://$host$1 permanent;
    }

    server {
        listen 443 ssl;
        server_name test.mysite.com master.mysite.com;

        # Obsolete since nginx 1.15.0; "listen 443 ssl" already enables TLS, so this line can be dropped
        ssl                  on;
        ssl_certificate      server.pem;
        ssl_certificate_key  server.key;
        ssl_session_timeout  5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers  HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        # "ALL" also admits LOW-strength suites; the HIGH-based string above is the stricter choice
        ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
        ssl_prefer_server_ciphers   on;

        location / {
            # Choose the upstream group from the start of the Host header
            set $domain "";
            if ($http_host ~* "^(test)" ) {set $domain "test";}
            if ($http_host ~* "^(master)" ) {set $domain "master";}

            proxy_pass http://$domain;               # differs from the first method
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_redirect          off;
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            # Differs from the first method; read by Tomcat's RemoteIpValve (protocolHeader)
            proxy_set_header        X-Forwarded-Proto https;

            client_max_body_size    500m;
            client_body_buffer_size 1m;
            proxy_connect_timeout   600;
            proxy_send_timeout      600;
            proxy_read_timeout      600;
            proxy_buffer_size       400k;
            proxy_buffers           4 1m;
            proxy_busy_buffers_size 2m;
            proxy_temp_file_write_size 1m;
        }
    }

2. tomcat configuration:

Edit the server.xml file (starting from the default configuration file):

1) Add the proxy port to the HTTP connector:

    <!-- redirectPort is changed from 8443 to 443; proxyPort is the added attribute -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               proxyPort="443"/>

2) Add this Valve inside the <Host> element:

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"/>
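
The second method only works if the header nginx sets is the one that RemoteIpValve's protocolHeader names: with a misspelt name Tomcat never sees nginx's value, and an X-Forwarded-Proto sent by the client is passed through untouched. The check below is an added example, not part of the original post; the two nginx snippets, the upstream name `backend` and the trimmed server.xml are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
NGINX_BAD = """
location / {
    proxy_pass http://backend;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded--Proto https;
}
"""
NGINX_GOOD = NGINX_BAD.replace("X-Forwarded--Proto", "X-Forwarded-Proto")
SERVER_XML = """
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"/>
  </Host>
</Engine></Service></Server>
"""
VALVE = "org.apache.catalina.valves.RemoteIpValve"

def nginx_headers(conf):
    """Return {lower-cased header name: value} for active proxy_set_header lines."""
    pattern = re.compile(r"^\s*proxy_set_header\s+(\S+)\s+([^;]+);", re.M)
    return {name.lower(): value.strip() for name, value in pattern.findall(conf)}

def valve_headers(server_xml):
    """Return the request headers that RemoteIpValve is configured to read."""
    out = {}
    for valve in ET.fromstring(server_xml).iter("Valve"):
        if valve.get("className") == VALVE:
            for attr in ("remoteIpHeader", "protocolHeader"):
                if valve.get(attr):
                    out[attr] = valve.get(attr).lower()
    return out

def check(conf, server_xml):
    """List valve headers nginx never sets (header names are case-insensitive)."""
    sent = nginx_headers(conf)
    return [f"{attr}={hdr!r} is not set by nginx"
            for attr, hdr in valve_headers(server_xml).items() if hdr not in sent]

if __name__ == "__main__":
    for label, conf in (("bad", NGINX_BAD), ("good", NGINX_GOOD)):
        print(label, check(conf, SERVER_XML) or "OK")
```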







This article is from the "zhenj8nanzhuce" blog; please keep this source link: http://784687488.blog.51cto.com/8774365/1828908
