这篇过气了!
重新补一个:http://www.cnblogs.com/hackyo/p/6809773.html
由于需要,得搭建个nginx+tomcat+https的服务器,搜了搜网上的发现总是有错,现在整理了些有用的,备忘。
环境:Centos6.5、JDK1.8、Tomcat8.5、Nginx1.10.2
准备材料:
1.JDK1.8安装包jdk-8u131-linux-x64.tar.gz
下载地址:http://www.oracle.com/technetwork/java/javase/downloads/index.html
2.Tomcat8安装包apache-tomcat-8.5.14.tar.gz
下载地址:http://tomcat.apache.org/download-80.cgi
3.Nginx1.10.2安装包nginx-1.10.2.tar.gz
下载地址:http://nginx.org/en/download.html
1、JDK安装配置
解压并安装到/usr/local/jdk
[root@localhost ~]# tar zxvf jdk-8u131-linux-x64.tar.gz
[root@localhost ~]# mv jdk1.8.0_131 /usr/local/jdk
配置JDK环境变量
[root@localhost ~]# vi /etc/profile
在底部加入以下内容
JAVA_HOME=/usr/local/jdk
JRE_HOME=$JAVA_HOME/jre
CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib:$CLASSPATH
PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH
export JAVA_HOME JRE_HOME PATH CLASSPATH
应用环境变量
[root@localhost ~]# source /etc/profile
检测是否成功,显示版本说明成功
[root@localhost ~]# java -version
2、Tomcat安装配置
解压并安装到/usr/local/tomcat
[root@localhost ~]# tar zxvf apache-tomcat-8.5.14.tar.gz
[root@localhost ~]# mv apache-tomcat-8.5.14 /usr/local/tomcat
默认tomcat是root身份运行的,这样不安全,这里设置普通用户运行
[root@localhost ~]# groupadd tomcat
[root@localhost ~]# useradd -g tomcat tomcat
[root@localhost ~]# passwd tomcat
[root@localhost ~]# chown tomcat.tomcat -R /usr/local/tomcat
编辑Tomcat配置文件,开启https服务
[root@localhost ~]# vi /usr/local/tomcat/conf/server.xml
找到这行
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
修改为
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/cert.jks"
certificateKeystorePassword="此处修改为证书密码"
certificateKeyAlias="此处修改为证书别名"
type="RSA" />
</SSLHostConfig>
</Connector>
证书可自制,也可以免费申请到。
一般需要将证书转换为jks格式,可通过这里来在线转换https://www.chinassl.net/ssltools/convert-ssl.html
其中certificateKeystoreFile为证书文件的路径,certificateKeystorePassword为证书密码
certificateKeyAlias为证书别名,可使用JDK自带的工具查看,命令行:keytool -list -v -keystore mykey.jks -storepass mypassword
保存文件并退出
这样一来https就可以访问了,但是https并不是强制使用,所以还要继续设置
编辑Tomcat配置文件,强制使用https
[root@localhost ~]# vi /usr/local/tomcat/conf/web.xml
在最后的</welcome-file-list>后面加上下面的代码
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
这样Tomcat的https便配置成功。
此时可以启动Tomcat服务器,并且访问8080端口已经可以看到小猫了。
[root@localhost ~]# /usr/local/tomcat/bin/startup.sh
2、Nginx安装配置
配置Nginx用户
[root@localhost ~]# groupadd nginx
[root@localhost ~]# useradd -g nginx -s /sbin/nologin nginx
升级系统,并安装依赖包
[root@localhost ~]# yum -y update
[root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc
解压并进入文件夹
[root@localhost ~]# tar zxvf nginx-1.10.2.tar.gz
[root@localhost ~]# cd nginx-1.10.2
配置安装
[root@localhost nginx-1.10.2]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module
[root@localhost nginx-1.10.2]# make && make install
配置Nginx
[root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf
这一步需要手动将ssl证书放入/usr/local/nginx/conf/目录下,分别为cert.crt和cert.key文件
证书可自制,也可以免费申请到。
如果申请到证书为其他格式,可通过这里来在线转换https://www.chinassl.net/ssltools/convert-ssl.html
nginx主配置文件
user nginx nginx;
worker_processes ;
error_log logs/error.log;
pid logs/nginx.pid; events {
use epoll;
worker_connections ;
} http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main; proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout ;
proxy_send_timeout ;
proxy_read_timeout ;
proxy_buffer_size 4k;
proxy_buffers 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k; sendfile on;
keepalive_timeout ;
gzip on;
gzip_min_length 1k;
gzip_buffers 16k;
gzip_http_version 1.0;
gzip_comp_level ;
gzip_types text/plain application/x-javascripttext/css application/xml;
gzip_vary on; server {
listen ;
server_name www.xxx.cn xxx.cn;
return https://$server_name$request_uri;
} server {
listen ssl;
server_name www.xxx.cn xxx.cn;
ssl_certificate cert.crt;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /usr/local/tomcat/webapps/ROOT;
index index.html index.jsp index.htm;
}
location ~ .*.(jsp|servlet)$ {
index index.html index.jsp index.htm;
proxy_pass https://127.0.0.1:8443;
}
location /nginxstatus {
stub_status on;
access_log on;
auth_basic "nginxstatus";
auth_basic_user_file /usr/local/nagois/etc/htpasswd.users;
}
error_page /Error.html;
}
}
最后启动Nginx服务器
[root@localhost ~]# /usr/local/nginx/sbin/nginx