Nginx ssL +Tomcat实现https

1、nginx的配置

upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

# HTTPS server
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      你的证书.crt;
    ssl_certificate_key  你的秘钥.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;  # 很关键
        proxy_redirect off;
        proxy_connect_timeout      240;
        proxy_send_timeout         240;
        proxy_read_timeout         240;
        # note, there is not SSL here! plain HTTP is used
        proxy_pass http://tomcat;
    }
}

2、Tomcat中server.xml配置

<?xml version=‘1.0‘ encoding=‘utf-8‘?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               proxyPort="443"/>  # 注意

    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
            <Valve className="org.apache.catalina.valves.RemoteIpValve"  # 注意
                  remoteIpHeader="x-forwarded-for"
                  remoteIpProxiesHeader="x-forwarded-by"
                  protocolHeader="x-forwarded-proto"
            />   # 注意
            <Context path="" docBase="/oschina/webapp" reloadable="false"/>
      </Host>
    </Engine>
  </Service>
</Server>

proxyPort代理端口配置443,如果某涉及到redis的话,也需要将redistport改成443。
Valve模块,此模块只能存在一个,此处为标准安全策略配置,格外注意portocolHeader的值。

Nginx ssL +Tomcat实现https

上一篇:netcat-flume-logger


下一篇:645 webpack常用plugins:clean-webpack-plugin,html-webpack-plugin,webpack.DefinePlugin,copy-webpack-plugin