Nginx SSL+tomcat集群,request.getScheme() 取到https正確的協議
轉自:http://feitianbenyue.iteye.com/blog/2056357
最近在做一個項目, 架構上使用了 Nginx +tomcat 集群, 且nginx下配置了SSL,tomcat no SSL,項目使用https協議
但是,明明是https url請求,發現 log裏面,
Xml代碼
- 0428 15:55:55 INFO (PaymentInterceptor.java:44) preHandle() - requestStringForLog: {
- "request.getRequestURL():": "http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6",
- "request.getMethod:": "GET",
- "_parameterMap": {
- "id": ["212"],
- "s": ["a84485e0985afe97fffd7fd7741c93851d83a4f6"]
- }
- }
瞬間要顛覆我的Java觀,API上寫得很清楚:
getRequestURL():
Java代碼
- Reconstructs the URL the client used to make the request.
- The returned URL contains a protocol, server name, port number, and server path,
- but it does not include query string parameters.
也就是說, getRequestURL() 輸出的是不帶query string的路經(含協議,端口,server path等信息).
並且,還發現
Xml代碼
- request.getScheme() //總是 http,而不是實際的http或https
- request.isSecure() //總是false(因為總是http)
- request.getRemoteAddr() //總是 nginx 請求的 IP,而不是用戶的IP
- request.getRequestURL() //總是 nginx 請求的URL 而不是用戶實際請求的 URL
- response.sendRedirect( 相對url ) //總是重定向到 http 上 (因為認為當前是 http 請求)
查閱了一些資料,找到了解決方案:
解決方法很簡單,只需要分別配置一下 Nginx 和 Tomcat 就好了,而不用改程序。
配置 Nginx 的轉發選項:
Xml代碼
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
配置Tomcat server.xml 的 Engine 模塊下配置一個 Valve:
Xml代碼- <Valve className="org.apache.catalina.valves.RemoteIpValve"
- remoteIpHeader="X-Forwarded-For"
- protocolHeader="X-Forwarded-Proto"
- protocolHeaderHttpsValue="https"/>
配置雙方的 X-Forwarded-Proto 就是為了正確地識別實際用戶發出的協議是 http 還是 https。
這樣以上5項測試就都變為正確的結果了,就像用戶在直接訪問 Tomcat 一樣。
關於 RemoteIpValve,有興趣的同學可以閱讀下 doc
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
Xml代碼
- Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").
- Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
看了下他們的源碼,比較簡單,在各種框架,各種算法面前,這個類對性能影響很小
- 如果沒有配置protocolHeader 屬性, 什麽都不做.
- 如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出來的值是null,什麽都不做
- 如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出來的值(忽略大小寫)是配置的protocolHeaderHttpsValue(默認https),scheme設置為https,端口設置為 httpsServerPort
- 其他設置為 http
Java代碼
- if (protocolHeader != null) {
- String protocolHeaderValue = request.getHeader(protocolHeader);
- if (protocolHeaderValue == null) {
- // don‘t modify the secure,scheme and serverPort attributes
- // of the request
- } else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
- request.setSecure(true);
- // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
- request.getCoyoteRequest().scheme().setString("https");
- request.setServerPort(httpsServerPort);
- } else {
- request.setSecure(false);
- // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
- request.getCoyoteRequest().scheme().setString("http");
- request.setServerPort(httpServerPort);
- }
- }
參考:
SSL證書與Https應用部署小結
http://han.guokai.blog.163.com/blog/static/136718271201211631456811/
Nginx SSL+tomcat集群,request.getScheme() 取到https正確的協議