Nginx + Tomcat 8.5: Enabling SSL/HTTPS
阿新 • Published: 2019-01-26
I. Obtaining an SSL certificate
II. Configuring SSL in Nginx
server {
    # "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1;
    # enable TLS on the listen socket instead
    listen 443 ssl;
    server_name localhost;
    ssl_certificate cert/xxx.pem;
    ssl_certificate_key cert/xxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2
    # (and TLSv1.3 where the nginx/OpenSSL build supports it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
For the remaining directives, see the official nginx documentation.
Redirecting port 80 to port 443:
server {
    listen 80;
    server_name localhost;
    rewrite ^(.*)$ https://$host$1 permanent;
}
Possible problems:
1. Nginx was built without the SSL module:
Error:
./configure: error: the HTTP cache module requires md5 functions from OpenSSL library. You can either disable the module by using --without-http-cache option, or install the OpenSSL library into the system, or build the OpenSSL library statically from the source with nginx by using --with-http_ssl_module --with-openssl=<path> options.
Fix:
1. Install openssl and openssl-devel:
yum -y install openssl openssl-devel
2. If they are already installed but the error persists, pass the OpenSSL source path to configure explicitly (note the space before --with-openssl):
./configure --with-http_v2_module --with-http_ssl_module --with-openssl=/work/openssl-1.0.2n
3. Nginx can be upgraded as follows:
4. If the previously installed Nginx lacks the SSL module, see the following link to upgrade:
5. After upgrading, be sure to restart Nginx. Note: a full restart, not just reloading the configuration file!!!
That completes the basic Nginx configuration.
III. Configuring SSL in Tomcat 8 (OpenSSL)
Note: Tomcat 8 supports two SSL configuration styles: APR and JSSE.
IV. Configuration notes
1. Alibaba Cloud SLB (https) + Nginx (http) + Tomcat (http): the load balancer terminates TLS and talks to the backend over HTTP
a. Enable HTTPS on the Alibaba Cloud SLB, upload the certificate, and enable X-Forwarded-Proto in the advanced settings
b. Nginx needs no SSL configuration; it only has to listen on HTTP
c. In Tomcat's server.xml, add the following under the Host element (mainly so the client's original scheme, http or https, is recorded):
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"/>
2. Nginx (https) + Tomcat (http): client -> (HTTPS) Nginx -> (HTTP) Tomcat
a. Nginx SSL configuration:
user nobody;
worker_processes auto;
pid logs/nginx.pid;

events {
    use epoll;
    worker_connections 65535;
}

http {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Put the scheme the client actually used (http or https) into the request
    # headers; this overwrites any X-Forwarded-Proto value the client sent itself
    proxy_set_header X-Forwarded-Proto $scheme;

    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        # "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1;
        # enable TLS on the listen socket instead
        listen 443 ssl;
        server_name 127.0.0.1;
        ssl_certificate cert/214404386550201.pem;
        ssl_certificate_key cert/214404386550201.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2
        # (and TLSv1.3 where the nginx/OpenSSL build supports it)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        # "location ~*/*" is a case-insensitive regex that matches every URI;
        # the plain prefix location "/" does the same more clearly
        location / {
            proxy_pass http://backend;
        }
    }
}
b. Tomcat must take the client's original protocol from the request header. In server.xml, add the following under the Host element (mainly so the client's original scheme, http or https, is recorded):
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"/>
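The two RemoteIpValve snippets above (the SLB case and the Nginx case) only honour X-Forwarded-For and X-Forwarded-Proto when the TCP peer matches the valve's internalProxies pattern, so a client that reaches port 8080 directly cannot spoof its address or claim it came over HTTPS. The following Python model of that logic is an added example, not Tomcat's code; it assumes Tomcat 8.5's documented default internalProxies pattern and the valve's documented right-to-left processing of X-Forwarded-For, and all addresses in it are constructed test values.

```python
import re

# Tomcat 8.5's documented default for RemoteIpValve's internalProxies attribute:
# private (RFC 1918), link-local and loopback addresses. Any other peer is untrusted.
DEFAULT_INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)


def remote_ip_valve(remote_addr, headers, orig_scheme="http", orig_port=8080,
                    internal_proxies=DEFAULT_INTERNAL_PROXIES,
                    remote_ip_header="X-Forwarded-For",
                    protocol_header="X-Forwarded-Proto",
                    protocol_header_https_value="https"):
    """Model (not Tomcat's code) of what RemoteIpValve, configured as on this page,
    leaves in the request. remote_addr is the TCP peer Tomcat sees; headers is a
    dict keyed by lower-case header name. Returns (client_ip, scheme, secure, port).
    """
    # Step 1: forwarded headers are honoured only if the peer is an internal proxy.
    # A client that connects to the Tomcat connector directly is left untouched.
    if not internal_proxies.fullmatch(remote_addr):
        return remote_addr, orig_scheme, orig_scheme == "https", orig_port

    # Step 2: walk X-Forwarded-For right to left, skipping internal proxy hops;
    # the first address that is not an internal proxy is taken as the real client.
    client_ip = remote_addr
    hops = [h.strip() for h in headers.get(remote_ip_header.lower(), "").split(",")
            if h.strip()]
    for hop in reversed(hops):
        client_ip = hop
        if not internal_proxies.fullmatch(hop):
            break

    # Step 3: X-Forwarded-Proto (set by Nginx from $scheme) decides scheme/secure/port;
    # when the proxy sent no such header, the connector's own values are kept.
    proto = headers.get(protocol_header.lower())
    if proto is None:
        return client_ip, orig_scheme, orig_scheme == "https", orig_port
    if proto.lower() == protocol_header_https_value.lower():
        return client_ip, "https", True, 443   # httpsServerPort default
    return client_ip, "http", False, 80        # httpServerPort default
```

Run it with a request arriving from 127.0.0.1 (Nginx) carrying X-Forwarded-Proto: https, and again with the same headers from a public address, to see the second one ignored.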