nginx + tomcat配置https的兩種方法

# The first method:

— Both Nginx and Tomcat use HTTPS:

1. nginx configuration:

    upstream test {

       server 172.16.7.30:8443 weight=1;

    }


    upstream master {

       server 172.16.7.31:8443 weight=1;

    }


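server {
    listen 80;
    # NOTE(review): the HTTPS server block on this page lists test.mysite.com /
    # master.mysite.com; both blocks should name the same hosts, otherwise the
    # redirect target is served by a different vhost than the one redirecting.
    server_name test.hbc315.com master.hbc315.com;

    # Port 80 exists only to send clients to 443. `return 301` with $request_uri
    # is the idiomatic form of the original `rewrite ^(.*)$ ... permanent`:
    # no regex, and the original URI plus query string is forwarded verbatim.
    return 301 https://$host$request_uri;
}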


    server {

        listen 443 ssl;

        server_name test.mysite.com master.mysite.com;


ssl                  on; 

        ssl_certificate      server.pem; 

        ssl_certificate_key  server.key; 

        ssl_session_timeout  5m; 

        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

        #ssl_ciphers  HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM; 

        ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;

        ssl_prefer_server_ciphers   on;


        location / { 

                set $domain "";

                if ($http_host ~* "^(test)" ) {set $domain "test";}

                if ($http_host ~* "^(master)" ) {set $domain "master";}

                proxy_pass https://$domain;

                proxy_http_version 1.1;

                proxy_set_header Connection "";

                proxy_redirect          off;

                proxy_set_header        Host $host;

                proxy_set_header        X-Real-IP $remote_addr;

                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

  #proxy_set_header   X-Forwarded--Proto https;

                client_max_body_size    500m;

                client_body_buffer_size 1m;

                proxy_connect_timeout   600;

                proxy_send_timeout      600;

                proxy_read_timeout      600;

                proxy_buffer_size       400k;

                proxy_buffers           4 1m;

                proxy_busy_buffers_size 2m;

                proxy_temp_file_write_size 1m;

        }

    }

2. tomcat configuration:

1) Execute the following command:

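# keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore /root/tomcat/conf/ssl.keystore       # Generate a keystore holding a self-signed RSA key pair. -keysize is explicit because older JDKs default to 1024-bit RSA; -validity is explicit because keytool's default is 90 days (365 is a sample value — adjust)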

Enter keystore password:  

Re-enter new password: 

What is your first and last name?

    [Unknown]:  192.16.7.30 # the server's domain name or IP address

What is the name of your organizational unit?

    [Unknown]:  hbc

What is the name of your organization?

    [Unknown]:  hbc

What is the name of your City or Locality?

    [Unknown]:  bj

What is the name of your State or Province?

    [Unknown]:  bj

What is the two-letter country code for this unit?

    [Unknown]:  cn # the two-letter country code for China

Is CN=192.16.7.30, OU=hbc, O=hbc, L=bj, ST=bj, C=cn correct?

    [no]:  y


Enter key password for <tomcat>

(RETURN if same as keystore password):  

Re-enter new password:


2) Configure server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

               maxThreads="150"

SSLEnabled="true"

scheme="https"

secure="true"

               clientAuth="false" sslProtocol="TLS" 

      keystoreFile="/root/tomcat/conf/ssl.keystore"

      keystorePass="tomcat" /> # The above steps to set the password



=========================================


# The second method:

— Nginx uses HTTPS; Nginx talks to Tomcat over plain HTTP

1. nginx configuration:

    upstream test {

       server 172.16.7.30:8080 weight=1; # Here is different from above

    }


    upstream master {

       server 172.16.7.31:8080 weight=1; # Here is different from above

    }


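server {
    listen 80;
    # NOTE(review): the HTTPS server block on this page lists test.mysite.com /
    # master.mysite.com; both blocks should name the same hosts, otherwise the
    # redirect target is served by a different vhost than the one redirecting.
    server_name test.hbc315.com master.hbc315.com;

    # Port 80 exists only to send clients to 443. `return 301` with $request_uri
    # is the idiomatic form of the original `rewrite ^(.*)$ ... permanent`:
    # no regex, and the original URI plus query string is forwarded verbatim.
    return 301 https://$host$request_uri;
}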


    server {

        listen 443 ssl;

        server_name test.mysite.com master.mysite.com;


ssl                  on; 

        ssl_certificate      server.pem; 

        ssl_certificate_key  server.key; 

        ssl_session_timeout  5m; 

        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

        #ssl_ciphers  HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM; 

        ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;

        ssl_prefer_server_ciphers   on;


        location / { 

                set $domain "";

                if ($http_host ~* "^(test)" ) {set $domain "test";}

                if ($http_host ~* "^(master)" ) {set $domain "master";}

                proxy_pass http://$domain;               # Here is different from above

                proxy_http_version 1.1;

                proxy_set_header Connection "";

                proxy_redirect          off;

                proxy_set_header        Host $host;

                proxy_set_header        X-Real-IP $remote_addr;

                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_set_header   X-Forwarded--Proto https;               # Here is different from above

                client_max_body_size    500m;

                client_body_buffer_size 1m;

                proxy_connect_timeout   600;

                proxy_send_timeout      600;

                proxy_read_timeout      600;

                proxy_buffer_size       400k;

                proxy_buffers           4 1m;

                proxy_busy_buffers_size 2m;

                proxy_temp_file_write_size 1m;

        }

    }

2. tomcat configuration:

Configure the server.xml file (starting from the default configuration file):

1) Configure the HTTP connector for proxy forwarding:

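<!-- Plain-HTTP connector that receives traffic from nginx in the second method. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"
           proxyPort="443" />
<!-- The original trailing "# ..." remarks are not valid XML; notes belong in comments.
     redirectPort: changed from the default 8443 to 443 so that redirects triggered
     by a security-constraint go to the public HTTPS port served by nginx rather
     than to a Tomcat connector. proxyPort: the added attribute; it is the port
     Tomcat reports to the web application so absolute URLs it generates use 443.
     Tomcat itself only speaks HTTP here; marking the request as secure is the
     job of the RemoteIpValve configured on the Host element. -->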

2) Add the following Valve inside the <Host> element:

<!-- Trust nginx's forwarding headers: the client address is taken from
     X-Forwarded-For and the request is marked secure when X-Forwarded-Proto says
     https, which is what makes isSecure()/getScheme() and the proxyPort-based
     redirects come out right behind the HTTP-only connector.
     The valve only honours these headers when the immediate peer matches its
     internalProxies pattern. NOTE(review): confirm the nginx host's address is
     covered by the default pattern (private ranges) or set internalProxies
     explicitly; otherwise the headers are ignored and requests from nginx are
     treated as plain HTTP. Keeping that pattern tight is also what stops a
     client reaching Tomcat directly from forging these headers. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
                   remoteIpProxiesHeader="x-forwarded-by"
                   protocolHeader="x-forwarded-proto"/>






