  • nginx + tomcat配置https的两种方法

    # The first method:

    — Nginx uses HTTPS toward clients; Nginx talks to Tomcat over HTTPS as well:

    1. nginx configuration:

         upstream test {

            server 172.16.7.30:8443 weight=1;

         }

         upstream master {

            server 172.16.7.31:8443 weight=1;

         }

    server {

             listen 80;

             server_name test.hbc315.com master.hbc315.com;

             rewrite ^(.*)$ https://$host$1 permanent;              # Used together ports 80 and 443; Redirect request port from 80 to 443

         }

         server {

             listen 443 ssl;

             server_name test.mysite.com master.mysite.com;

    ssl                   on; 

             ssl_certificate       server.pem; 

             ssl_certificate_key   server.key; 

             ssl_session_timeout   5m; 

             ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

             #ssl_ciphers   HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM; 

             ssl_ciphers  ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;

             ssl_prefer_server_ciphers    on;

             location / { 

                     set $domain "";

                     if ($http_host ~* "^(test)" ) {set $domain "test";}

                     if ($http_host ~* "^(master)" ) {set $domain "master";}

                     proxy_pass  https://$domain;

                     proxy_http_version  1.1;

                     proxy_set_header  Connection "";

                     proxy_redirect           off;

                     proxy_set_header         Host $host;

                     proxy_set_header         X-Real-IP $remote_addr;

                     proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

       #proxy_set_header     X-Forwarded--Proto https;

                     client_max_body_size     500m;

                     client_body_buffer_size  1m;

                     proxy_connect_timeout    600;

                     proxy_send_timeout       600;

                     proxy_read_timeout       600;

                     proxy_buffer_size        400k;

                     proxy_buffers            4 1m;

                     proxy_busy_buffers_size  2m;

                     proxy_temp_file_write_size  1m;

             }

         }

    2. tomcat configuration:

    1) Execute the following command:

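    # NOTE: the leading '#' on the command line below is the root shell prompt, not a comment.
    # Generates an RSA key pair plus a self-signed certificate in the Tomcat keystore.
    #   -keysize 2048  : explicit key size (older JDKs defaulted to 1024)
    #   -validity DAYS : DAYS is a placeholder; keytool's default is 90 days, after which Tomcat's certificate expires
    #   -ext SAN=...   : Subject Alternative Name; verifiers match it, not the CN asked for below
    # keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity DAYS -ext SAN=ip:192.16.7.30 -keystore /root/tomcat/conf/ssl.keystore       # Generate certificate KEY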

    Enter keystore password:  

    Re-enter new password: 

    What is your first and last name?

         [Unknown]:  192.16.7.30 # the server's domain name or IP address

    What is the name of your organizational unit?

         [Unknown]:  hbc

    What is the name of your organization?

         [Unknown]:  hbc

    What is the name of your City or Locality?

         [Unknown]:  bj

    What is the name of your State or Province?

         [Unknown]:  bj

    What is the two-letter country code for this unit?

         [Unknown]:  cn # two-letter country code for China

    Is CN=192.16.7.30, OU=hbc, O=hbc, L=bj, ST=bj, C=cn correct?

         [no]:  y

    Enter key password for <tomcat>

    (RETURN if same as keystore password):  

    Re-enter new password:

    2) Configure server.xml:

         <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

                    maxThreads="150"

    SSLEnabled="true"

    scheme="https"

    secure="true"

                    clientAuth="false" sslProtocol="TLS" 

            keystoreFile="/root/tomcat/conf/ssl.keystore"

            keystorePass="tomcat" /> # The above steps to set the password

    =========================================

    # The second method:

    — Nginx uses HTTPS toward clients; Nginx talks to Tomcat over plain HTTP

    1. nginx configuration:

         upstream test {

            server 172.16.7.30:8080 weight=1; # Here is different from above

         }

         upstream master {

            server 172.16.7.31:8080 weight=1; # Here is different from above

         }

    server {

             listen 80;

             server_name test.hbc315.com master.hbc315.com;

             rewrite ^(.*)$ https://$host$1 permanent;              # Used together ports 80 and 443; Redirect request port from 80 to 443

         }

         server {

             listen 443 ssl;

             server_name test.mysite.com master.mysite.com;

    ssl                   on; 

             ssl_certificate       server.pem; 

             ssl_certificate_key   server.key; 

             ssl_session_timeout   5m; 

             ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

             #ssl_ciphers   HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM; 

             ssl_ciphers  ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;

             ssl_prefer_server_ciphers    on;

             location / { 

                     set $domain "";

                     if ($http_host ~* "^(test)" ) {set $domain "test";}

                     if ($http_host ~* "^(master)" ) {set $domain "master";}

                     proxy_pass  http://$domain;               # Here is different from above

                     proxy_http_version  1.1;

                     proxy_set_header  Connection "";

                     proxy_redirect           off;

                     proxy_set_header         Host $host;

                     proxy_set_header         X-Real-IP $remote_addr;

                     proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

       proxy_set_header     X-Forwarded--Proto https;               # Here is different from above

                     client_max_body_size     500m;

                     client_body_buffer_size  1m;

                     proxy_connect_timeout    600;

                     proxy_send_timeout       600;

                     proxy_read_timeout       600;

                     proxy_buffer_size        400k;

                     proxy_buffers            4 1m;

                     proxy_busy_buffers_size  2m;

                     proxy_temp_file_write_size  1m;

             }

         }

    2. tomcat configuration:

    Configure the server.xml file (starting from the default configuration file):

    1) Set the proxy port on the HTTP connector:

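    <!-- Plain-HTTP connector used by method 2. Only the nginx hosts should be able
         to reach this port: anything that connects to 8080 directly can also supply
         its own X-Forwarded-* headers.
         redirectPort: 443 instead of the default 8443, so redirects to a confidential
         resource point at nginx's TLS port.
         proxyPort: the port the application sees (request.getServerPort()), because
         clients connect to nginx on 443, not to Tomcat on 8080. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               proxyPort="443" />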

    2) Add the following valve inside the <Host> element:

    <!-- Rewrites the request's remote address and scheme from the headers nginx
         sets, so the application sees the real client IP and isSecure() is true
         for requests that arrived over HTTPS. The header names here must match
         what nginx sends (X-Forwarded-For and X-Forwarded-Proto; Tomcat compares
         them case-insensitively).
         The valve honours these headers only when the connecting peer matches
         internalProxies; the default pattern covers the private address ranges,
         so narrow it to the nginx address(es) with internalProxies="..." if other
         hosts on those ranges are not trusted. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />

  • 原文地址:https://www.cnblogs.com/telwanggs/p/14977391.html