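Log in to Tencent Cloud and click Cloud Products ==> SSL Certificates.
The default option is fine.
View the certificate details.
After you apply, the review is completed within one working day.
Download the certificate, upload it to the server and extract it to a directory of your choice (the archive contains certificates for Apache, Nginx, Tomcat and IIS; pick the one you need).
Next, set up nginx, tomcat and the JDK. You can refer to my blog for how to set up these services; I won't explain that here.
Create a cert directory and copy the certificate files from the Nginx directory into nginx's cert directory. In the listings below, 域名 stands for your domain name.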
```
[root@tanbaobao Nginx]# ls
1_域名_bundle.crt  2_域名.key
[root@tanbaobao Nginx]# pwd
/usr/local/src/tourby.cn/Nginx
[root@tanbaobao Nginx]# mkdir /usr/local/nginx/conf/cert
[root@tanbaobao Nginx]# cp * /usr/local/nginx/conf/cert/
```
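Edit the nginx.conf file. In the listings below, 本地ip and upstream名称 both stand for the upstream name, and ip for the backend server address.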
```
[root@tanbaobao conf]# pwd
/usr/local/nginx/conf
[root@tanbaobao conf]# cat nginx.conf
#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    keepalive_timeout 65;

    upstream 本地ip {
        # Set weights; a server with a higher weight is preferred
        server ip:8080;
    }

    # Include external conf files
    include /usr/local/nginx/conf/thy/*.conf;
}
```
```
[root@tanbaobao conf]# cd thy/
[root@tanbaobao thy]# cat wssl.conf
# 2020-01-07 Configure https access (ssl)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name 域名;
    # Force http to https. The request is redirected here and then reaches the
    # https server below, so no location / {} is needed here. This is important:
    # it took me half a day, and I only solved it after asking a friend.
    rewrite ^(.*) https://$server_name$1 permanent;

    #location / {
    #    proxy_pass http://upstream名称;
    #    proxy_set_header Host $host;
    #    proxy_set_header Cookie $http_cookie;
    #    proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_connect_timeout 600;
    #    proxy_read_timeout 600;
    #    proxy_send_timeout 600;
    #}

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    # SSL port 443
    listen 443 ssl;
    # Domain name the certificate is bound to
    server_name 域名;
    charset UTF-8;
    # Enable SSL
    # ssl on;
    # Certificate file
    ssl_certificate /usr/local/nginx/conf/cert/1_域名_bundle.crt;
    # Private key file
    ssl_certificate_key /usr/local/nginx/conf/cert/2_域名.key;
    # ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Configure the cipher suites as follows; the syntax follows the openssl standard
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    proxy_ssl_server_name on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    proxy_ssl_session_reuse off;

    # Default
    location / {
        root html;
        index index.html index.htm;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
        proxy_pass http://upstream名称/beian/;
    }
}
```
PS: note that with `ssl on` enabled, checking the configuration file for errors reports: the "ssl" directive is deprecated, use the "listen ... ssl"
After commenting out `ssl on`, the problem is resolved.
```
[root@tanbaobao thy]# nginx -c /usr/local/nginx/conf/nginx.conf
[root@tanbaobao thy]# nginx -s reload
```
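Tomcat needs no changes here: nginx handles the HTTPS requests, and nginx and tomcat still talk to each other over HTTP.
Copy the project into tomcat's webapps directory, start the tomcat service and visit the domain to reach the beian project.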
```
[root@tanbaobao thy]# /usr/local/tomcat-9.0.29/bin/startup.sh
```
In a browser, visit https://域名 (your domain). Because the rewrite above forces the redirect, requests over http are automatically converted to https.
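Two checks worth running against the finished setup, as an added example that is not part of the original post: the script flags legacy protocol versions (the `ssl_protocols` line in wssl.conf still enables TLSv1 and TLSv1.1) and an active `ssl on`, and reports a private key that is accessible beyond its owner. The function names, the sample config and the `2_example.key` file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit checks for the wssl.conf / cert layout described above.

# Report active (uncommented) TLS directives that should be changed.
audit_tls_conf() {
    awk '
        { sub(/#.*/, "") }    # strip comments so "# ssl on;" is not reported
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                # TLS 1.0/1.1 were formally deprecated by RFC 8996
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    printf "%s:%d: legacy protocol %s enabled\n", FILENAME, FNR, p
            }
        }
        $1 == "ssl" && $2 ~ /^on;?$/ {
            printf "%s:%d: deprecated \"ssl on\", use \"listen ... ssl\"\n", FILENAME, FNR
        }
    ' "$1"
}

# Report a private key that anyone other than its owner can access.
audit_key_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ] || echo "$1: key mode allows group/other access ($perms), use chmod 600"
}

# Constructed sample mirroring the directives in the wssl.conf shown above.
make_sample() {
    cat > "$1/wssl.conf" <<'EOF'
server {
    listen 443 ssl;
    # ssl on;
    ssl_certificate_key /usr/local/nginx/conf/cert/2_example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    : > "$1/2_example.key"          # empty stand-in for the private key file
    chmod 644 "$1/2_example.key"    # constructed: world-readable mode
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
audit_tls_conf "$sample_dir/wssl.conf"
audit_key_perms "$sample_dir/2_example.key"
```

On the real host, point the two functions at /usr/local/nginx/conf/thy/wssl.conf and the key under /usr/local/nginx/conf/cert/.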