• nginx 搭建https访问后端tomcat的http


    安装nginx

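    # Install nginx from the distro repository, then register it with systemd and start it.
    # The three steps are chained with && so a failed install (no repo, no network, wrong
    # package name) is not silently followed by enable/start of a unit that does not exist.
    yum install -y nginx \
      && systemctl enable nginx.service \
      && systemctl start nginx.service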

    配置https访问nginx


    nginx ssl配置
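    # Generate a self-signed certificate for nginx: server.key (private key),
    # server.csr (signing request) and server.crt (certificate).
    #
    # umask 077 makes every file created below owner-readable only. This matters because
    # step 4 writes the private key back to disk WITHOUT a passphrase; with the usual
    # umask 022 that plaintext key would be world-readable from the moment it is created.
    umask 077

    # 1. Create the passphrase-protected server key (server.key).
    #    The original used 1024 bits. RSA-1024 has been below the CA/Browser Forum minimum
    #    since 2014 and is rejected by OpenSSL at security level 2 (the default on several
    #    current distributions); 2048 is the smallest size that is still accepted everywhere.
    openssl genrsa -des3 -out server.key 2048
    # You are prompted for a passphrase and its confirmation; any value works, but remember
    # it, it is needed by the following steps.

    # 2. Create the certificate signing request (server.csr) from that key.
    openssl req -new -key server.key -out server.csr

    # 3. Keep a copy of the passphrase-protected key.
    cp server.key server.key.org

    # 4. Strip the passphrase so nginx can start without an interactive prompt.
    #    The resulting server.key is plaintext: keep it mode 0600 and owned by root.
    openssl rsa -in server.key.org -out server.key
    chmod 600 server.key server.key.org

    # 5. Self-sign the certificate (server.crt), valid for one year.
    #    -sha256 avoids the SHA-1 signature that older OpenSSL releases still use by default;
    #    SHA-1 certificates are refused by current browsers.
    openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out server.crt
    # The certificate itself is public; undo the umask for that one file.
    chmod 644 server.crt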

    nginx.conf配置如下

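    	upstream test_tomcat{
    		ip_hash;        # hash on the client IP so one client keeps hitting the same backend (keeps the Tomcat session)
    		server 10.99.201.64:80;
    		server 10.122.49.231:8081;
    		#server 10.122.49.231:8082;
    	}
    	server {
        		listen 80;
        		server_name dbss.lenovo.com;

      		# Send every plain-HTTP request to HTTPS. $server_name (the fixed name above) is used
      		# rather than $host on purpose: $host is taken from the client's Host header, and
      		# redirecting to it would let a forged Host header turn this into an open redirect.
      		# $request_uri carries the path and the query string; "return" replaces the original
      		# regex rewrite, which is the form nginx recommends for a whole-site redirect.
        		return 301 https://$server_name$request_uri;
    	}
    	server {
    		listen       443 ssl http2 default_server;
    		# Same name as the port-80 block (the original had "localhost"); default_server still
    		# makes this block answer any name that has no other match.
    		server_name  dbss.lenovo.com;

    		ssl_certificate "/etc/pki/nginx/server.crt";
    		ssl_certificate_key "/etc/pki/nginx/server.key";
    		ssl_session_cache shared:SSL:1m;
    		ssl_session_timeout  10m;
    		# Without ssl_protocols nginx uses its built-in default, which on older releases still
    		# includes TLSv1 and TLSv1.1. Pin the non-deprecated versions; drop TLSv1.3 only if the
    		# installed nginx/OpenSSL predate it (nginx < 1.13 / OpenSSL < 1.1.1 reject the token).
    		ssl_protocols TLSv1.2 TLSv1.3;
    		# HIGH:!aNULL:!MD5 still admits static-RSA key exchange and CBC suites with no forward
    		# secrecy; restrict TLS 1.2 to ECDHE + AEAD suites (TLS 1.3 suites are fixed separately).
    		ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    		ssl_prefer_server_ciphers on;
    		# HSTS: browsers that have seen this header refuse to go back to plain HTTP for a year.
    		# NOTE: add_header is NOT inherited into a location that declares its own add_header,
    		# so it is repeated inside "location /" below; here it covers the error-page locations.
    		add_header Strict-Transport-Security "max-age=31536000" always;
    		# Load configuration files for the default server block.
    		include /etc/nginx/default.d/*.conf;


    		location /{
    			proxy_pass http://test_tomcat;
    			# Forward the client address and the original scheme so the backend (Tomcat's
    			# RemoteIpValve) sees the real client IP and knows the request arrived over HTTPS.
    			proxy_set_header       Host $host;
    			proxy_set_header  X-Real-IP  $remote_addr;
    			proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    			proxy_set_header X-Forwarded-Proto https;     # constant: this server block only listens with TLS
    			proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    			# SECURITY NOTE: this attaches a wildcard CORS origin to EVERY proxied response, so any
    			# web site can read them cross-origin (credentialed requests are still refused by
    			# browsers for "*"). Keep it only if the application really is a public cross-origin
    			# API; otherwise name the specific origins that need access, or remove the line.
    			add_header Access-Control-Allow-Origin *;
    			# Repeated here because this location's own add_header disables inheritance (see above).
    			add_header Strict-Transport-Security "max-age=31536000" always;
    			proxy_redirect off;
    		}
    		#error_page 500 /500.json ;
    		#location ^~ /500 {
    		#root /usr/share/nginx/html ;
    		#}

    		error_page 404 /404.html;
    			location = /404.html {
    		}

    		error_page 500 502 503 504 /50x.html;
    			location = /50x.html {
    				root         /usr/share/nginx/html;
    		}
    	}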
    

      tomcat中server.xml的关键配置

    	<!-- proxyPort must be 443: it is the port the client used when talking to nginx, so
    	     redirects and absolute URLs that Tomcat generates point back at the TLS front end
    	     instead of at this plain-HTTP connector. -->
    
        <!-- Plain-HTTP connector that nginx proxies to. Nothing here limits who may connect:
             any host that can route to port 80 on this machine can bypass nginx entirely and
             set X-Forwarded-For / X-Forwarded-Proto to whatever it likes (see the valve below).
             Restrict reachability of this port to the nginx host, e.g. with a host firewall. -->
        <Connector port="80" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443" proxyPort="443"/>
    	<!-- NOTE(review): autoDeploy="true" deploys any WAR dropped into appBase while Tomcat is
    	     running; consider "false" outside development. The Host element is not closed in
    	     this excerpt; its remaining content is outside the page. -->
    	<Host name="localhost"  appBase=""
          unpackWARs="true" autoDeploy="true">
          <!-- RemoteIpValve rewrites the request's client address and scheme from the
               X-Forwarded-For / X-Forwarded-Proto headers that nginx sets, so the application sees
               the real client IP and the request counts as secure (https). The valve only honours
               these headers when the immediate peer matches its internalProxies pattern, which by
               default (check the Tomcat docs for your version) covers the RFC 1918 and loopback
               ranges, i.e. every machine on the same private network. Add an
               internalProxies="..." attribute listing just the nginx address(es) so that no other
               host on those ranges can spoof the forwarded client IP or scheme. -->
          <Valve className="org.apache.catalina.valves.RemoteIpValve"
          remoteIpHeader="x-forwarded-for"
          remoteIpProxiesHeader="x-forwarded-by"
          protocolHeader="x-forwarded-proto"
          />
    

      

    tomcat中jks文件转nginx的crt以及key文件
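    # Convert the Tomcat JKS keystore into the PEM files nginx expects.
    # keytool and openssl prompt interactively for the keystore / export passwords.
    #
    # umask 077: the last step exports the private key unencrypted (-nodes), and the
    # intermediate PKCS#12 file also holds the key, so every file created here starts
    # out readable by the owner only.
    umask 077
    keytool -importkeystore -srckeystore server.jks -srcalias server -destkeystore newkeystore.p12 -deststoretype PKCS12

    # Leaf (server) certificate only.
    openssl pkcs12 -in newkeystore.p12 -nokeys -clcerts -out server-ssl.crt

    # CA / intermediate certificates only.
    openssl pkcs12 -in newkeystore.p12 -nokeys -cacerts -out gs_intermediate_ca.crt

    # Build the chain file nginx serves. Order matters: the server certificate must come
    # first, followed by the intermediates, or clients fail to validate the chain.
    cat server-ssl.crt gs_intermediate_ca.crt >server.crt
    # Certificates are public; undo the umask for the chain file only.
    chmod 644 server.crt

    # Private key in plaintext (-nodes). Keep it 0600, owned by root, and delete
    # newkeystore.p12 once server.key is in place, since it contains the same key.
    openssl pkcs12 -nocerts -nodes -in newkeystore.p12 -out server.key
    chmod 600 server.key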

  • 原文地址:https://www.cnblogs.com/lujunfeng/p/11167940.html