• nginx + tomcat + https configuration

    Topology:
    client ---https -----> nginx ----- http ------> tomcat

    The browser talks to nginx over HTTPS; nginx forwards to Tomcat via proxy_pass over plain HTTP. Tomcat therefore never sees a TLS handshake and has to be told, through forwarded headers, that the original request was HTTPS (that is what the RemoteIpValve configuration in step 6 is for). The nginx-to-Tomcat hop is unencrypted, so keep it on a trusted network segment and make sure the Tomcat port is not reachable by clients directly; anyone who can reach it can forge those headers.

    Obtaining a certificate:

    Deploy the certificate-request tool on a server that the domain name resolves to (Let's Encrypt proves control of the domain by connecting back to it):

    Note: certbot-auto requires Python 2.6 or later.

    1. Download certbot-auto
    #mkdir ~/cert/
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

    Note: certbot-auto was the self-installing wrapper script of that era. It has since been deprecated in favour of the certbot package from snap, pip or the distribution, which takes the same subcommands and flags used below.

    2. mkdir ~/.pip and create the pip.conf configuration file so that the Python packages certbot-auto installs come from a fast domestic mirror:
    [global]
    index-url=https://pypi.doubanio.com/simple/

    [install]
    trusted-host=pypi.doubanio.com

    Note: trusted-host tells pip to accept that host even when its TLS certificate cannot be verified. This works around a broken corporate proxy, but it also means a man-in-the-middle can serve tampered packages that then get installed and run as root; leave it out unless the mirror genuinely needs it.

    3. Install the tools certbot-auto depends on
    cd ~/cert
    #./certbot-auto

    The installation can take quite a while and sometimes fails because of a poor network connection; just run it again.


    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=www.lelaohui.com.cn
    -------------------------------------------------------------------------------

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.lelaohui.com.cn/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.lelaohui.com.cn/privkey.pem
    Your cert will expire on 2017-12-12. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the "certonly" option. To non-interactively renew *all*
    of your certificates, run "certbot-auto renew"


    ./certbot-auto certonly


    4. Request the certificate for the site

    Note: stop whatever is listening on port 443 before running this. --standalone makes certbot start its own temporary web server to answer the validation challenge; when this was written that was the tls-sni-01 challenge on port 443. Let's Encrypt has since retired tls-sni-01, so a current certbot uses http-01 on port 80 instead, and it is port 80 that has to be free (or use --webroot against the running nginx, in which case nothing needs to be stopped).

    #./certbot-auto certonly --standalone -d piaoyu.online -d www.piaoyu.online

    On success the certificate is saved under /etc/letsencrypt/live/www.piaoyu.online/ (certbot names this directory after the first domain of the certificate unless --cert-name is given, so confirm the actual path with ls or "certbot-auto certificates" before pointing nginx at it):
    #ls /etc/letsencrypt/live/www.piaoyu.online/
    cert.pem chain.pem fullchain.pem privkey.pem

    fullchain.pem is the server certificate followed by the intermediate chain and is the file nginx should serve; privkey.pem is the private key, readable only by root, which is fine because nginx's master process reads it as root at startup.

    Renewal test:
    ./certbot-auto renew --dry-run

    Automatic renewal (this line has a user column, so it belongs in /etc/crontab or a file under /etc/cron.d/, not in a per-user crontab):
    0 */12 * * * root /root/cert/certbot-auto renew --quiet --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

    The original line was 30 */8 */80 * *. cron has no "every N days": a step of 80 in the day-of-month field only ever matches day 1, so that line ran three times on the first of each month and could miss the renewal window entirely. "renew" is cheap and does nothing unless a certificate is within 30 days of expiry, so the supported pattern is to run it once or twice a day.

    Note: because the certificate was issued with --standalone, renewal again needs the port free. The pre-hook/post-hook pair stops nginx for the few seconds of validation and starts it again, and certbot only runs the hooks when a certificate is actually due. The restart is also what makes nginx pick up the new fullchain.pem and privkey.pem; nginx loads them at start/reload and would otherwise keep serving the old certificate until it expired. (systemctl is assumed here; on a SysV system use "service nginx stop/start".)

    5. nginx configuration

    Three files under /etc/nginx/conf.d/ are shown below. Things to check in them: the port-80 server also proxies straight to Tomcat, so the application stays reachable over plain HTTP and nothing forces clients onto HTTPS; that block sends no X-Forwarded-Proto, while the 443 block hard-codes it to https, which is what the Tomcat valve keys on; no ssl_protocols line is set, so the nginx build's default protocol list applies (on older builds that still includes TLS 1.0/1.1); and upstream.conf points at port 8090 while the Tomcat connector in step 6 is shown on 8080, so make sure the two agree.


    [root@appserver88 conf.d]# cat default.conf
    #
    # The default server
    #


    server {
    listen 80 default_server;
    server_name _;
    root /usr/share/nginx/html;


    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {

    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://tomcat;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    }


    ###########################

    [root@appserver88 conf.d]# cat ssl.conf
    #
    # HTTPS server configuration
    #

    server {
    listen 443 ssl default_server;
    server_name _;
    root /usr/share/nginx/html;
    #
    ssl_certificate /etc/letsencrypt/live/www.piaoyu.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.piaoyu.online/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    #
    # # Load configuration files for the default server block.
    # include /etc/nginx/default.d/*.conf;
    #
    location / {

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    proxy_connect_timeout 240;
    proxy_send_timeout 240;
    proxy_read_timeout 240;
    proxy_pass http://tomcat;
    }
    #
    error_page 404 /404.html;
    location = /40x.html {
    }
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    }

    ######################

    [root@appserver88 conf.d]# cat upstream.conf
    upstream tomcat {
    #server 127.0.0.1:8080 fail_timeout=0;
    server 10.28.11.117:8090;
    }
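    A hardened version of the three files above, as an added example (not the original post's configuration): port 80 only redirects to HTTPS, the TLS protocol and cipher lists are pinned, HSTS is set, and X-Forwarded-Proto is always overwritten from $scheme so a client-supplied value never reaches Tomcat. The ACME webroot path /var/www/letsencrypt is an assumption (it must match the -w path given to certbot --webroot); TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1. Run nginx -t before reloading.

```nginx
# default.conf: plain HTTP only redirects to HTTPS.
# The ACME http-01 path stays reachable so "certbot certonly --webroot
# -w /var/www/letsencrypt" can issue and renew without stopping nginx
# (the path is an assumption for this example).
server {
    listen 80 default_server;
    server_name piaoyu.online www.piaoyu.online;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# ssl.conf: HTTPS front end for the Tomcat upstream.
server {
    listen 443 ssl default_server;
    server_name piaoyu.online www.piaoyu.online;

    ssl_certificate     /etc/letsencrypt/live/www.piaoyu.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.piaoyu.online/privkey.pem;

    # Pin the protocol list instead of inheriting the build default,
    # which on older nginx builds still includes TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # The list above is ECDHE/AEAD only, so the client may choose.
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS for a year. Enable only once every
    # host that clients might visit under this name works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # proxy_set_header replaces any incoming header of the same name,
        # so a client cannot smuggle its own X-Forwarded-Proto through to
        # RemoteIpValve.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_read_timeout 240;
        proxy_pass http://tomcat;
    }
}

# upstream.conf
upstream tomcat {
    # Tomcat's HTTP connector; must match the Connector port in server.xml.
    server 10.28.11.117:8090;
}
```

    With the redirect in place, Tomcat only ever sees X-Forwarded-Proto: https from nginx, so request.isSecure() is true for every real request; a request with a client-forged X-Forwarded-Proto can only reach Tomcat if the 8090 port is exposed past nginx, which the valve's internalProxies setting in step 6 and a firewall rule should rule out.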


    ########################


    6. Tomcat configuration

    The main file to edit is server.xml:

    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443"
    proxyPort="443" />

    Add (inside the <Engine> or <Host> element):

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    proxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto" />

    proxyPort="443" is the key point of this whole article: it makes request.getServerPort() return 443 instead of the connector port, so absolute URLs and redirects that Tomcat builds point at the public HTTPS endpoint rather than at 8080 (or 8090, whichever port the upstream really uses). redirectPort must be 443 for the same reason. The <Valve> element matters just as much: RemoteIpValve reads X-Forwarded-Proto and sets request.getScheme() and isSecure() from it, so getScheme() returns "https" and the <security-constraint> transport guarantees (CONFIDENTIAL) in web.xml work instead of being ignored or redirecting in a loop. Note the attribute is called proxiesHeader; the original snippet spelled it remoteIpProxiesHeader, which Tomcat only reports as a "did not find a matching property" warning at startup, so the typo is easy to miss.

    Trust boundary: the valve only honours these headers when the immediate peer matches internalProxies, which by default covers loopback and all RFC 1918 ranges. If the nginx host is on a 10.x address, as the 10.28.11.117 upstream suggests, it is trusted automatically, but so is every other host on the internal network that can reach the Tomcat port. Set internalProxies to the nginx host's address and firewall the Tomcat port to that host; otherwise a client that reaches Tomcat directly can spoof X-Forwarded-For (which feeds the access log and any IP-based access control) and X-Forwarded-Proto.


    So how are several HTTPS hosts configured on a single IP?
    nginx supports the SNI extension of TLS (Server Name Indication: the client sends the host name it wants in the ClientHello, so one IP can serve a different certificate for each domain). SNI also needs support from the client and from the local OpenSSL.
    With SSL support enabled, nginx detects OpenSSL's SNI capability and turns it on. Whether SNI is compiled in is decided at build time by the ssl.h of that OpenSSL (SSL_CTRL_SET_TLSEXT_HOSTNAME); if the OpenSSL used at build time supports SNI, it works on the target system as long as the OpenSSL library there supports it too. OpenSSL has had SNI since 0.9.8f, so on any current build it is on; "TLS SNI support disabled" only appears for a binary built against an ancient OpenSSL. Check with nginx -V:

    # /usr/local/nginx/sbin/nginx -V
    TLS SNI support enabled

    Note that the server blocks in step 5 use server_name _ with default_server, which cannot tell hosts apart. For several HTTPS sites each server block needs its own server_name and its own ssl_certificate/ssl_certificate_key pair; the default_server block is what a client that sends no SNI, or an unknown name, is handed.
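    Two HTTPS hosts on one IP, as an added example (not the original post's configuration). The second domain second.example, the shared snippet /etc/nginx/snippets/tls-common.conf and the Tomcat <Host> for the second site are assumptions; the snippet is meant to hold the ssl_protocols, ssl_ciphers, session and HSTS settings from the hardened ssl.conf in step 5 so they are written once.

```nginx
# Site 1: the page's domain. default_server means this block also answers
# clients that send no SNI at all (old clients, raw IP scans), so it should
# be the site you are happiest to expose that way.
server {
    listen 443 ssl default_server;
    server_name piaoyu.online www.piaoyu.online;

    ssl_certificate     /etc/letsencrypt/live/www.piaoyu.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.piaoyu.online/privkey.pem;
    include /etc/nginx/snippets/tls-common.conf;   # assumed shared TLS settings

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat;
    }
}

# Site 2: a hypothetical second host on the same IP with its own certificate,
# issued by a separate "certbot certonly -d second.example -d www.second.example"
# run (lineage directory named after the first -d domain). nginx picks this
# block from the SNI name in the ClientHello and serves this certificate.
server {
    listen 443 ssl;
    server_name second.example www.second.example;

    ssl_certificate     /etc/letsencrypt/live/second.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/second.example/privkey.pem;
    include /etc/nginx/snippets/tls-common.conf;

    location / {
        # Same Tomcat upstream; Host is passed through so a
        # <Host name="second.example"> in server.xml (assumed) selects the app.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat;
    }
}
```

    To verify that the right certificate is served per name, connect to the IP with and without SNI: openssl s_client -connect <ip>:443 -servername second.example should show the second.example certificate, while the same command without -servername falls back to the default_server block's certificate.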

  • Original source: https://www.cnblogs.com/wdrain/p/11528454.html