Nginx + Tomat https ssl 部署方案

之前就玩过这个https的部署方案，挺简单的，但是好久没搞，又有点忘了，果然好记性不如烂笔头

再重新温习一下....

1，准备证书

2，下载nginx

3，准备tomcat

4，配置nginx.conf，如示例

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] '$request' '
    #                  '$status $body_bytes_sent '$http_referer' '
    #                  ''$http_user_agent' '$http_x_forwarded_for'';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    
    upstream xxyrpc {
        server 127.0.0.1:8007 ;
        #server 192.168.7.97:8080 ;
    }
    
    upstream xxyweb {
        server 127.0.0.1:8007 ;
        #server 127.0.0.1:8081 ;
    }
    
    ###############-------test--示例-------#####################################
    server {
        listen       80;
        server_name  xxy.jss.com.cn;
        # root       /usr/share/nginx/html;
        location / {
            rewrite ^(.*)$ https://$host$1 permanent;
        }
    }
    
    server {
        listen       443 ssl;                             #指定ssl监听端口
        server_name  xxy.jss.com.cn;                    #域名
        ssl on;                                           #开启ssl支持
        access_log logs/aisino_access55.log;                #访问日志

        ssl_certificate      E:/nginx-1.11.12/newkey/server.cer;      #指定服务器证书路徿
        ssl_certificate_key  E:/nginx-1.11.12/newkey/server.key;     #指定私钥证书路径
        
        #ssl_session_cache    shared:SSL:1m;
        #ssl_session_timeout  5m;                         #SSL会话超时闿分钟
        
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;  #指定SSL服务器端支持的协议版朿
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;    #指定加密算法
        ssl_prefer_server_ciphers   on;                   #在使用SSLv3和TLS协议时指定服务器的加密算法要优先于客户端的加密算泿
        charset utf-8;
        
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        
        #兼容用户可能收藏的页面
        location = /pc.do {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyrpc/xxy_rpc/pc.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }
        
        location = /app.do {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyrpc/xxy_rpc/app.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }
        
        location = /nuoyan.do {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyrpc/xxy_rpc/nuoyan.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }

        location /xxy_rpc {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyrpc/xxy_rpc;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }
        
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyweb/xxy_web;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            access_log logs/aisino_access2.log; 
        }
        
        #兼容用户可能收藏的页面
        location = /welcome.do {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyweb/xxy_web/welcome.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            access_log logs/aisino_access2.log; 
        }
        
        
        location = /main/query.do {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      15s;
            proxy_send_timeout         15s;
            proxy_read_timeout         15s;
            proxy_pass   http://xxyweb/xxy_web/main/query.do;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            access_log logs/aisino_access2.log; 
        }
        
        location /xxy_web {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      60s;
            proxy_send_timeout         60s;
            proxy_read_timeout         60s;
            proxy_pass   http://xxyrpc/xxy_web;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }
    }
    
    ###############-------test--示例-------#####################################
    
}

5，修改tomcat下server.xml配置

Host 节点下增加一行（nginx 代理https后，应用redirect https变成http，即https请求，tomcat 输出的确实http 问题）：

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For"/>

<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For"/>
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

      <!--<Context path="/images" docBase="E:/workspace/out/artifacts/images" debug="0" reloadable="true"/>-->
 </Host>

6，部署项目，start nginx ，输入域名访问。