Operational notes on configuring HTTPS in Nginx and reverse-proxying multi-instance Tomcat


Case description:
The front layer is a load balancer built with Nginx + Keepalived; behind it two web servers run multi-instance Tomcat. Nginx reverse-proxies the Tomcat requests over HTTPS. Configuration one is as follows:

1) Nginx configuration on the LB layer

Force HTTP access to redirect to HTTPS
[root@external-lb01 ~]# cat /data/nginx/conf/vhosts/80-www.kevin.com.conf
server {
    listen       80;
    server_name  kevin.com www.kevin.com;

    access_log  /data/nginx/logs/www.kevin.com-access.log main;
    error_log   /data/nginx/logs/www.kevin.com-error.log;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    return 301 https://$server_name$request_uri;
}

HTTPS reverse-proxy configuration
[root@external-lb01 ~]# cat /data/nginx/conf/vhosts/443-www.kevin.com.conf
upstream scf_cluster {
    ip_hash;
    server 192.168.10.20:9020;
    server 192.168.10.21:9020;
}
upstream portal_cluster {
    ip_hash;
    server 192.168.10.20:9040;
    server 192.168.10.21:9040;
}
upstream file_cluster {
    ip_hash;
    server 192.168.10.20:9020;
}
upstream workflow_cluster {
    ip_hash;
    server 192.168.10.20:9020;
    server 192.168.10.21:9020;
}
upstream batch_cluster {
    server 192.168.10.20:9020;
    server 192.168.10.21:9020;
}

server {
    listen       443;
    server_name  www.kevin.com;

    ssl on;
    ssl_certificate /data/nginx/conf/ssl/kevin.cer;
    ssl_certificate_key /data/nginx/conf/ssl/kevin.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_prefer_server_ciphers  on;

    access_log  /data/nginx/logs/www.kevin.com-access.log main;
    error_log   /data/nginx/logs/www.kevin.com-error.log;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    rewrite /portal-pc https://www.kevin.com break;

    location / {
        proxy_pass http://portal_cluster/portal-pc/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    location /scf {
        proxy_pass http://scf_cluster/scf;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    location /msdp-file {
        proxy_pass http://file_cluster/msdp-file;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    location /upload {
        proxy_pass http://file_cluster/upload;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    location /activiti-workflow-console {
        proxy_pass http://workflow_cluster/activiti-workflow-console;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    location /batch-framework-web {
        proxy_pass http://batch_cluster/batch-framework-web;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }
}

Note the following requirements for the configuration above:
Accessing https://www.kevin.com must give the same result as accessing http://192.168.10.20:9040/portal-pc/
Accessing https://www.kevin.com/portal-pc must give the same result as accessing https://www.kevin.com

2) Tomcat configuration on the two backend machines, 192.168.10.20 and 192.168.10.21. Both are configured identically; 192.168.10.20 is shown here as the example:
[root@bl2-app01 ~]# cat /data/release/projects/tomcat_app_9020/conf/server.xml
......
    <Connector port="9020" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8"/>
......
    <Connector port="9029" protocol="AJP/1.3" redirectPort="8443" />

[root@bl2-app01 ~]# cat /data/release/projects/tomcat_portal_9040/conf/server.xml
......
    <Connector port="9040" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="4443" URIEncoding="UTF-8"/>
......
    <Connector port="9049" protocol="AJP/1.3" redirectPort="4443" />
.....

===============================================================================
Configuration two: the following proxy_redirect configuration can be used instead. proxy_redirect rewrites the Location and Refresh header fields in the responses returned by the proxied server; note that the proxy_redirect directives below map the backend's http URLs to the public https URLs.

[root@external-lb01 ~]# cat /data/nginx/conf/vhosts/443-www.kevin.com.conf
upstream scf_cluster {
    ip_hash;
    server 192.168.10.20:9020;
    server 192.168.10.21:9020;
}
upstream portal_cluster {
    ip_hash;
    server 192.168.10.20:9040;
    server 192.168.10.21:9040;
}
upstream file_cluster {
    ip_hash;
    server 192.168.10.20:9020;
}
upstream workflow_cluster {
    ip_hash;
    server 192.168.10.20:9020;
    server 192.168.10.21:9020;
}
upstream batch_cluster {
    server 192.168.10.20:9020;
    server 192.168.10.21:9020;
}

server {
    listen       443;
    server_name  www.kevin.com;

    ssl on;
    ssl_certificate /data/nginx/conf/ssl/bigtree.cer;
    ssl_certificate_key /data/nginx/conf/ssl/bigtree.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_prefer_server_ciphers  on;

    access_log  /data/nginx/logs/www.kevin.com-access.log main;
    error_log   /data/nginx/logs/www.kevin.com-error.log;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    location /scf {
        proxy_pass http://scf_cluster/scf;
        proxy_redirect  http://scf_cluster/scf https://www.kevin.com/scf;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
    }

    location / {
        proxy_pass http://portal_cluster/portal-pc/;
        proxy_redirect  http://portal_cluster/portal-pc/ https://www.kevin.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
    }

    location /msdp-file {
        proxy_pass http://file_cluster/msdp-file;
        proxy_redirect  http://file_cluster/msdp-file https://www.kevin.com/msdp-file;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
    }

    location /upload {
        proxy_pass http://file_cluster/upload;
        proxy_redirect  http://file_cluster/upload https://www.kevin.com/upload;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
    }

    location /activiti-workflow-console {
        proxy_pass http://workflow_cluster/activiti-workflow-console;
        proxy_redirect  http://workflow_cluster/activiti-workflow-console https://www.kevin.com/activiti-workflow-console;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
    }

    location /batch-framework-web {
        proxy_pass http://batch_cluster/batch-framework-web;
        proxy_redirect  http://batch_cluster/batch-framework-web https://www.kevin.com/batch-framework-web;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
    }
}

======================Tip========================
With the proxy_redirect (http -> https) configuration enabled above, "proxy_set_header Host $host;" is not needed, i.e. there is no need to add that request header to the requests sent to the backend servers.

================================================================================
As above, HTTP access on port 80 is configured to be force-redirected to HTTPS access on port 443:
1) If the domain is accessed via https, both configuration one and configuration two work.
2) If the domain is accessed via http, then with configuration one every access only redirects to the https home page, so configuration two is required in that case.

For example, as shown below, accessing http://bpm.kevin.com will only be force-redirected to https://www.kevin.com:
[root@external-lb01 ~]# cat /data/nginx/conf/vhosts/bpm.kevin.com.conf
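To make the difference between configuration one and configuration two concrete, here is a small Python model (an added example, not code from nginx, Tomcat or this article) of the two header rules involved: Tomcat is assumed to build an absolute Location header from the Host header it receives, and nginx's proxy_redirect replaces a matching prefix of that header. The upstream name, public host name and /portal-pc/ context path come from the configuration above; the /portal-pc/login redirect path is constructed.

```python
"""Model of proxy_redirect versus proxy_set_header Host for the portal_cluster
location on this page. Added illustration with constructed values; not code
from nginx, Tomcat or the original article."""

UPSTREAM = "portal_cluster"      # upstream group name from the page
PUBLIC = "www.kevin.com"         # public site name from the page
APP_PREFIX = "/portal-pc/"       # context path the Tomcat instance serves


def tomcat_redirect(host_header: str, path: str) -> str:
    """Backend behaviour assumed here: Tomcat speaks plain HTTP behind the
    proxy and builds an absolute Location from the Host header it received."""
    return f"http://{host_header}{path}"


def nginx_proxy_redirect(location: str, rules) -> str:
    """proxy_redirect semantics: replace the first matching prefix of the
    upstream Location header; an empty rule list models 'proxy_redirect off'."""
    for prefix, replacement in rules:
        if location.startswith(prefix):
            return replacement + location[len(prefix):]
    return location


def config_one(app_path: str = APP_PREFIX + "login") -> str:
    """Configuration one: proxy_set_header Host $host and proxy_redirect off.
    Tomcat sees the public name, and nginx passes its http:// URL through."""
    host_sent_upstream = PUBLIC                 # $host
    location = tomcat_redirect(host_sent_upstream, app_path)
    return nginx_proxy_redirect(location, [])   # proxy_redirect off


def config_two(app_path: str = APP_PREFIX + "login") -> str:
    """Configuration two: Host is not overridden, so nginx sends the upstream
    name ($proxy_host) and the rule
    'proxy_redirect http://portal_cluster/portal-pc/ https://www.kevin.com/;'
    maps the backend URL onto the public https URL."""
    host_sent_upstream = UPSTREAM               # nginx default $proxy_host
    location = tomcat_redirect(host_sent_upstream, app_path)
    rules = [(f"http://{UPSTREAM}{APP_PREFIX}", f"https://{PUBLIC}/")]
    return nginx_proxy_redirect(location, rules)


def config_two_with_host_override(app_path: str = APP_PREFIX + "login") -> str:
    """Why the tip says Host $host is unnecessary with proxy_redirect: if Host
    is overridden anyway, Tomcat emits the public name, the prefix rule no
    longer matches and the http:// redirect is passed through unchanged."""
    location = tomcat_redirect(PUBLIC, app_path)
    rules = [(f"http://{UPSTREAM}{APP_PREFIX}", f"https://{PUBLIC}/")]
    return nginx_proxy_redirect(location, rules)


if __name__ == "__main__":
    print("config one        :", config_one())
    print("config two        :", config_two())
    print("config two + Host :", config_two_with_host_override())
```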
upstream os-8080 {
    #ip_hash;
    server 192.168.10.20:8080 max_fails=3 fail_timeout=15s;
    server 192.168.10.21:8080 max_fails=3 fail_timeout=15s;
}

server {
    listen       80;
    server_name  bpm.kevin.com;

    access_log  /data/nginx/logs/bpm.kevin.com-access.log main;
    error_log   /data/nginx/logs/bpm.kevin.com-error.log;

    location / {
        proxy_pass http://os-8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_max_temp_file_size 128m;
        #proxy_cache mycache;
        #proxy_cache_valid 200 302 1h;
        #proxy_cache_valid 301 1d;
        #proxy_cache_valid any 1m;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}


If access to http://bpm.kevin.com should not be force-redirected to https://www.kevin.com, the proxy_redirect configuration must be enabled:
[root@external-lb01 ~]# cat /data/nginx/conf/vhosts/bpm.kevin.com.conf
upstream os-8080 {
    #ip_hash;
    server 192.168.10.20:8080 max_fails=3 fail_timeout=15s;
    server 192.168.10.21:8080 max_fails=3 fail_timeout=15s;
}

server {
    listen       80;
    server_name  bpm.kevin.com;

    access_log  /data/nginx/logs/bpm.kevin.com-access.log main;
    error_log   /data/nginx/logs/bpm.kevin.com-error.log;

    location / {
        proxy_pass http://os-8080;
        # Note: this is a plain http request with no http -> https redirect requirement,
        # so this proxy_set_header directive must be added; otherwise the headers
        # returned through the proxy will be wrong!
        proxy_set_header Host $host;
        proxy_redirect  http://os-8080/ http://bpm.kevin.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

===============================================================================
Nginx acts as the front-end proxy that distributes requests and Tomcat handles them. There are two ways to implement HTTPS with Nginx reverse-proxying Tomcat:

1. Nginx configured for HTTPS, with Tomcat also configured for HTTPS
1) Nginx HTTPS configuration
upstream https_tomcat_web {
    server 127.0.0.1:8443;
}

server {
    listen       443;
    server_name  www.test.com;
    index index.html;
    root   /var/www/html/test;

    ssl on;
    ssl_certificate /etc/nginx/go.pem;
    ssl_certificate_key /etc/nginx/go.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    location ~ ^/admin {
        proxy_pass https://https_tomcat_web;   # the upstream is https
        proxy_redirect             off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        client_max_body_size       100m;
        client_body_buffer_size    256k;
        proxy_connect_timeout      60;
        proxy_send_timeout         30;
        proxy_read_timeout         30;
        proxy_buffer_size          8k;
        proxy_buffers              8 64k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
    }

}

2) Tomcat HTTPS configuration, in server.xml
<Service name="Catalina">
    <Connector port="8001" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8091"
               protocol="AJP/1.3"
               redirectPort="8443" />

    <!-- add the following -->
    <Connector port="8443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               scheme="https"
               secure="false"
               keystoreFile="cert/gotom.pfx"
               keystoreType="PKCS12"
               keystorePass="214261272770418"
               clientAuth="false"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />

    .................. omitted ....................
</Service>

After the configuration is in place, restart Nginx and Tomcat and the site can be accessed over https. This is currently the more commonly used setup.

2. Nginx uses HTTPS, Tomcat uses HTTP
1) Nginx HTTPS configuration
upstream https_tomcat_web {
    server 127.0.0.1:8001;
}

server {
    listen       443;
    server_name  www.test.com;
    index index.html;
    root   /var/www/html/test;

    ssl on;
    ssl_certificate /etc/nginx/go.pem;
    ssl_certificate_key /etc/nginx/go.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    location ~ ^/admin {
        proxy_pass http://https_tomcat_web;   # the upstream is plain http
        proxy_redirect             off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        client_max_body_size       100m;
        client_body_buffer_size    256k;
        proxy_connect_timeout      60;
        proxy_send_timeout         30;
        proxy_read_timeout         30;
        proxy_buffer_size          8k;
        proxy_buffers              8 64k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
    }

}

2) Tomcat HTTP configuration, in server.xml
<Service name="Catalina">
    <Connector port="8001" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />    <!-- redirects to port 443 here -->

    <Connector port="8091"
               protocol="AJP/1.3"
               redirectPort="443" />

    .................. omitted ....................
</Service>
Restart Nginx and Tomcat and HTTPS is configured.

=====================Nginx proxy forwarding on a non-80 port=======================
Note: when Nginx forwards on a non-80 port, the $host in the proxy_set_header configuration must be followed by the port, as in the configuration below (proxy_set_header Host $host:8080;). Otherwise access will have problems. (For https access where http is already force-redirected to https, port 443 does not need to be appended to $host.)

[root@ng-lb01 vhosts]# cat fax.kevin.com.conf
upstream fax {
    server 192.168.10.34:8080;
}

server {
    listen       8080;
    server_name  fax.kevin.com;

    access_log  /data/nginx/logs/fax.kevin.com-access.log main;
    error_log   /data/nginx/logs/fax.kevin.com-error.log;

    location / {
        proxy_pass http://fax;
        proxy_set_header Host $host:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}
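The vhosts on this page carry several settings a reviewer would flag before deploying them: SSLv2/SSLv3/TLSv1.x in ssl_protocols, the deprecated "ssl on" (replaced by "listen 443 ssl"), X-Forwarded-Proto hard-coded to http on the 443 listener, and Host $host without the port on a non-80 listener. The following Python checker (an added example, not the article's code) reads a vhost file with a minimal directive parser and reports those four conditions; the sample vhosts inside it are constructed from the page's settings, with a hardened counterpart next to each.

```python
"""Offline check for the risky or incomplete nginx vhost settings this page
shows. Added example, not the page's code; the sample vhosts are constructed."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Yield (name, args) for each 'name args;' directive, ignoring '#'
    comments and block headers such as 'server {' or 'location / {'."""
    text = re.sub(r"#[^\n]*", "", text)
    for m in re.finditer(r"([^{};]+);", text):
        parts = m.group(1).split()
        if parts:
            yield parts[0], parts[1:]


def check_vhost(text):
    """Return the list of findings for one vhost file (empty when clean)."""
    directives = list(parse_directives(text))
    ports = set()
    for name, args in directives:               # first pass: listen ports
        if name == "listen" and args:
            m = re.search(r"(\d+)$", args[0])   # '443', '*:8080', '[::]:443'
            if m:
                ports.add(int(m.group(1)))
    findings, host_value = [], None
    for name, args in directives:
        if name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS & set(args))
            if weak:
                findings.append("weak ssl_protocols: " + " ".join(weak))
        elif name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is deprecated; use 'listen 443 ssl'")
        elif name == "proxy_set_header" and len(args) == 2:
            header, value = args[0].lower(), args[1]
            if header == "host":
                host_value = value
            elif header == "x-forwarded-proto" and value == "http" and 443 in ports:
                findings.append("X-Forwarded-Proto hard-coded to http on a TLS "
                                "listener; use $scheme so the backend sees https")
    for port in sorted(ports - {80, 443}):      # the page's non-80 port rule
        if host_value == "$host":
            findings.append(f"listen {port} but Host is $host without the port; "
                            f"use $host:{port}")
    return findings


# Constructed samples: the page's 443 settings next to a hardened counterpart,
# and the non-80 port case with and without the port in the Host header.
WEAK_443 = """server { listen 443; ssl on; ssl_protocols SSLv2 SSLv3 TLSv1.2;
  location / { proxy_pass http://portal_cluster/portal-pc/;
    proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto http; } }"""
HARDENED_443 = """server { listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3;
  location / { proxy_pass http://portal_cluster/portal-pc/;
    proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; } }"""
FAX_8080_BAD = "server { listen 8080; location / { proxy_pass http://fax; proxy_set_header Host $host; } }"
FAX_8080_OK = "server { listen 8080; location / { proxy_pass http://fax; proxy_set_header Host $host:8080; } }"

if __name__ == "__main__":
    for label, conf in [("weak 443", WEAK_443), ("hardened 443", HARDENED_443),
                        ("fax 8080 bad", FAX_8080_BAD), ("fax 8080 ok", FAX_8080_OK)]:
        print(f"{label:13}: {check_vhost(conf) or 'clean'}")
```

To run it against a real vhost, pass the file contents to check_vhost; the parser ignores comments and block headers, so the page's full 443 vhost can be fed in unchanged.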
