nginx https tomcat http 同时存在同域名访问

前言:现在网络安全越来越重要,绝大部分的网站都已经全站https了,例如:微信小程序的开发中,就要去后台必须是https的,其他的微信接口也是建议使用https,但是在实际应用中,我们有时却没有办法完全舍弃http的请求。这个时候就需要一个服务http和https都可以访问,当然我也是建议全站https,http自动跳转https。

要求:有nginx和tomcat的配置经验

目标:1、全站https,http请求自动变成https(意味着不在提供http的访问,只提供https)

           2、兼容https、http(http不会转到https,还是http请求。https访问就是https)

适用范围:nginx做web服务器,tomcat做应用服务器,自己的服务用war包发布在tomcat中,系统是linux。域名是阿里的域名,证书是申请的阿里的免费域名(1年)

第一个目标的的实现:

1、先在阿里云申请证书,比如:我要申请 www.luckylxh.top 的证书,申请成功后,找到这个页面,下载pem和key,按照要求放入服务器

nginx https tomcat http 同时存在同域名访问_第1张图片

按照要求配置成:

server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate   cert/1532005203290.pem;
    ssl_certificate_key  cert/1532005203290.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

2、实现全站https(其实就是做一个301跳转)

server{
  listen 80;
  server_name www.luckylxh.top;
  return 301 https://$server_name$request_uri;
}
server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate   cert/1532005203290.pem;
    ssl_certificate_key  cert/1532005203290.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

所有的http请求自动跳到https的server上

3、配置tomcat

(1)Connector节点加入 redirectPort="443" proxyPort="443"

(2)Host节点中间添加             remoteIpHeader="x-forwarded-for"
            remoteIpProxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto"/>   

4、最后的配置如下

(1)nginx.conf

server{
  listen 80;
  server_name www.luckylxh.top;
  return 301 https://$server_name$request_uri;
}

server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on ;
    set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; #
    root $htdocs;
    ssl_certificate   cert/214788276180473.pem;
    ssl_certificate_key  cert/214788276180473.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
	  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	  proxy_set_header Host $http_host;
	  proxy_set_header X-Forwarded-Proto https;
	  proxy_redirect off;
	  proxy_pass http://localhost:8080;
    }
}

(2)tomcat(server.xml)





						

上述的实现,就是浏览器与nginx是https的,nginx和tomcat还是http的,同时全站强制使用https

第二个目标的实现:

(1)修改nginx.conf配置

#监听80端口把服务转给tomcat的8089端口
server {
        listen     80;
        server_name  www.luckylxh.top;
	set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; 
	root $htdocs;
        location / {
	     index index.html;
	     proxy_pass http://localhost:8089;
	     proxy_set_header Host $host;
	     proxy_set_header X-Real-IP $remote_addr;
	     proxy_set_header REMOTE-HOST $remote_addr;
	     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
       location ~ .*.(ico|gif|jpg|jpeg|png|bmp|swf|zip|rar|flv)$ {
	     expires 15d;
	}
	location ~^/(WEB-INF)/{
	     deny all;
	}
    }
#监听443端口,服务转给tomcat的8080端口
server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on ;
    set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; #姝ゅ瀹氫箟浜唄tdocs
    root $htdocs;
    ssl_certificate   cert/214788276180473.pem;
    ssl_certificate_key  cert/214788276180473.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
	  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	  proxy_set_header Host $http_host;
	  proxy_set_header X-Forwarded-Proto https;
	  proxy_redirect off;
	  proxy_pass http://localhost:8080;
    }
}

(2)修改tomcat的server.xml







						

这时就可以达到我们要的效果了,https和http都可以访问

效果:

你可能感兴趣的:(it,linux,nginx,tomcat)