本文说描述的方式是用nginx的443重定向到tomcat的8443,nginx的80端口重定到tomcat的8080;
乱入:个人标记:caicongyang
可以参考我前面的文章: Linux tar包安装Nginx ;http://blog.csdn.net/caicongyang/article/details/46388845
不过这篇文章中,我们编译的时候没有带ssl模块,因此需要重新编译安装
需要在安装时带上ssl模块的选项
完成命令如下:
#./configure --with-http_ssl_module
#./configure --help
# cd /opt/nginx/sslkey/ # openssl genrsa -des3 -out server.key 1024 # openssl req -new -key server.key -out server.csr # cp server.key server.key.org # openssl rsa -in server.key.org -out server.key # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="${user.home}/. keystore" keystorePass="123456"/>
#keytool -v -genkey -alias tomcat -keyalg RSA -keystore .keystore -validity 36500当然你也可以指定目录
#keytool -v -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/sslkey/server.keystore -validity 36500
当然你也可以在项目的web.xml中配置某个重要模块强制使用https,其他的模块正常走http
web.xml
<security-constraint> <web-resource-collection> <web-resource-name>services</web-resource-name> <url-pattern>/login/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; gzip on; upstream tomcat8080 { server localhost:8080 weight=10; } upstream tomcat8443 { server localhost:8443 weight=10; } server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://tomcat8080; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server server { listen 443; server_name localhost; ssl on; ssl_certificate /opt/nginx/sslkey/server.crt; ssl_certificate_key /opt/nginx/sslkey/server.key; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass https://tomcat8443; proxy_set_header Host $host:443; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } }
不懂运维的程序员,不是好的工程师!
我的个人网站:http://www.caicongyang.com
我的CSDN博客地址: http://blog.csdn.net/caicongyang