nginx+tomcat+https的配置解析

在该配置上nginx上启用了https,而nginx和tomcat之间走的是普通的http.我们需要在浏览器上使用https://ip或域名/test,实现访问

nginx+tomcat+https的配置解析_第1张图片

上图是基本的原理图,查过许多资料,都在tomcat和nginx上都做了ssl,其实直接在nginx做ssl即可。


nginx端的解析,nginx的端口是80/443,tomcat的端口是8080,

我们就以test为列,说明以下的配置,以nginx代理两台tomcat机器,

upstream test{
        server 192.168.1.1:8080 weight=1 max_fails=2 fail_timeout=10s;
        server 192.168.1.2:8080 weight=1 max_fails=2 fail_timeout=10s;
        sticky;
}

server{
        listen 192.168.1.3:80;
        location /test/ {
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_pass http://test;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                client_max_body_size 10m;
                client_body_buffer_size 128k;
        }

}

server{
        listen 192.168.1.3:443 ssl;
          ssl on;
          ssl_certificate  /data/test.com.crt;
          ssl_certificate_key  /data/test.com.key;

        location /test/ {
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_pass http://test;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;

                proxy_set_header X-Forwarded-Proto https;

                client_max_body_size 10m;
                client_body_buffer_size 128k;

                fastcgi_param HTTPS $https if_not_empty;

        }

}

fastcgi_param HTTPS $https if_not_empty;有https协议是才自动使用https on,否则忽略fastcgi_param HTTPS 这个参数。

重新启动nginx

其次就是tomcat的配置,打开server.xml

在connect处修改配置,

 <Connector port="8080" address="" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" proxyPort="443"/>

在配置的末端,找到valve块,将其注释掉,添加新的配置。

<Valve className="org.apache.catalina.valves.RemoteIpValve"

            remoteIpHeader="x-forwarded-for"

            remoteIpProxiesHeader="x-forwarded-by"

            protocolHeader="x-forwarded-proto" />

重新启动tomcat,配置实现。注:我这里用到的是正式的安全证书。


你可能感兴趣的:(tomcat,nginx,https)