I. Configuring Tomcat
1. Generate the private key
openssl genrsa -out tomcatkey.pem
2. Create a self-signed certificate from the private key (valid for 1095 days)
openssl req -new -x509 -key tomcatkey.pem -out tomcatca.pem -days 1095
3. Configure Tomcat's HTTPS connector by editing server.xml. The connector below is configured for APR (native) mode; the maxThreads value is not legible in the source and is left as a placeholder:
<Connector port="8443" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLCertificateFile="/home/hxtest/tomcat6/conf/ssl/tomcatca.pem"
    SSLCertificateKeyFile="/home/hxtest/tomcat6/conf/ssl/tomcatkey.pem"
    maxThreads="MAX_THREADS_PLACEHOLDER" scheme="https" secure="true"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLVerifyClient="optional"/>
II. Configuring Nginx
1. Generate the private key (passphrase-protected with 3DES). Note that 1024-bit RSA is below the minimum most current guidance recommends (2048 bits or more).
openssl genrsa -des3 -out ssl.key 1024
2. Create a certificate signing request (CSR)
openssl req -new -key ssl.key -out ssl.csr
3. Remove the passphrase from the key, otherwise nginx prompts for it every time it starts. The unencrypted key is then protected only by file permissions, so restrict them to the nginx user.
cp ssl.key ssl.key.org
openssl rsa -in ssl.key.org -out ssl.key
4. Sign the certificate with the private key and the CSR just generated
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
5. Add the private key and certificate to nginx.conf
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
III. Configure Nginx to proxy Tomcat over HTTPS
# HTTPS server
#
server {
    listen 443;
    server_name 192.168.100.2;   # the IP address of this nginx host
    ssl on;
    ### SSL log files ###
    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;
    ### SSL cert files ###
    ssl_certificate /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ### limiting ciphers ########################
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Intermediate configuration. Tweak to your needs.
    # ssl_protocols TLSv1.1 TLSv1.2;
    # Note: this list still permits several RC4 suites (ECDHE-ECDSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, ECDH-RSA-RC4-SHA).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;
    # ssl_ecdh_curve secp384r1;
    # ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ##############################################
    ### We want full access to SSL via backend ###
    location / {
        proxy_pass https://192.168.100.2:8443;   # IP address of the proxied Tomcat
        # root html;
        index index.html index.htm index.php;
        # proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
        # add_header Front-End-Https on;
        # proxy_redirect off;
    }
}
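To review the Tomcat connector from section I and the nginx server block above for the settings that matter most (legacy protocol versions, RC4 suites still in the cipher list, the deprecated "ssl on", and the commented-out X-Forwarded-Proto header that leaves Tomcat unable to tell the original scheme), here is an added Python linter. It is example code written for this page, not part of the original article or of nginx or Tomcat. The sample inputs are constructed copies of the connector and server block above (shortened cipher list, placeholder maxThreads), and the finding codes such as NGINX_RC4_ENABLED are names chosen here, not anything nginx or Tomcat emit.

```python
"""Lint the TLS settings of a Tomcat APR connector and an nginx server block."""
import re
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the connector from section I, wrapped in a minimal
# Server/Service so it parses as XML. maxThreads is a placeholder value.
TOMCAT_SERVER_XML = """<Server><Service>
<Connector port="8443" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLCertificateFile="/home/hxtest/tomcat6/conf/ssl/tomcatca.pem"
    SSLCertificateKeyFile="/home/hxtest/tomcat6/conf/ssl/tomcatkey.pem"
    maxThreads="MAX_THREADS_PLACEHOLDER" scheme="https" secure="true"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLVerifyClient="optional"/>
</Service></Server>"""

# Constructed sample: a shortened copy of the server block from section III
# (same directives, shorter cipher list), including its commented-out lines.
NGINX_SERVER_BLOCK = """
server {
    listen 443;
    server_name 192.168.100.2;
    ssl on;
    ssl_certificate /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location / {
        proxy_pass https://192.168.100.2:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""


def lint_tomcat_connector(server_xml):
    """Return (code, message) findings for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # SSLProtocol is a '+'-joined list in APR mode
        legacy = [p for p in conn.get("SSLProtocol", "").split("+") if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append(("TOMCAT_LEGACY_TLS", f"SSLProtocol enables legacy versions {legacy}"))
        if conn.get("SSLVerifyClient", "none").lower() == "optional":
            findings.append(("TOMCAT_CLIENT_CERT_OPTIONAL",
                             "SSLVerifyClient=optional: the application must check the client certificate itself"))
    return findings


def nginx_directives(text):
    """Return (name, args) for each directive; comments stripped, nesting ignored."""
    stripped = re.sub(r"#[^\n]*", "", text)
    return [(m.group(1), m.group(2).split()) for m in re.finditer(r"(\w+)\s+([^;{}]*);", stripped)]


def lint_nginx_server(conf):
    """Return (code, message) findings for one nginx HTTPS server block."""
    by_name = {}
    for name, args in nginx_directives(conf):
        by_name.setdefault(name, []).append(args)
    findings = []
    if by_name.get("ssl", [[]])[0] == ["on"]:
        findings.append(("NGINX_SSL_ON_DEPRECATED", "'ssl on' is deprecated; use 'listen 443 ssl'"))
    if "ssl_protocols" not in by_name:
        findings.append(("NGINX_PROTOCOLS_UNSET", "ssl_protocols is not set, so the build default applies; set it explicitly"))
    else:
        legacy = [p for p in by_name["ssl_protocols"][0] if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append(("NGINX_LEGACY_TLS", f"ssl_protocols enables legacy versions {legacy}"))
    if "ssl_ciphers" in by_name:
        suites = "".join(by_name["ssl_ciphers"][0]).split(":")
        # an RC4 entry counts as enabled unless it is negated with '!'
        if any("RC4" in s and not s.startswith("!") for s in suites):
            findings.append(("NGINX_RC4_ENABLED", "ssl_ciphers still enables an RC4 suite"))
        if "!aNULL" not in suites:
            findings.append(("NGINX_ANULL_ALLOWED", "ssl_ciphers does not exclude anonymous (aNULL) suites"))
    headers = {args[0].lower() for args in by_name.get("add_header", []) if args}
    if "strict-transport-security" not in headers:
        findings.append(("NGINX_NO_HSTS", "no Strict-Transport-Security header"))
    forwarded = {args[0].lower() for args in by_name.get("proxy_set_header", []) if args}
    if "x-forwarded-proto" not in forwarded:
        findings.append(("NGINX_NO_FORWARDED_PROTO",
                         "X-Forwarded-Proto is not passed, so Tomcat cannot tell the original scheme"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_tomcat_connector(TOMCAT_SERVER_XML) + lint_nginx_server(NGINX_SERVER_BLOCK):
        print(f"{code}: {msg}")
```

Run against the constructed samples, the Tomcat side reports the TLSv1/TLSv1.1 versions and the optional client-certificate setting; the nginx side reports "ssl on", the unset ssl_protocols, the RC4 suite and the missing X-Forwarded-Proto. The parser is deliberately flat (it ignores block nesting), which is enough for a single server block but would need a real nginx config parser for a whole nginx.conf.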
This article is from the Server Ops blog; please keep the source link: http://shamereedwine.blog.51cto.com/5476890/1790398
Nginx proxy tomcat using SSL method