Nginx+tomcat+ssl identify HTTPS or HTTP

Source: Internet
Author: User
Tags: file handling, SSL certificate, Tomcat server, Nginx SSL

Source: SSL Certificate and HTTPS Application Deployment Summary


In practice a large web site has many web servers and application servers; a user's request may pass through Varnish, HAProxy or Nginx before it reaches the application server, with several layers in between. A typical small or medium deployment is the two-tier Nginx + Tomcat configuration: there is more than one Tomcat instance, and Nginx handles static files and load balancing.
If Nginx acts as the front-end proxy, Tomcat does not need to handle HTTPS at all; Nginx does all of it. The user first establishes a connection with Nginx and completes the SSL handshake; Nginx then proxies the request to Tomcat and sends Tomcat's output back to the user over the SSL-encrypted connection. This is transparent to Tomcat, which only ever processes plain HTTP requests. In this case you therefore do not configure SSL on Tomcat, only Nginx's SSL and proxy settings.
In proxy mode the question is how Tomcat identifies the user's original request (URL, IP, HTTPS or HTTP). Behind a transparent proxy, if nothing is configured, Tomcat believes every request comes from Nginx, which produces the following wrong results:
  • request.getScheme()              // always "http", not the actual http or https
  • request.isSecure()               // always false (because it is always http)
  • request.getRemoteAddr()          // always Nginx's IP, not the user's IP
  • request.getRequestURL()          // always the URL Nginx requested, not the URL the user actually requested
  • response.sendRedirect(relative URL) // always redirects to http (because the current request is taken to be http)
If the program needs to act on what the user actually requested, this is a problem. The solution is simple: configure Nginx and Tomcat separately instead of changing the program. First configure the forwarding headers in Nginx:
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
Then configure a Valve inside the Engine element of Tomcat's server.xml:
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="X-Forwarded-For"
               protocolHeader="X-Forwarded-Proto"
               protocolHeaderHttpsValue="https"/>
X-Forwarded-Proto is configured on both sides so that Tomcat correctly identifies whether the protocol the user actually used was HTTP or HTTPS; X-Forwarded-For is configured so that Tomcat obtains the actual user's IP. All five of the calls above then return the correct result, just as if the user had accessed Tomcat directly.


Article reference: Load Balancing Configuration


        # nginx partial configuration reference
        server {
                server_name www.zhangblog.com;
                listen 443;
                index index.jsp;
                ssl on;
                ssl_certificate /mnt/releasecert/serverbundle.crt;
                ssl_certificate_key /mnt/releasecert/serverbundle.key;
                if ($request_uri ~* "\.html$") {
                        rewrite ^/(.*)$ http://$host/$1 redirect;
                }
                location / {
                        proxy_pass http://10.171.27.25:9002;   # intranet IP
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
                }
        }
        server {
                server_name www.zhangblog.com;
                listen 80;
                index index.jsp;
                if ($request_uri ~* "/pmcs/$") {
                        rewrite ^/(.*)$ https://$host/$1 redirect;
                }
                if ($request_uri ~* "/pmcs/login.jsp$") {
                        rewrite ^/(.*)$ https://$host/$1 redirect;
                }
                location / {
                        proxy_pass http://10.171.27.25:9002;
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
                }
        }
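The following is an added Python model of what the four proxy_set_header lines above and the RemoteIpValve do together; it is not Tomcat's or Nginx's code, and the addresses (a proxy at 10.0.0.5, a client at 203.0.113.7, the trusted networks) and function names are constructed for the example. It shows the point that makes this setup safe: the valve only honours X-Forwarded-For and X-Forwarded-Proto when the request arrives from a trusted proxy, and it reads X-Forwarded-For from the right, because $proxy_add_x_forwarded_for appends the real client address after whatever value the client itself supplied.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: networks whose forwarding headers we accept,
# and the (hypothetical) address of the Nginx proxy.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]
NGINX_ADDR = "10.0.0.5"


@dataclass(frozen=True)
class Resolved:
    """What the servlet observes after the valve has run."""
    scheme: str        # request.getScheme()
    secure: bool       # request.isSecure()
    remote_addr: str   # request.getRemoteAddr()


def is_trusted_proxy(addr: str) -> bool:
    """True if addr lies in a network we accept forwarding headers from."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def nginx_forward(client_addr: str, client_headers: dict, scheme: str) -> dict:
    """Model of the proxy_set_header lines: X-Forwarded-For is built the way
    $proxy_add_x_forwarded_for builds it (client-supplied value, then the
    client's address); X-Forwarded-Proto is replaced by the scheme Nginx served."""
    lower = {k.lower(): v for k, v in client_headers.items()}
    inbound = lower.get("x-forwarded-for")
    xff = f"{inbound}, {client_addr}" if inbound else client_addr
    return {
        "X-Real-IP": client_addr,
        "X-Forwarded-For": xff,
        "X-Forwarded-Proto": scheme,
    }


def resolve(peer_addr: str, headers: dict, *, remote_ip_header="X-Forwarded-For",
            protocol_header="X-Forwarded-Proto", https_value="https") -> Resolved:
    """Model of RemoteIpValve: honour the headers only when the peer that delivered
    the request is a trusted proxy, then walk X-Forwarded-For from the right,
    skipping trusted hops, until the first address that is not one of our proxies."""
    if not is_trusted_proxy(peer_addr):
        # Unknown peer: every forwarding header is untrusted client input.
        return Resolved("http", False, peer_addr)

    lower = {k.lower(): v for k, v in headers.items()}
    remote_addr = peer_addr
    hops = [h.strip() for h in lower.get(remote_ip_header.lower(), "").split(",") if h.strip()]
    for hop in reversed(hops):
        remote_addr = hop
        if not is_trusted_proxy(hop):
            break  # first address not appended by one of our proxies: the client

    proto = lower.get(protocol_header.lower())
    if proto is None:
        scheme = "http"  # header absent: the connector's own scheme stands
    else:
        scheme = "https" if proto.strip().lower() == https_value.lower() else "http"
    return Resolved(scheme, scheme == "https", remote_addr)


def demo():
    client = "203.0.113.7"  # constructed public client address (TEST-NET-3)
    # 1. Ordinary HTTPS visit through Nginx.
    via_https = resolve(NGINX_ADDR, nginx_forward(client, {}, "https"))
    # 2. Plain-HTTP visit in which the client itself sent forwarding headers.
    supplied = {"X-Forwarded-For": "198.51.100.9", "X-Forwarded-Proto": "https"}
    via_http_supplied = resolve(NGINX_ADDR, nginx_forward(client, supplied, "http"))
    # 3. The same headers arriving from an address that is not a trusted proxy.
    untrusted_peer = resolve(client, supplied)
    return via_https, via_http_supplied, untrusted_peer


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In cases 2 and 3 the client-supplied values never reach the servlet: Nginx overwrites X-Forwarded-Proto with its own $scheme, the right-to-left walk over X-Forwarded-For lands on the address Nginx appended, and headers from an untrusted peer are ignored outright. Tomcat's real valve expresses the trust set as the internalProxies and trustedProxies regular-expression attributes; internalProxies defaults to the private (RFC 1918) ranges and loopback, so if Nginx reaches Tomcat from some other address those attributes must be set explicitly, otherwise the valve leaves the request untouched and the five calls keep returning the wrong results.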


