Nginx+tomcat for HTTPS access (Tomcat does not have an SSL certificate)

Source: Internet
Author: User
Tags: ssl, certificate

Clients talk to nginx over HTTPS; nginx talks to Tomcat over plain HTTP. Only nginx needs the certificate and private key, which keeps certificate configuration in one place. The trade-off is that the nginx-to-Tomcat hop is cleartext, so Tomcat must only be reachable from nginx (loopback or a private network); if port 8090 is reachable from outside, that hop is exposed and a client can bypass nginx and forge the X-Forwarded-* headers Tomcat is about to trust.


Nginx Side Configuration nginx.conf

    user nginx;
    worker_processes 2;
    error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    pid /usr/local/nginx/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        charset utf-8;
        server_names_hash_bucket_size 128;
        client_header_buffer_size 4k;
        large_client_header_buffers 4 32k;
        client_max_body_size 300m;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 60;
        tcp_nodelay on;
        client_body_buffer_size 512k;

        proxy_connect_timeout 5;
        proxy_read_timeout 30;
        proxy_send_timeout 5;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;

        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_vary on;

        # Hide the nginx version in Server: and error pages.
        server_tokens off;

        log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$upstream_cache_status" $remote_addr';

        proxy_cache_path /ngx_cache/proxy_cache/cache1 levels=1:2 keys_zone=cache1:20m inactive=3d max_size=500m;
        proxy_cache_path /ngx_cache/proxy_cache/cache2 levels=1:2 keys_zone=cache2:20m inactive=3d max_size=500m;

        # Tomcat's plain-HTTP connector. The original points at 0.0.0.0:8090, which
        # Linux treats as the local host; 127.0.0.1 is the portable spelling.
        upstream 8090 {
            server 0.0.0.0:8090 max_fails=2 fail_timeout=30s;
        }

        # Plain-HTTP listener (the original uses port 90 rather than 80):
        # everything is redirected to HTTPS. The original redirected to the
        # literal address https://203.195.144.57$request_uri; a bare IP does not
        # match a certificate issued for www.ddzrh.com, so browsers would warn.
        # Redirecting to the requested host keeps the name consistent.
        server {
            listen 90;
            server_name www.ddzrh.com;
            location / {
                return 301 https://$host$request_uri;
            }
        }

        server {
            # "listen 443 ssl;" replaces the older "ssl on;" directive, which
            # newer nginx releases no longer accept.
            listen 443 ssl;
            server_name www.ddzrh.com;

            # These two lines are the whole point: the certificate chain and its
            # private key live on nginx, never on Tomcat. Keep the key readable
            # only by root/the nginx master process.
            ssl_certificate /usr/local/nginx/ssl/cunguan.crt;
            ssl_certificate_key /usr/local/nginx/ssl/cunguan.key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 10m;

            # As in the original. TLSv1 and TLSv1.1 are deprecated (RFC 8996);
            # on a current nginx/OpenSSL use "TLSv1.2 TLSv1.3" and drop the
            # 3DES (DES-CBC3-SHA), CAMELLIA and plain-RSA CBC entries below.
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
            ssl_prefer_server_ciphers on;

            # Cache purge endpoint (needs the third-party ngx_cache_purge module).
            # "allow all" lets anyone on the Internet evict cache entries; in
            # practice restrict this to the management network.
            location ~ /purge(/.*) {
                allow all;
                proxy_cache_purge cache2 $host$1$is_args$args;
            }

            # Static assets: proxied once, then served from cache2 for a day.
            location ~* \.(jpeg|jpg|png|css|js)$ {
                proxy_pass http://8090;
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                add_header nginx-cache $upstream_cache_status;
                proxy_cache cache2;
                proxy_cache_key $host$uri$is_args$args;
                #proxy_cache_valid 200 304 30m;
                expires 1d;
            }

            # Everything else goes to Tomcat. X-Forwarded-Proto tells Tomcat the
            # client-facing scheme; proxy_set_header replaces any value the
            # client sent, so Tomcat sees only what nginx puts there.
            location / {
                proxy_pass http://8090;
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_redirect off;
            }

            error_page 500 502 503 504 /50/50.html;
            location ~ /50(/.*) {
                root html;
            }
        }
    }

The two directives that matter for TLS are ssl_certificate and ssl_certificate_key; the rest is ordinary reverse-proxy configuration. The one extra line the Tomcat side depends on is proxy_set_header X-Forwarded-Proto https; in the location / block. Tomcat cannot see the TLS session (its connector only ever sees plain HTTP from nginx), so this header is the only way it learns that the client connection was HTTPS. Because proxy_set_header overwrites any client-supplied X-Forwarded-Proto and nginx sets it unconditionally on this listener, the value is trustworthy as long as Tomcat is reachable only through nginx. Note that the static-asset location above does not set it; that is harmless for cached images and scripts but matters for anything that builds absolute URLs.


Tomcat-side configuration Server.xml


    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Service name="Catalina">
        <!-- Plain HTTP connector on 8090; nginx proxies to it. -->
        <Connector port="8090"
                   protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443"
                   proxyPort="443" />
        <Engine name="Catalina" defaultHost="localhost">
          <!-- The Host and Valve elements were cut off in the original page. -->
        </Engine>
      </Service>
    </Server>

The Connector must carry proxyPort="443"; this is the key to the whole article. proxyPort makes request.getServerPort() return 443 (the port the client actually used at nginx) instead of 8090, so absolute URLs the application builds point back through the proxy. redirectPort must also be 443: it is where Tomcat sends a request that hits a web.xml <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint but does not look secure, and a redirect to any other port would never reach nginx. The <Valve> configuration in the Engine (cut off in the snippet above) is just as important, because proxyPort alone does not change the scheme: without a valve that reads X-Forwarded-Proto, request.getScheme() still returns "http", isSecure() is false, and every CONFIDENTIAL constraint redirects the client to https://host:443/..., which nginx forwards as plain HTTP again, producing a redirect loop.
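The valve the text refers to is Tomcat's RemoteIpValve, which rewrites the scheme, port and client address seen by the web application from the X-Forwarded-Proto and X-Forwarded-For headers that nginx sets. The following complete server.xml is an added example, not the original author's file: it assumes nginx and Tomcat run on the same host so that nginx connects from 127.0.0.1, binds the connector to loopback (the address attribute is an assumption; the original connector has none), and adds proxyName so getServerName() matches the public name as well.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original page's server.xml). Assumes nginx proxies
     to Tomcat over the loopback interface, i.e. connections arrive from
     127.0.0.1. Adjust internalProxies and address if nginx is on another host. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Plain HTTP, bound to loopback so only the local nginx can reach it.
         Without address="127.0.0.1" Tomcat listens on every interface and a
         client that reaches 8090 directly could present its own
         X-Forwarded-Proto / X-Forwarded-For and be believed. -->
    <Connector port="8090"
               address="127.0.0.1"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               proxyName="www.ddzrh.com"
               proxyPort="443"
               redirectPort="443" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- RemoteIpValve only acts on requests whose TCP peer matches
           internalProxies (a regex). For those it sets:
             X-Forwarded-Proto: https -> getScheme()=="https", isSecure()==true,
                                         getServerPort()==httpsServerPort (443)
             X-Forwarded-For          -> getRemoteAddr() is the real client.
           A CONFIDENTIAL transport-guarantee in web.xml is then satisfied and
           Tomcat no longer redirects to redirectPort. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.0\.0\.1"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpsServerPort="443"
             httpServerPort="80" />
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- %h in the access log now shows the address taken from
             X-Forwarded-For rather than 127.0.0.1. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

To check it after restarting Tomcat, request a page through nginx and have the application print request.getScheme() and request.isSecure(); both should report https/true. Then request the same page directly at http://127.0.0.1:8090/ from the Tomcat host without the header: it should report http/false, and a path protected by a CONFIDENTIAL constraint should answer with a redirect to https://www.ddzrh.com/... (port 443, through nginx) rather than to port 8090.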
