The client and Nginx communicate over HTTPS, while Nginx and Tomcat communicate over plain HTTP only, which simplifies certificate configuration.
Nginx-side configuration: nginx.conf

    user nginx;
    worker_processes 2;
    error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    pid /usr/local/nginx/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        charset utf-8;
        server_names_hash_bucket_size 128;
        client_header_buffer_size 4k;
        large_client_header_buffers 4 32k;
        client_max_body_size 300m;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 60;
        tcp_nodelay on;
        client_body_buffer_size 512k;
        proxy_connect_timeout 5;
        proxy_read_timeout 30;
        proxy_send_timeout 5;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_vary on;
        server_tokens off;

        log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$upstream_cache_status" $remote_addr';

        proxy_cache_path /ngx_cache/proxy_cache/cache1 levels=1:2 keys_zone=cache1:20m inactive=3d max_size=500m;
        proxy_cache_path /ngx_cache/proxy_cache/cache2 levels=1:2 keys_zone=cache2:20m inactive=3d max_size=500m;

        upstream 8090 {
            server 0.0.0.0:8090 max_fails=2 fail_timeout=30s;
        }

        # Plain-HTTP listener: redirect everything to HTTPS
        server {
            listen 90;
            server_name www.ddzrh.com;
            location / {
                return 301 https://203.195.144.57$request_uri;
            }
        }

        # HTTPS listener: TLS terminates here, Tomcat is reached over HTTP
        server {
            listen 443;
            server_name www.ddzrh.com;
            # "ssl on" is obsolete since nginx 1.15.0; newer versions use "listen 443 ssl;"
            ssl on;
            ssl_certificate /usr/local/nginx/ssl/cunguan.crt;
            ssl_certificate_key /usr/local/nginx/ssl/cunguan.key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 10m;
            # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
            ssl_prefer_server_ciphers on;

            # proxy_cache_purge comes from the third-party ngx_cache_purge module.
            # "allow all" lets any client purge cached entries; restrict it to trusted addresses.
            location ~ /purge(/.*) {
                allow all;
                proxy_cache_purge cache2 $host$1$is_args$args;
            }

            # Static assets: proxied to Tomcat and cached in zone cache2
            location ~ .*\.(jpeg|jpg|png|css|js)$ {
                proxy_pass http://8090;
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                add_header Nginx-Cache $upstream_cache_status;
                proxy_cache cache2;
                proxy_cache_key $host$uri$is_args$args;
                #proxy_cache_valid 200 304 30m;
                expires 1d;
            }

            location / {
                proxy_pass http://8090;
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Tells Tomcat that the original client request arrived over HTTPS
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_redirect off;
            }

            error_page 500 502 503 504 /50/50.html;
            location ~ /50(/.*) {
                root html;
            }
        }
    }
The most critical settings are ssl_certificate and ssl_certificate_key; the rest is configured as usual. One additional setting is needed: proxy_set_header X-Forwarded-Proto https;
Tomcat-side configuration: server.xml

    <?xml version='1.0' encoding='utf-8'?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Service name="Catalina">
        <Connector port="8090" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443"
                   proxyPort="443"/>
        <Engine name="Catalina" defaultHost="localhost">
          <!-- Host and Valve elements go here -->
        </Engine>
      </Service>
    </Server>

The Connector must have proxyPort="443"; this is the key to the whole article. Of course, redirectPort must also be 443. The configuration of the <Valve> node is also important; without it, the application in Tomcat will not read the correct value from the getScheme() method, and some of the security policies configured in web.xml will not work.
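The Valve element itself did not survive on this page. As an added example (not the original author's configuration), this is one way to make Tomcat honor the X-Forwarded-Proto header that Nginx sets above, using Tomcat's RemoteIpValve. The internalProxies value assumes Nginx connects to Tomcat from 127.0.0.1 on the same host.

```xml
<!-- Added example: place inside <Engine> or <Host> in server.xml. -->
<!-- RemoteIpValve rewrites the request's scheme, secure flag and remote  -->
<!-- address from the forwarded headers, so getScheme() returns "https"   -->
<!-- and isSecure() returns true for requests that Nginx received on 443. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https"
       internalProxies="127\.0\.0\.1" />
<!-- internalProxies is a regular expression matched against the address  -->
<!-- of the directly connecting peer. Headers are honored only when it    -->
<!-- matches, so a client that reaches port 8090 without going through    -->
<!-- Nginx cannot claim HTTPS by sending X-Forwarded-Proto itself.        -->
<!-- Assumption: Nginx and Tomcat share a host; otherwise put the proxy's -->
<!-- real address here instead of 127.0.0.1.                              -->
```

Because the forwarded headers are trusted based on source address alone, port 8090 should also be firewalled or bound so that only the Nginx host can reach it.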
Nginx+Tomcat for HTTPS access (Tomcat does not have an SSL certificate)