Practice of configuring SSL in NGINX without modifying tomcat and program configuration

Source: Internet
Author: User
This article mainly introduces how to configure SSL in NGINX without modifying the Tomcat or program configuration.
SSL solution:
1. NGINX performs the SSL handshake, and plain HTTP is still used between NGINX and Tomcat (this reduces the number of SSL handshakes when NGINX and Tomcat sit in the same secure intranet). NGINX's proxy forwarding (proxy_redirect: reverse replacement of the proxy_pass or upstream address in, for example, the URL returned by Tomcat) rewrites from HTTP to HTTPS. Multiple proxy_redirect entries are allowed. Note that the port number must be written if it needs to be replaced.
2. NGINX forcibly rewrites every HTTP request it receives to HTTPS.
3. NGINX-side optimizations, including keepalive_timeout and enabling the SSL session cache.
4. Tomcat, the project code and the configuration files (currently) do not need to be changed.
5. Note that the data the program obtains from the HTTP headers is correct, including the HTTPS protocol, port number and client IP address. However, the request information returned by request.getScheme() (http or https), request.isSecure() (secure or not, boolean), request.getRequestURL().toString() (URL, with protocol name), request.getRemoteAddr() (client IP address), etc. is incorrect, because nginx forwards the request to Tomcat without replacing it, so Tomcat sees nginx's information. If necessary, configure a valve in Tomcat's server.xml.
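As an added example (not from the original article), the Tomcat-side fallback mentioned in step 5: a RemoteIpValve entry for server.xml that maps the headers set by the nginx configuration onto the servlet request. The internalProxies value is an assumed placeholder for the nginx host's intranet address.

```xml
<!-- Added example: place inside the <Engine> or <Host> element of Tomcat's server.xml.
     After this, request.getScheme(), request.isSecure(), request.getServerPort() and
     request.getRemoteAddr() describe the original client instead of the nginx hop. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="192\.168\.1\.\d{1,3}" />
<!-- remoteIpHeader: the rightmost address in this header that is not an internal proxy
                     becomes getRemoteAddr(); nginx fills it with $proxy_add_x_forwarded_for.
     protocolHeader: when its value equals protocolHeaderHttpsValue, getScheme() returns
                     "https", isSecure() is true and getServerPort() is httpsServerPort.
     internalProxies: regex of addresses allowed to set these headers; requests arriving
                     directly from any other address keep their headers ignored, so a
                     client cannot spoof the scheme or its own IP. Placeholder: replace
                     with the real address(es) of the nginx host(s). -->
```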
-------------------------
Nginx configuration:
(1) Place the custom configuration file xxx.conf in the /etc/nginx/conf.d folder.
(2) Add include /etc/nginx/conf.d/*.conf; to the http block of nginx/nginx.conf so that the file is imported.
(3) Perform the SSL optimization configuration in nginx.conf by adding the following to the http block:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
(4) Make the following configuration in the custom configuration file xxx.conf:
# HTTP server
server {
    # listening port
    listen 80;
    # listening domain/IP
    server_name abc.e-lingcloud.com;
    # Request redirection; search for "rewrite" for the meaning and usage of this directive.
    # It may be placed in the server, location and if blocks.
    # In this example all port-80 HTTP requests must be forwarded, so rewrite sits directly
    # under the server block and the location block has been commented out.
    rewrite ^(.*) https://$host$1 permanent;
    # location / {
    #     proxy_pass http://192.168.1.111:8080;
    #     proxy_set_header Host $host;
    #     proxy_redirect http://192.168.1.111:8080 http://abc.e-lingcloud.com:59998;
    #     proxy_set_header X-Real-Ip $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "upgrade";
    # }
}

# HTTPS server
server {
    # listen on the default HTTPS port 443
    listen 443;
    # enable SSL
    ssl on;
    # listening domain name/IP
    server_name abc.e-lingcloud.com;
    # Keep-alive duration (outside an SSL server this directive sets the ordinary HTTP
    # keep-alive time; search for its exact usage).
    keepalive_timeout 70;
    # SSL certificate (public key). For details on generating a certificate refer to the
    # instructions of the vendor you bought it from. In this example the certificate is
    # from Godaddy and the file contains the intermediate certificate together with the
    # certificate issued to you.
    ssl_certificate /etc/ssl/private/e-lingcloud.crt;
    # SSL private key, usually generated before applying for the certificate. Remember to
    # back up the file. The private key is very important and must not be disclosed; keep
    # it in a file with restricted permissions, but the nginx master process must still be
    # able to read it. The private key and certificate may also be stored in one file.
    ssl_certificate_key /etc/ssl/private/e-lingcloud.key;
    location / {
        proxy_pass http://192.168.1.111:8080;
        # Proxy redirection: replaces the first parameter in the upstream response's
        # Location/Refresh header with the second. Note that if Tomcat and the program
        # have no special configuration (for example a Tomcat valve that copies the
        # HTTP header information into the request), the upstream server (Tomcat) returns
        # http links; these rules redirect them to https and the configured server
        # domain name before they reach the client.
        proxy_redirect http://abc.e-lingcloud.com https://abc.e-lingcloud.com;
        proxy_redirect https://192.168.1.111:8443 https://abc.e-lingcloud.com;
        proxy_redirect http://192.168.1.111:8080 https://abc.e-lingcloud.com;
        # Headers added when nginx forwards to Tomcat. Search for the meaning and usage
        # of the individual variables. (X-Forwarded-For carries the client address chain,
        # $proxy_add_x_forwarded_for, not $scheme; the protocol goes in X-Forwarded-Proto.)
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
    }
}


-----------------------------------------
Links and description:
1. Note that some of the nginx configuration in this article contains errors.
http://blog.csdn.net/na_tion/article/details/17334669
2. HTTP is used between nginx and Tomcat, so request.getScheme() still returns http. Note that we recommend not using request.getScheme() in the program to obtain the HTTP header information; the solution in this article requires intruding into the Tomcat configuration.
http://feitianbenyue.iteye.com/blog/2056357
3. Related to article 2: the Tomcat official website provides the API documentation for the valve parameters, explaining what each configuration option does.
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
4. Related to article 2: the article that inspired it. Same note as for the second one.
http://han.guokai.blog.163.com/blog/static/136718271201211631456811/

The above describes how to configure SSL in NGINX without modifying the Tomcat or program configuration; hopefully it is helpful to anyone interested in the topic.
