Nginx+tomcat實現https訪問（tomcat不配ssl認證）

標籤：tomcat   https   nginx   ssl認證   

使用者端與Nginx通訊使用https，Nginx與tomcat通訊可以只使用http，簡化認證配置。

Nginx端配置nginx.conf

user nginx;worker_processes  2;error_log  logs/error.log;#error_log  logs/error.log  notice;#error_log  logs/error.log  info;pid /usr/local/nginx/nginx.pid;events {    worker_connections  1024;}http {charset  utf-8;server_names_hash_bucket_size 128;client_header_buffer_size 4k;large_client_header_buffers 4 32k;client_max_body_size 300m;sendfile on;tcp_nopush     on;   keepalive_timeout 60;   tcp_nodelay on;client_body_buffer_size  512k; proxy_connect_timeout    5;proxy_read_timeout       30;proxy_send_timeout       5;proxy_buffer_size        16k;proxy_buffers            4 64k;proxy_busy_buffers_size 128k;proxy_temp_file_write_size 128k;     gzip on;  gzip_min_length  1k;  gzip_buffers     4 16k;  gzip_http_version 1.1;  gzip_comp_level 2;  gzip_types       text/plain application/x-javascript text/css application/xml;  gzip_vary on;server_tokens off;  log_format  main  ‘$http_x_forwarded_for - $remote_user [$time_local] "$request" ‘  ‘$status $body_bytes_sent "$http_referer" ‘  ‘"$http_user_agent" "$upstream_cache_status" $remote_addr‘;proxy_cache_path  /ngx_cache/proxy_cache/cache1  levels=1:2 keys_zone=cache1:20m inactive=3d max_size=500m;        proxy_cache_path  /ngx_cache/proxy_cache/cache2  levels=1:2 keys_zone=cache2:20m inactive=3d max_size=500m;        upstream 8090 { server 0.0.0.0:8090 max_fails=2 fail_timeout=30s;}    server {        listen      90;        server_name  www.ddzrh.com;location / {return 301 https://203.195.144.57$request_uri;}}    server {        listen      443;        server_name  www.ddzrh.com;ssl on;ssl_certificate      /usr/local/nginx/ssl/cunguan.crt;ssl_certificate_key  /usr/local/nginx/ssl/cunguan.key;        ssl_session_cache shared:SSL:1m;        ssl_session_timeout  10m;        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;        ssl_prefer_server_ciphers   on;location ~ /purge(/.*) {allow all;proxy_cache_purge cache2 $host$1$is_args$args;}        location ~ \.*(jpeg|jpg|png|css|js)$ {                proxy_pass http://8090;                proxy_next_upstream http_502 http_504 error timeout invalid_header;                proxy_set_header Host  $host;                proxy_set_header X-Real-IP $remote_addr;                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;add_header Nginx-Cache $upstream_cache_status;proxy_cache cache2;proxy_cache_key $host$uri$is_args$args;#proxy_cache_valid 200 304 30m;expires      1d;        }        location / {                proxy_pass http://8090;                proxy_next_upstream http_502 http_504 error timeout invalid_header;                proxy_set_header Host  $http_host;                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto https;                proxy_set_header X-Real-IP $remote_addr;proxy_redirect off;        }        error_page   500 502 503 504  /50/50.html;        location ~ /50(/.*) {        root   html;        }}}

其中最為關鍵的就是 ssl_certificate 和 ssl_certificate_key 這兩項配置，其他的按正常配置。不過多了一個 proxy_set_header X-Forwarded-Proto https; 配置。

tomcat端配置server.xml

<?xml version=‘1.0‘ encoding=‘utf-8‘?><Server port="8005" shutdown="SHUTDOWN">  <Service name="Catalina">    <Connector port="8090" protocol="HTTP/1.1"               connectionTimeout="20000"               redirectPort="443"               proxyPort="443"/>     <Engine name="Catalina" defaultHost="localhost">       <Host name="localhost"  appBase="webapps"            unpackWARs="true" autoDeploy="true">            <Valve className="org.apache.catalina.valves.RemoteIpValve"                  remoteIpHeader="x-forwarded-for"                  remoteIpProxiesHeader="x-forwarded-by"                  protocolHeader="x-forwarded-proto"            />            <Context path="" docBase="/oschina/webapp" reloadable="false"/>      </Host>    </Engine>  </Service></Server>

必須有 proxyPort="443"，這是整篇文章的關鍵，當然 redirectPort 也必須是 443。同時 <Value> 節點的配置也非常重要，否則你在 Tomcat 中的應用在讀取 getScheme() 方法以及在 web.xml 中配置的一些安全性原則會不起作用。

Nginx+tomcat實現https訪問（tomcat不配ssl認證）