nginx https 反向代理 tomcat的二种方法

张映 发表于 2017-09-30

分类目录: apache/nginx

标签:, ,

nginx做前端代理分发,tomcat处理请求。nginx反代tomcat实现https有二个方法。

一,nginx配置https,tomcat也配置https

1,nginx配置https

upstream https_tomcat_web {
        server 127.0.0.1:8443;
}

server {
        listen       443;
        server_name  www.test.com;
        index index.html;
        root   /var/www/html/test;

        ssl on;
        ssl_certificate /etc/nginx/go.pem;
        ssl_certificate_key /etc/nginx/go.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1.2;
#        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;

        location ~ ^/admin {
            proxy_pass https://https_tomcat_web;  //是https的
            proxy_redirect                      off;
            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            client_max_body_size       100m;
            client_body_buffer_size    256k;
            proxy_connect_timeout      60;
            proxy_send_timeout         30;
            proxy_read_timeout         30;
            proxy_buffer_size          8k;
            proxy_buffers              8 64k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;

        location = /50x.html {
        }

}

2,tomcat的https配置,配置文件server.xml

<Service name="Catalina">
 <Connector port="8001" protocol="HTTP/1.1"
 connectionTimeout="20000"
 redirectPort="8443" />

 <Connector port="8091"
 protocol="AJP/1.3"
 redirectPort="8443" />

//添加以下内容
 <Connector port="8443"
 protocol="HTTP/1.1"
 SSLEnabled="true"
 scheme="https"
 secure="false"
 keystoreFile="cert/gotom.pfx"
 keystoreType="PKCS12"
 keystorePass="214261272770418"
 clientAuth="false"
 SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
 ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />

 ..................省略....................
 </Service>

配置好后重新启动nginx,tomcat,就可以https访问了,这也是我现在采用的配置方式 。

二,nginx采用https,tomcat采用http

1,nginx配置https

upstream https_tomcat_web {
        server 127.0.0.1:8001;
}

server {
        listen       443;
        server_name  www.test.com;
        index index.html;
        root   /var/www/html/test;

        ssl on;
        ssl_certificate /etc/nginx/go.pem;
        ssl_certificate_key /etc/nginx/go.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1.2;
#        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;

        location ~ ^/admin {
            proxy_pass http://https_tomcat_web;  //是http的
            proxy_redirect                      off;
            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            client_max_body_size       100m;
            client_body_buffer_size    256k;
            proxy_connect_timeout      60;
            proxy_send_timeout         30;
            proxy_read_timeout         30;
            proxy_buffer_size          8k;
            proxy_buffers              8 64k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;

        location = /50x.html {
        }

}

2,tomcat的http配置,配置文件server.xml

<Service name="Catalina">
 <Connector port="8001" protocol="HTTP/1.1"
 connectionTimeout="20000"
 redirectPort="443" />    //在这里重新定向到了443端口

 <Connector port="8091"
 protocol="AJP/1.3"
 redirectPort="443" />

 ..................省略....................
 </Service>

重启nginx,tomcat,https就配置好了。

不管是第一种方法,还是第二种方法,如果通过http,直接访问8001端口,浏览器都会提示你不安全的访问,因为本身是http,确被重定向到了https。



转载请注明
作者:海底苍鹰
地址:http://blog.51yip.com/apachenginx/1877.html

2 条评论

  1. OneTwoOne 留言

    great~

  2. 水表 留言

    请问能Nginx采用http 而tomcat采用https 这种配置吗? 看到能邮件回复下么?