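Nginx acts as the front-end proxy and dispatches requests; Tomcat handles them. There are two ways to serve HTTPS when Nginx reverse-proxies Tomcat.
I. Nginx configured for HTTPS, Tomcat also configured for HTTPS
1. Nginx HTTPS configuration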

    upstream https_tomcat_web {
        server 127.0.0.1:8443;
    }

    server {
        # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
        listen 443 ssl;
        server_name www.test.com;
        index index.html;
        root /var/www/html/test;

        ssl_certificate /etc/Nginx/go.pem;
        ssl_certificate_key /etc/Nginx/go.key;
        ssl_session_timeout 5m;
        # SSLv2 and SSLv3 are broken protocols and must not be offered
        ssl_protocols TLSv1.2;
        # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;

        location ~ ^/admin {
            # The upstream speaks HTTPS. nginx does not verify the upstream
            # certificate unless proxy_ssl_verify is turned on.
            proxy_pass https://https_tomcat_web;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            client_max_body_size 100m;
            client_body_buffer_size 256k;
            proxy_connect_timeout 60;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
            proxy_buffer_size 8k;
            proxy_buffers 8 64k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

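2. Tomcat HTTPS configuration, in the configuration file server.xml
Add the following content
Once configured, restart Nginx and Tomcat, and the site can be accessed over HTTPS. This is also the configuration I currently use.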
II. Nginx uses HTTPS, Tomcat uses HTTP
1. Nginx HTTPS configuration

    upstream https_tomcat_web {
        server 127.0.0.1:8001;
    }

    server {
        # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
        listen 443 ssl;
        server_name www.test.com;
        index index.html;
        root /var/www/html/test;

        ssl_certificate /etc/Nginx/go.pem;
        ssl_certificate_key /etc/Nginx/go.key;
        ssl_session_timeout 5m;
        # SSLv2 and SSLv3 are broken protocols and must not be offered
        ssl_protocols TLSv1.2;
        # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;

        location ~ ^/admin {
            # The upstream speaks plain HTTP; traffic between Nginx and
            # Tomcat is unencrypted and stays on the loopback interface.
            proxy_pass http://https_tomcat_web;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            client_max_body_size 100m;
            client_body_buffer_size 256k;
            proxy_connect_timeout 60;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
            proxy_buffer_size 8k;
            proxy_buffers 8 64k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

2. Tomcat HTTP configuration, in the configuration file server.xml
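Restart Nginx and Tomcat, and HTTPS is configured.
Whichever method is used, the first or the second, if you access port 8001 directly over HTTP, the browser warns you that the access is not secure, because the request itself is HTTP yet is redirected to HTTPS.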
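
A check for the TLS and upstream settings used in the two methods above, as an added example that is not part of the original post: it flags legacy values in ssl_protocols, an HTTPS upstream without proxy_ssl_verify (an nginx directive that defaults to off), and a plaintext upstream that leaves the loopback interface. The function names, the sample strings and the address 10.0.0.5 are constructed for illustration.

```python
import ipaddress
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed samples modelled on the page's configs; 10.0.0.5 is a hypothetical remote backend.
SAMPLE_HTTPS_UPSTREAM = """
upstream https_tomcat_web { server 127.0.0.1:8443; }
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    location ~ ^/admin { proxy_pass https://https_tomcat_web; }
}
"""
SAMPLE_HTTP_REMOTE = SAMPLE_HTTPS_UPSTREAM.replace("SSLv2 SSLv3 ", "").replace(
    "127.0.0.1:8443", "10.0.0.5:8001").replace("https://", "http://")

def is_loopback(addr):
    """True if an upstream address (host[:port] or unix: socket) stays on this host."""
    if addr.startswith("unix:"):
        return True
    host = re.sub(r":\d+$", "", addr).strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(conf):
    """Return sorted findings for one nginx configuration string."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments
    items = [s.split() for s in re.split(r"[;{}]", text) if s.split()]
    upstreams, current, findings = {}, None, set()
    for name, *args in items:  # pass 1: map upstream names to their servers
        if name == "upstream" and args:
            current = args[0]
        elif name == "server" and args and current:
            upstreams.setdefault(current, []).append(args[0])
    verify_on = ["proxy_ssl_verify", "on"] in items
    for name, *args in items:  # pass 2: evaluate TLS and proxy directives
        if name == "ssl_protocols":
            findings.update("weak protocol enabled: " + p for p in WEAK_PROTOCOLS & set(args))
        elif name == "proxy_pass" and args:
            scheme, _, rest = args[0].partition("://")
            target = rest.split("/", 1)[0]
            backends = upstreams.get(target, [target])
            if scheme == "https" and not verify_on:
                findings.add("HTTPS upstream certificate is not verified")
            if scheme == "http" and not all(map(is_loopback, backends)):
                findings.add("plaintext upstream is not on loopback")
    return sorted(findings)
```

Calling `audit()` on the text of a site's configuration file returns an empty list when none of the three conditions is present.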