Nginx + Tomcat+HTTP/HTTPS实现负载均衡实例

【1】Nginx基础配置文件

Nginx配置使用了模块化，即将基础配置写在nginx.conf中，其他具体端口监听配置写在具体配置文件中，然后引入到nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections  1024;
}


http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    // 注意这里，引入其他配置
}

---

【2】HTTP

外部请求发HTTP到Nginx，Nginx使用HTTP转发到Tomcat集群。

这里Nginx监听的Http端口是8083，Tomcat内网监听8085 8086端口，Tomcat和Nginx直接Http协议。

8083.conf :

upstream backend 
{
  server 127.0.0.1:8085  weight=1;
  server 127.0.0.1:8086  weight=1;
  #ip_hash;
}

server {
    listen       8083;//监听8083
    server_name  _;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    
    location ~^/* {
  proxy_pass http://backend;//所有请求都跳转到Tomcat集群
  proxy_set_header Host $host:$server_port; //非默认端口需要添加$server_port
  proxy_set_header X-Real-IP $remote_addr; 
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
    }

location ~* /web.config {
  deny all;
  return 403;
}

location ~* /.htaccess {
  deny all;
  return 403;
}

location ~ .*.(svn|git|cvs) {
    deny all;
    return 403;
}

}

---

Tomcat 需要在Engine里面添加配置如下：

<Valve className="org.apache.catalina.valves.RemoteIpValve"
                remoteIpHeader="x-forwarded-for"
                remoteIpProxiesHeader="x-forwarded-by"
                protocolHeader="x-forwarded-proto"
                httpServerPort="8083"
                httpsServerPort="8443"/>

---

【3】HTTPS

外部请求发HTTPS到Nginx，Nginx使用HTTP转发到Tomcat集群。

这里Nginx监听的Http端口是8443，Tomcat内网监听8085 8086端口，Tomcat和Nginx直接Http协议。

8443.conf :

upstream backends
{
  server 127.0.0.1:8085  weight=1;
  server 127.0.0.1:8086  weight=1;
  #ip_hash;
}

server {
    listen       8443;//监听8443
    ssl          on;//开启ssl
    ssl_certificate /etc/nginx/conf.d/www.XXXXx.crt;//证书
    ssl_certificate_key /etc/nginx/conf.d/www.XXXXx.key;//key
    server_name  _;

    location ~^/* {
    proxy_set_header Host $host:$server_port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
    proxy_pass http://backends;//转发到Tomcat集群
    proxy_connect_timeout 60;
    proxy_send_timeout 18000;
    proxy_read_timeout 18000;
    }        

  location ~* /web.config {
    deny all;
    return 403;
  }
  
  location ~* /.htaccess {
    deny all;
    return 403;
  }
  
  location ~ .*.(svn|git|cvs) {
      deny all;
      return 403;
  }

}

Tomcat 需要在Engine里面添加配置如下：

<Valve className="org.apache.catalina.valves.RemoteIpValve"
                remoteIpHeader="x-forwarded-for"
                remoteIpProxiesHeader="x-forwarded-by"
                protocolHeader="x-forwarded-proto"
                httpServerPort="8083"
                httpsServerPort="8443"/>

---

Nginx 目录结构见下图：

---

【4】如果Nginx和Tomcat之间使用HTTPS呢？

两种情况，第一Tomcat配置HTTPS，安装证书；第二Tomcat做额外配置，支持HTTPS协议。

第一种：

Tomcat conf/server.xml修改如下图，同时在conf目录下放入证书。

---

第二种：

Tomcat conf/server.xml修改如下：

//这里修改
 <Connector port="8085" protocol="HTTP/1.1" URIEncoding="UTF-8"
               connectionTimeout="20000"
               redirectPort="8443" 
               proxyPort="8443"/>

 <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
           // 这里添加
         <Valve className="org.apache.catalina.valves.RemoteIpValve"
                remoteIpHeader="x-forwarded-for"
                remoteIpProxiesHeader="x-forwarded-by"
                protocolHeader="x-forwarded-proto"
                protocolHeaderHttpsValue="https"/>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t "%r" %s %b" />
 
      </Host>
    </Engine>

---

如果端口不是默认的80或者443，Engine需要添加如下：

<Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="x-forwarded-for"
        remoteIpProxiesHeader="x-forwarded-by"
        protocolHeader="x-forwarded-proto"
        protocolHeaderHttpsValue="https"
        httpsServerPort="8443"/>

---

同时，8443.conf修改如下：

upstream backends{
        # ip_hash;//这里使用默认算法 
        server 127.0.0.1:8085 weight=2;
        server 127.0.0.1:8086 weight=1;//权重越高表示被分配到的几率越大
    }

    server {
        listen       8443;
        ssl          on;
        ssl_certificate /etc/nginx/conf.d/www.heheyun.com.cn_bundle.crt;
        ssl_certificate_key /etc/nginx/conf.d/www.heheyun.com.cn.key;
        server_name  _;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

  location / {
       proxy_pass https://backends;//将请求转发到集群
       proxy_set_header Host $host:$server_port;
       proxy_set_header X-Real-IP $remote_addr; 
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;    
     proxy_set_header X-Forwarded-Proto https;  
     proxy_redirect off;  
     proxy_connect_timeout      240;  
     proxy_send_timeout         240;  
     proxy_read_timeout         240;  
     # note, there is not SSL here! plain HTTP is used
        }  
    }

这两种方式暂未实践，如有实践的烦请回复是否正确，不胜感激！

---

【5】SSL 和 TLS

SSL（Socket Secure Layer 缩写）是一种通过 HTTP 提供安全连接的协议。

SSL 1.0 由 Netscape 开发，但由于严重的安全漏洞从未公开发布过。SSL 2.0 于 1995 年发布，它存在一些问题，导致了最终的 SSL 3.0 在 1996 年发布。

TLS（Transport Layer Security 缩写）的第一个版本是作为 SSL 3.0 的升级版而编写的。之后 TLS 1.1 和 1.2 出来了。现在，就在不久之后，TLS 1.3 即将推出（这确实值得期待），并且已经被一些浏览器所支持。

从技术上讲，SSL 和 TLS 是不同的（因为每个协议都描述了协议的不同版本），但其中使用的许多名称是可以互换的。

使用 HTTPS，在 TCP 之上需要增加 TLS 握手。这会增加此前实际数据传输的时间。