Nginx+tomcat实现https访问（tomcat不配ssl证书）

原创

liaofeng2 2016-11-02 18:51:49 ©著作权

文章标签 tomcat https nginx 文章分类 Nginx 服务器

©著作权归作者所有：来自51CTO博客作者liaofeng2的原创作品，请联系作者获取转载授权，否则将追究法律责任

用户端与Nginx通讯使用https，Nginx与tomcat通讯可以只使用http，简化证书配置。

Nginx端配置nginx.conf

user nginx;
worker_processes  2;

error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid /usr/local/nginx/nginx.pid;

events {
    worker_connections  1024;
}

http {
	charset  utf-8;
	server_names_hash_bucket_size 128;
	client_header_buffer_size 4k;
	large_client_header_buffers 4 32k;
	client_max_body_size 300m;
	sendfile on;
	tcp_nopush     on;
	   
	keepalive_timeout 60;
	   
	tcp_nodelay on;
	client_body_buffer_size  512k;
	 
	proxy_connect_timeout    5;
	proxy_read_timeout       30;
	proxy_send_timeout       5;
	proxy_buffer_size        16k;
	proxy_buffers            4 64k;
	proxy_busy_buffers_size 128k;
	proxy_temp_file_write_size 128k;
	   
	  gzip on;
	  gzip_min_length  1k;
	  gzip_buffers     4 16k;
	  gzip_http_version 1.1;
	  gzip_comp_level 2;
	  gzip_types       text/plain application/x-javascript text/css application/xml;
	  gzip_vary on;

	server_tokens off;	  

	log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
			  '$status $body_bytes_sent "$http_referer" '
			  '"$http_user_agent" "$upstream_cache_status" $remote_addr';
	proxy_cache_path  /ngx_cache/proxy_cache/cache1  levels=1:2 keys_zone=cache1:20m inactive=3d max_size=500m;		        
	proxy_cache_path  /ngx_cache/proxy_cache/cache2  levels=1:2 keys_zone=cache2:20m inactive=3d max_size=500m;		        
	
	upstream 8090 
		{
	 	server 0.0.0.0:8090 max_fails=2 fail_timeout=30s;
		}
    server {
        listen      90;
        server_name  www.ddzrh.com;
	location / {
		return 301 https://203.195.144.57$request_uri;
		}
	}
	
    server {
        listen      443;
        server_name  www.ddzrh.com;

		ssl on;
		ssl_certificate      /usr/local/nginx/ssl/cunguan.crt;
		ssl_certificate_key  /usr/local/nginx/ssl/cunguan.key;
        	ssl_session_cache shared:SSL:1m;
        	ssl_session_timeout  10m;

        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; 
       	ssl_prefer_server_ciphers   on;	

	location ~ /purge(/.*) {
		allow all;
		proxy_cache_purge cache2 $host$1$is_args$args;
		}
        location ~ \.*(jpeg|jpg|png|css|js)$ {
                proxy_pass http://8090;
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_set_header Host  $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		add_header Nginx-Cache $upstream_cache_status;
		proxy_cache cache2;
		proxy_cache_key $host$uri$is_args$args;
		#proxy_cache_valid 200 304 30m;
		expires      1d;
	        	}
        location / {
                proxy_pass http://8090;
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                proxy_set_header Host  $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Real-IP $remote_addr;
		proxy_redirect off;
        	}
        error_page   500 502 503 504  /50/50.html;
        location ~ /50(/.*) {
        	root   html;
        	}
	}
}

其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置，其他的按正常配置。不过多了一个 proxy_set_header X-Forwarded-Proto https; 配置。

tomcat端配置server.xml

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8090" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               proxyPort="443"/>
 
    <Engine name="Catalina" defaultHost="localhost">
 
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
            <Valve className="org.apache.catalina.valves.RemoteIpValve"
                  remoteIpHeader="x-forwarded-for"
                  remoteIpProxiesHeader="x-forwarded-by"
                  protocolHeader="x-forwarded-proto"
            />
            <Context path="" docBase="/oschina/webapp" reloadable="false"/>
      </Host>
    </Engine>
  </Service>
</Server>

必须有 proxyPort="443"，这是整篇文章的关键，当然 redirectPort 也必须是 443。同时 <Value> 节点的配置也非常重要，否则你在 Tomcat 中的应用在读取 getScheme() 方法以及在 web.xml 中配置的一些安全策略会不起作用。