Nginx安装
1、 配置conf,开启443端口,ssl
其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置（私钥文件必须只允许 nginx 主进程读取，不要放在站点目录下），其他的按正常配置。proxy_set_header X-Forwarded-Proto https 一定要配置好：Tomcat 在 8080 上只看到明文 HTTP，如果没有这个请求头（以及下面让 Tomcat 信任它的 RemoteIpValve），Tomcat 自己生成的重定向会指向 http:// 而不是 https://。
多注意下面配置
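# Headers the backend needs to reconstruct the original client request; these go
# inside the proxied location of the 443 server block below.
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
# Appends the connecting client's address to whatever X-Forwarded-For the client
# itself sent, so only the right-most entry is trustworthy. If nothing ever sits
# in front of this nginx, `$remote_addr` alone discards client-supplied values.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Evaluates to "https" inside the 443 listener (the original hard-coded the
# literal). Tomcat only sees plain HTTP on 8080; without this header it builds
# http:// redirects. The variable stays correct if the location is reused.
proxy_set_header X-Forwarded-Proto $scheme;
# Response-body rewriting options; they only take effect together with a
# `sub_filter` directive, which this snippet does not include.
sub_filter_once off;
sub_filter_types *;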
关键配置如下:
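server {
    listen 443 ssl;
    # Placeholder: use the hostname the certificate is issued for, otherwise
    # clients reaching the site by its public name get a certificate mismatch.
    server_name localhost;

    # Certificate chain and private key. `server.key.unsecure` is a
    # passphrase-less key: keep it outside any served directory and readable
    # only by the nginx master process (root, mode 0600); whoever can read it
    # can impersonate this site.
    ssl_certificate server.crt;
    ssl_certificate_key server.key.unsecure;

    # Pin the protocol versions. The original set none and so relied on the
    # nginx build default, which on older releases still enabled TLSv1/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original HIGH:!aNULL:!MD5 still
    # admitted static-RSA key exchange and CBC suites; widen this list only if
    # a legacy client that cannot do ECDHE+AEAD must be supported.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Tell browsers to stay on HTTPS for this host. Enable only once every
    # path on the host is served over TLS; browsers cache the policy for
    # max-age seconds, so it cannot be quickly undone.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Reverse proxy to the Tomcat connector on loopback.
    location /xxx/ {
        # Location headers are left to Tomcat, which builds them from
        # proxyPort / X-Forwarded-Proto (see the Connector and RemoteIpValve
        # settings below) rather than from the 8080 origin.
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the client address to any X-Forwarded-For the client sent,
        # so only the right-most entry is trustworthy; RemoteIpValve honours
        # this for connections arriving from its internalProxies. If nothing
        # ever sits in front of nginx, `$remote_addr` alone drops forged values.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # "https" inside this listener; the variable keeps the header correct
        # if the location is ever copied into a plain-HTTP server block.
        proxy_set_header X-Forwarded-Proto $scheme;

        client_body_buffer_size 128k;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_connect_timeout 3;
        proxy_send_timeout 30;
        proxy_read_timeout 30;

        # Response-body rewriting for every content type. These only do
        # anything together with a `sub_filter` directive, which this block
        # does not set. NOTE(review): remove them unless a sub_filter is added.
        sub_filter_once off;
        sub_filter_types *;

        # The backend speaks plain HTTP; TLS terminates here, so the Tomcat
        # connector should be bound to 127.0.0.1 so that 8080 is not reachable
        # directly from outside.
        proxy_pass http://127.0.0.1:8080/xxx/;
    }
}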
Tomcat安装配置
配置支持https 关键配置,修改tomcat server.xml文件。
a: 在 Connector 上添加重定向端口 redirectPort="443" 和代理端口 proxyPort="443"；否则 Tomcat 自己生成的重定向（包括安全约束触发的 HTTPS 跳转）会指向 8080 端口而不是对外的 443 端口。由于 TLS 在 nginx 终止、nginx 通过 127.0.0.1 访问 Tomcat，建议同时加上 address="127.0.0.1"，避免 8080 端口被外部直接访问从而绕过 TLS 和代理头。
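<!-- Plain-HTTP connector that nginx proxies to. TLS terminates in nginx, so
     bind to loopback: without `address` Tomcat listens on every interface and
     port 8080 is reachable directly, bypassing TLS and the proxy headers.
     If nginx runs on another machine, bind to that path's interface and
     restrict 8080 with a firewall rule instead.
     redirectPort/proxyPort make Tomcat-generated redirects (including the
     HTTPS redirect for CONFIDENTIAL security constraints) point at the public
     443 port rather than 8080. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="443"
           proxyPort="443"
           />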
b: 在 <Host> 中加入 Valve 节点 RemoteIpValve，属性如下。否则应用里 getScheme()/isSecure() 仍然返回 http，web.xml 中配置的 <transport-guarantee>CONFIDENTIAL</transport-guarantee> 之类的安全策略会把请求当成非 HTTPS 处理，可能导致反复重定向。注意 internalProxies 决定了信任哪些来源的 X-Forwarded-* 头，应限定为 nginx 连接过来的地址。
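<!-- Rewrites the request's remote address, scheme and port from the
     X-Forwarded-* headers that nginx sets, so getScheme()/isSecure() and
     transport-guarantee constraints see the original HTTPS request.
     internalProxies restricts whose headers are believed: the Tomcat default
     covers all RFC 1918 ranges, so a LAN client reaching 8080 directly, or one
     whose private address nginx appends, would itself be treated as a proxy
     and a forged X-Forwarded-For from it accepted. Limit it to the address
     nginx connects from (127.0.0.1 per the proxy_pass above). -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto"
       />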
个人测试完整配置如下
Nginx
# Main-context settings. `user` is left at the build default here, so check the
# effective worker account with `ps` rather than assuming "nobody"; workers must
# not run as root. error_log and pid are likewise left at the build defaults.
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
# Per-worker connection cap; with a single worker this is the whole server's limit.
worker_connections 1024;
}
http {
client_max_body_size 20m;
client_header_buffer_size 40k;
open_file_cache max=200 inactive=2h;
open_file_cache_valid 3h;
open_file_cache_min_uses 1;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include mime.types;
#gzip on;
# http配置