Nginx+Tomcat+HTTPS

Normally you can simply enable SSL on both Nginx and Tomcat.

An alternative worth considering is this:

The browser talks to Nginx over HTTPS, while Nginx forwards to Tomcat via proxy_pass over a plain HTTP connection, as in the diagram below:

[diagram: browser <-HTTPS-> Nginx <-plain HTTP (proxy_pass)-> Tomcat]

The Nginx SSL configuration:

upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {
    # spdy was removed from nginx in 1.9.5; http2 is its replacement
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    ssl_certificate     /usr/local/nginx/conf/ca/www.lijun.me.crt;
    ssl_certificate_key /usr/local/nginx/conf/ca/www.lijun.me.key;
    # SSLv3 (POODLE) and RC4 are broken; allow only TLS 1.2 and 1.3
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        # $proxy_add_x_forwarded_for appends the client address to any
        # X-Forwarded-For the client already sent (the original lacked the $,
        # which would have sent the literal string to Tomcat)
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # tell Tomcat the client connection was TLS; RemoteIpValve reads this
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout    240;
        proxy_read_timeout    240;
        # note: there is no SSL here, plain HTTP to the local Tomcat is used
        proxy_pass http://tomcat;
    }
}

The key configuration is on the Tomcat side:

  1. proxyPort and redirectPort on the Connector must both be 443: proxyPort makes getServerPort() report the port the browser used, and redirectPort is where Tomcat sends a request that must be upgraded to HTTPS.
  2. Configure the <Valve> element below. Without it, getScheme() in the application returns "http" and the security constraints in web.xml (transport-guarantee CONFIDENTIAL) do not work: Tomcat redirects to https://host:443/..., Nginx proxies that request over plain HTTP again, and the client ends up in a redirect loop. The valve only honours X-Forwarded-For / X-Forwarded-Proto when the request arrives from an address matching its internalProxies (127.0.0.0/8 and the private ranges by default), which is why Nginx proxies to 127.0.0.1; for the same reason the Connector should not be reachable from outside, otherwise a client could bypass TLS by hitting port 8080 directly.

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"
    />

The complete server.xml that meets these requirements:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- address="127.0.0.1" keeps port 8080 off external interfaces, so the
         only way in is through Nginx, the proxy whose headers the valve trusts -->
    <Connector port="8080" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000"
               redirectPort="443"
               proxyPort="443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto"
        />
        <Context path="" docBase="/path/webapp" reloadable="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
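To make concrete what the valve does with the headers Nginx sets, and why the security constraints loop without it, here is an added Python model of RemoteIpValve's handling of X-Forwarded-For and X-Forwarded-Proto, together with a stand-in for a CONFIDENTIAL transport-guarantee. It is example code written for this page, not Tomcat's implementation and not part of the original post. It assumes the IPv4 defaults of the valve's internalProxies; the host name www.lijun.me, the path /admin and the addresses 203.0.113.x / 198.51.100.x are constructed test data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed approximation of RemoteIpValve's default internalProxies (IPv4 part).
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "172.16.0.0/12")]


@dataclass
class Request:
    """Minimal stand-in for the servlet request fields the valve rewrites."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)
    scheme: str = "http"
    secure: bool = False
    server_port: int = 8080

    def __post_init__(self) -> None:
        # HTTP header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def header(self, name: str) -> Optional[str]:
        return self.headers.get(name.lower())


def is_internal_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_PROXIES)


def apply_remote_ip_valve(req: Request,
                          remote_ip_header: str = "x-forwarded-for",
                          protocol_header: str = "x-forwarded-proto",
                          https_server_port: int = 443,
                          http_server_port: int = 80) -> Request:
    """Rewrite req the way RemoteIpValve does (hypothetical model, not Tomcat code)."""
    # The headers are only honoured when the immediate peer is a trusted proxy;
    # a client that reaches port 8080 directly cannot forge them.
    if not is_internal_proxy(req.remote_addr):
        return req

    xff = req.header(remote_ip_header) or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right (the hop nearest to us), dropping our own proxies;
    # the first address that is not one of ours is the real client.
    while hops and is_internal_proxy(hops[-1]):
        hops.pop()
    if hops:
        req.remote_addr = hops.pop()
        # Whatever is left of the client (e.g. a value the client injected
        # itself) stays in the header but never becomes getRemoteAddr().
        if hops:
            req.headers[remote_ip_header] = ", ".join(hops)
        else:
            req.headers.pop(remote_ip_header, None)

    proto = req.header(protocol_header)
    if proto is not None:
        if proto.strip().lower() == "https":
            req.scheme, req.secure, req.server_port = "https", True, https_server_port
        else:
            req.scheme, req.secure, req.server_port = "http", False, http_server_port
    return req


def dispatch(req: Request, host: str, path: str, use_valve: bool,
             redirect_port: int = 443) -> Tuple[str, str]:
    """Model a web.xml <transport-guarantee>CONFIDENTIAL</transport-guarantee> on path."""
    if use_valve:
        apply_remote_ip_valve(req)
    if not req.secure:
        # Tomcat bounces a non-secure request to the Connector's redirectPort.
        return ("redirect", f"https://{host}:{redirect_port}{path}")
    return ("serve", f"{req.scheme}://{host}:{req.server_port}{path} from {req.remote_addr}")


def via_nginx(client_ip: str, injected_xff: Optional[str] = None) -> Request:
    """Build the request Tomcat sees after the Nginx config above (constructed data)."""
    xff = f"{injected_xff}, {client_ip}" if injected_xff else client_ip
    return Request("127.0.0.1", {"X-Forwarded-For": xff, "X-Forwarded-Proto": "https"})


if __name__ == "__main__":
    print(dispatch(via_nginx("203.0.113.7"), "www.lijun.me", "/admin", use_valve=False))
    print(dispatch(via_nginx("203.0.113.7"), "www.lijun.me", "/admin", use_valve=True))
    print(apply_remote_ip_valve(via_nginx("203.0.113.7", "198.51.100.9")).remote_addr)
```

Run stand-alone, the first line shows the redirect a valve-less Tomcat emits for an already-HTTPS request (Nginx would proxy that again as plain HTTP, which is the loop), the second shows the same request served with the right scheme, port and client address once the valve is active, and the third shows that an X-Forwarded-For value injected by the client is pushed left by Nginx's $proxy_add_x_forwarded_for and never becomes the remote address.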
