Applying for an HTTPS certificate
- Generate a certificate signing request (CSR) and keep the private key file on the server, e.g. /data/web/crt/server.key
- Submit the CSR to apply for the certificate
- Obtain the server certificate: paste the SSL certificate text block and then the intermediate certificate text block from the e-mail, in that order, into the server certificate file, e.g. /data/web/crt/server.cer
Configuring Nginx to serve HTTPS
- Edit the virtual host configuration file of the site that should serve HTTPS, e.g. nginx/conf/vhosts/mydomain.conf
Add or modify the following configuration blocks:
# Plain-HTTP server: redirects every request to HTTPS
server {
    listen 80;
    server_name admin.mobile.upay360.cn;
    rewrite ^(.*) https:
}
# HTTPS server: terminates TLS here and reverse-proxies to Tomcat
server {
    #listen 80;
    listen 443 ssl;
    server_name admin.mobile.upay360.cn;
    index index.jsp;
    ssl on;
    ssl_certificate /home/server.cer;
    ssl_certificate_key /home/server.key;
    #ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http:
        # pass the client address and original Host header on to Tomcat
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_next_upstream timeout;
        proxy_connect_timeout 300;
    }
    access_log /data/web/nginx/logs/access.log my;
}
- Reload nginx with nginx/sbin/nginx -s reload
- At this point HTTPS is in effect for both nginx and Tomcat
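As an added example (not part of the original guide), the following Python script parses the TLS directives of a server block like the one above and flags the settings that current guidance considers deprecated: `ssl on`, the TLSv1/TLSv1.1 protocols, and the cipher-list keywords that leave RC4, export-grade and anonymous suites enabled. The two sample server blocks are constructed for this example; the `HIGH:!aNULL:!MD5:!RC4` cipher list and the TLSv1.2/TLSv1.3 protocol set in the hardened block are assumptions about a reasonable modern baseline, not values taken from the guide.

```python
import re

# Constructed sample: the HTTPS server block from this guide, reduced to its TLS lines.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
"""

# Constructed sample: the same block with an assumed modern baseline (not from the guide).
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords that select broken, export-grade or unauthenticated suites.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4", "SSLv2", "ADH", "aNULL", "eNULL", "MD5", "DES"}

def parse_directives(conf):
    """Map directive name -> value for one-line directives; comments and braces are ignored."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([a-z_]+)\s+(.*);$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def lint_tls(conf):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    d = parse_directives(conf)
    findings = []
    if d.get("ssl") == "on":
        findings.append("'ssl on' is deprecated; 'listen 443 ssl' is sufficient")
    for proto in sorted(set(d.get("ssl_protocols", "").split()) & DEPRECATED_PROTOCOLS):
        findings.append(f"ssl_protocols enables deprecated {proto}")
    for token in d.get("ssl_ciphers", "").split(":"):
        if token.startswith("!"):
            continue  # '!' removes the suites entirely; a leading '+' only lowers their priority
        parts = set(token.lstrip("+").split("+"))  # 'RC4+RSA' means RC4 AND RSA
        if parts & WEAK_CIPHER_KEYWORDS:
            findings.append(f"ssl_ciphers keeps weak suites enabled via '{token}'")
    return findings
```

Running `lint_tls(WEAK_CONF)` reports seven findings for the guide's block, while the hardened block produces none.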
Configuring Tomcat so that it does not answer HTTP requests that do not come from the local host
- Edit tomcat/conf/server.xml and add the following line:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" deny=""/>
- After this change, Tomcat only accepts the reverse-proxied requests coming from the nginx on the same host