Nginx部署多台tomcat,并配置SSL证书
申请证书步骤省略,启动多台tomcat省略
配置nginx
1.配置访问http时重定向为https请求
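server {
    # Plain-HTTP listener; its only job is to send every request to HTTPS.
    listen 80;
    # Host name (here the server's IP address) this block answers for.
    server_name 10.79.10.77;
    # Permanent (301) redirect to HTTPS. `return` is the form the nginx docs
    # recommend over a regex rewrite; $request_uri keeps the original path and
    # query string. $server_name (not $host) is used deliberately so a
    # client-supplied Host header cannot steer the redirect to another site.
    return 301 https://$server_name$request_uri;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}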
2.配置https
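# HTTPS server
server {
    # TLS listener on 443.
    listen 443 ssl;
    # Tomcat runs on the same Linux host as nginx, so localhost is used here;
    # set this to the host name the certificate was actually issued for.
    server_name localhost;
    # Certificate (server cert followed by any intermediates).
    ssl_certificate /usr/local/nginx/ssl/server.cer;
    # Private key; keep it readable by root only - the master process reads it.
    ssl_certificate_key /usr/local/nginx/ssl/private.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    # TLS 1.2+ only. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and rejected
    # by current browsers. Drop "TLSv1.3" if nginx < 1.13.0 or OpenSSL < 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous string
    # (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP) re-enabled
    # RC4, LOW and EXPORT ciphers and static-RSA key exchange.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    # No client certificates (this is the default; kept for clarity).
    ssl_verify_client off;
    location / {
        # Forward to the servers declared in "upstream tomcat".
        proxy_pass http://tomcat;
        # Pass the original Host and client address so Tomcat's RemoteIpValve
        # can recover the real client IP from X-Forwarded-For.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell Tomcat the client used HTTPS so redirects are built as https://.
        # $scheme is always "https" inside this server block, so the second,
        # hard-coded "https" line that used to follow was redundant.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # WARNING: a wildcard makes every response readable cross-origin from
        # any site. Restrict it to the origins that need it, or remove it if the
        # application serves no cross-origin API calls.
        add_header Access-Control-Allow-Origin *;
        proxy_redirect off;
        proxy_buffer_size 64k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
    }
}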
3.配置多台tomcat
# Pool of Tomcat instances reached via proxy_pass http://tomcat.
upstream tomcat {
    # ip_hash: a given client IP always lands on the same server, so the
    # Tomcat in-memory session is preserved without session replication.
    ip_hash;
    # tomcat1
    server 127.0.0.1:8081;
    # tomcat2
    server 127.0.0.1:8083;
}
4.在tomcat的server.xml配置添加以下内容
在Connector里添加proxyPort="443";建议同时加上address="127.0.0.1",让tomcat只监听本机回环地址——nginx通过127.0.0.1:8081/8083转发不受影响,而外部客户端就无法绕过nginx直连tomcat并伪造X-Forwarded-For/X-Forwarded-Proto头。
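<!-- address="127.0.0.1" binds this connector to loopback only: without it Tomcat
     listens on all interfaces, and any host that can reach port 8081 directly
     bypasses nginx and can forge the X-Forwarded-* headers RemoteIpValve
     trusts. nginx connects via 127.0.0.1:8081, so nothing else changes.
     proxyPort="443" makes Tomcat report 443 as its port in absolute URLs. -->
<Connector address="127.0.0.1" connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="8443" proxyPort="443" URIEncoding="UTF-8"/>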
在同一个server.xml里(通常放在<Host>元素内)补充添加一个RemoteIpValve,让tomcat从nginx设置的X-Forwarded-For/X-Forwarded-Proto头还原客户端真实IP和协议。注意该Valve默认信任所有私有网段(10/8、172.16/12、192.168/16、127/8等)发来的这些头,建议通过internalProxies只信任nginx所在的127.0.0.1。
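<!-- RemoteIpValve rewrites getRemoteAddr()/isSecure()/getServerPort() from the
     X-Forwarded-For / X-Forwarded-Proto headers nginx sets.
     internalProxies limits which peers are trusted to send those headers. The
     Tomcat default pattern covers the private ranges (10/8, 172.16/12,
     192.168/16, 169.254/16, 127/8, ::1); on a 10.79.x.x network that would let
     any internal host that can reach Tomcat directly spoof the client IP.
     Only nginx on 127.0.0.1 should be trusted here. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https" />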
nginx完整配置
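# Run the worker processes as an unprivileged user, never as root: the workers
# are what parse untrusted client traffic, and a compromised root worker hands
# the attacker the whole host. If a worker cannot write proxy_temp (the
# "Permission denied" error discussed later on this page), fix that directory's
# owner to match this user instead of raising nginx to root. "nobody" is the
# compiled-in default; use the account your build or distro created for nginx.
user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}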
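http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;

    # Backend pool. ip_hash pins each client IP to one Tomcat so its in-memory
    # session survives without replication. Both Tomcats are on loopback; make
    # sure their connectors are bound to 127.0.0.1 so nobody can bypass nginx.
    upstream tomcat {
        ip_hash;
        server 127.0.0.1:8081; # tomcat1
        server 127.0.0.1:8083; # tomcat2
    }

    # Plain HTTP: redirect everything to HTTPS.
    server {
        listen 80;
        server_name 10.79.10.77;
        # 301 to HTTPS. $request_uri keeps path and query; $server_name (not
        # $host) keeps a client-supplied Host header out of the redirect target.
        return 301 https://$server_name$request_uri;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS server
    server {
        listen 443 ssl;
        # Tomcat runs on the same host as nginx, hence localhost; set this to the
        # host name the certificate was issued for.
        server_name localhost;
        ssl_certificate /usr/local/nginx/ssl/server.cer;
        # Private key; keep it readable by root only - the master process reads it.
        ssl_certificate_key /usr/local/nginx/ssl/private.key;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:10m;
        # TLS 1.2+ only; TLSv1/TLSv1.1 are deprecated (RFC 8996). Drop
        # "TLSv1.3" if nginx < 1.13.0 or OpenSSL < 1.1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The previous string
        # (ALL:...:RC4+RSA:+LOW:+SSLv2:+EXP) re-enabled RC4, LOW and EXPORT
        # ciphers and static-RSA key exchange.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        # No client certificates (the default; kept for clarity).
        ssl_verify_client off;
        location / {
            # Forward to the "upstream tomcat" pool.
            proxy_pass http://tomcat;
            # Pass Host and the client address so Tomcat's RemoteIpValve can
            # recover the real client IP from X-Forwarded-For.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # $scheme is always "https" in this block; the duplicate hard-coded
            # "https" line that used to follow was redundant.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # WARNING: a wildcard makes every response readable cross-origin
            # from any site. Restrict it to the origins that need it, or remove
            # it if the application serves no cross-origin API calls.
            add_header Access-Control-Allow-Origin *;
            proxy_redirect off;
            proxy_buffer_size 64k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
        }
    }
}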
问题:加载js,css,图片报net::ERR_CONTENT_LENGTH_MISMATCH错误
首先看nginx错误日志,看看是否有这样的错误
*60 open() "/usr/local/nginx3/proxy_temp/2/00/0000000002" failed (13: Permission denied) while reading upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET /resource/js/jquery.easyui.min.js HTTP/1.1", upstream: "http://127.0.0.1:8083/resource/js/jquery.easyui.min.js", host: "xx.xx.xx.xx", referrer: "https://xx.xx.xx.xx/"
可以看到(13: Permission denied)和min.js等信息:nginx worker进程(以user指令指定的用户运行)对proxy_temp目录没有写权限,缓冲上游响应时写入失败、连接被中断,浏览器因此报ERR_CONTENT_LENGTH_MISMATCH。
接下来把proxy_temp目录的属主改为nginx worker实际使用的用户。注意:不要为了绕过这个错误改成以root运行nginx——worker进程直接处理外部流量,一旦被攻破攻击者就直接拿到root权限。下面以nginx编译时的默认用户nobody为例,请换成你配置中user指令指定的用户。
- 首先停止nginx
# Stop the running nginx master process (and its workers) before changing ownership
/usr/local/nginx/sbin/nginx -s stop
2.检查nginx.conf(注意文件名是nginx.conf,不是nginx.config)中的user指令,确保worker以非root用户运行
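# Keep the workers unprivileged; do not switch to "user root;" to get around the
# proxy_temp permission error. "nobody" is nginx's compiled-in default - use
# whatever account your nginx actually runs as.
user nobody;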
3.把proxy_temp目录的属主改为该用户(在nginx安装目录下执行)
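# Give proxy_temp to the nginx worker user named by the "user" directive, not to
# root. Replace nobody:nobody with your actual worker user/group; run this from
# the nginx prefix directory (/usr/local/nginx here) where proxy_temp lives.
chown -R nobody:nobody proxy_temp/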
4.先用/usr/local/nginx/sbin/nginx -t检查配置无误,再启动nginx