Generating the SSL certificate files
1. Using a free SSL certificate
You can use https://gethttpsforfree.com/
to obtain a free certificate valid for 3 months and renew it periodically with a script; details can be found online. The drawback is that domain validation must use port 80 on the server, and for individual users in China that port is usually blocked.
2. Using a self-signed SSL certificate
The generation steps below are taken from other people's articles:
$ mkdir ssl
$ cd ssl
# Generate the private key, passphrase-protected for now. Use 2048 bits: 1024-bit RSA keys are rejected by modern clients.
$ openssl genrsa -des3 -out domain.key 2048
# Create the certificate signing request; replace CN=domain with the real host name.
$ openssl req -new -subj /C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=domain -key domain.key -out domain.csr
# Strip the passphrase so nginx can start without prompting, then delete the encrypted copy.
$ mv domain.key domain.origin.key
$ openssl rsa -in domain.origin.key -out domain.key
$ rm -f domain.origin.key
# Self-sign the request with the key; the certificate is valid for 10 years.
$ openssl x509 -req -days 3650 -in domain.csr -signkey domain.key -out domain.crt
The domain.key and domain.crt in the ssl folder are the certificate files nginx will use; place the ssl folder under nginx's conf directory.
Configuration 1: Nginx and Tomcat on the same machine
1. nginx configuration
The configuration file is as follows:
# Tomcat's plain-HTTP connector on the same host
upstream webapp {
    server localhost:8080;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate ssl/domain.crt;
    ssl_certificate_key ssl/domain.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Rewrite http:// in upstream Location headers to the scheme the client used
    proxy_redirect http:// $scheme://;
    port_in_redirect on;
    location / {
        proxy_pass http://webapp;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Tomcat (via RemoteIpValve) that the client connection was HTTPS
        proxy_set_header X-Forwarded-Proto https;
    }
}
2. Tomcat configuration
Add a Valve inside the Engine element of server.xml, as follows:
<Engine defaultHost="localhost" name="Catalina">
    <!-- For nginx proxy of https -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto"/>
    ...
</Engine>
Configuration 2: Nginx and Tomcat on different machines
1. nginx configuration
The configuration file is as follows:
# Tomcat's dedicated 8443 connector on the other machine (plain HTTP between nginx and Tomcat)
upstream webapp {
    server 192.168.1.180:8443;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate ssl/domain.crt;
    ssl_certificate_key ssl/domain.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Rewrite http:// in upstream Location headers to the scheme the client used
    proxy_redirect http:// $scheme://;
    port_in_redirect on;
    location / {
        proxy_pass http://webapp;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Tomcat (via RemoteIpValve) that the client connection was HTTPS
        proxy_set_header X-Forwarded-Proto https;
    }
}
2. Tomcat configuration
Add a Connector on port 8443 to server.xml with scheme set to https, and add a Valve inside the Engine, as follows:
<!-- For nginx proxy of https -->
<Connector port="8443" protocol="HTTP/1.1" scheme="https"/>
<Engine defaultHost="localhost" name="Catalina">
    <!-- For nginx proxy of https -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto"/>
    ...
</Engine>
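In both configurations the webapp only sees the real client address and the https scheme because RemoteIpValve rewrites them from the X-Forwarded-For and X-Forwarded-Proto headers nginx sets, and it does so only when the TCP peer is inside its internalProxies ranges (by default the RFC 1918 ranges plus loopback, which covers both localhost and 192.168.1.x). The following Python model of that decision is an added example, not Tomcat code or code from the original post; the function and field names are my own, and the default network list approximates Tomcat's default internalProxies pattern.

```python
import ipaddress

# Tomcat's default internalProxies (RFC 1918, loopback, link-local, IPv6 loopback),
# re-expressed as networks. This models the Valve's behaviour; it is not Tomcat code.
DEFAULT_INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
    "172.16.0.0/12", "::1/128")]


def _is_internal(addr, proxies):
    """True if addr parses as an IP inside one of the proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def resolve_request(remote_addr, headers, connector_port=8080,
                    internal_proxies=DEFAULT_INTERNAL_PROXIES):
    """Return what the webapp sees after the Valve: client IP, scheme, isSecure, port.

    headers: dict with lower-case names matching the Valve's remoteIpHeader
    ("x-forwarded-for") and protocolHeader ("x-forwarded-proto") settings.
    """
    view = {"remote_addr": remote_addr, "scheme": "http",
            "secure": False, "server_port": connector_port}
    # The headers are only honoured when the TCP peer is a known proxy; a client
    # that reaches the Tomcat connector directly cannot forge them.
    if not _is_internal(remote_addr, internal_proxies):
        return view
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
            if h.strip()]
    # Walk right to left, skipping our own proxies; the first other hop is the client.
    for hop in reversed(hops):
        if not _is_internal(hop, internal_proxies):
            view["remote_addr"] = hop
            break
    # X-Forwarded-Proto: https flips scheme/secure and the port the app sees to 443,
    # which is what makes Tomcat-generated redirects and secure cookies correct.
    if headers.get("x-forwarded-proto", "").lower() == "https":
        view.update(scheme="https", secure=True, server_port=443)
    return view


if __name__ == "__main__":
    # Configuration 1: nginx on the same host forwards a browser at 203.0.113.5 (constructed).
    print(resolve_request("127.0.0.1", {"x-forwarded-for": "203.0.113.5",
                                         "x-forwarded-proto": "https"}))
    # Direct hit on the 8443 connector with forged headers (constructed): nothing is trusted.
    print(resolve_request("203.0.113.9", {"x-forwarded-for": "10.0.0.1",
                                           "x-forwarded-proto": "https"}, 8443))
```

If the nginx host is not in those default ranges, set internalProxies on the Valve explicitly, and keep the 8443 connector reachable only from nginx, since the hop from nginx to Tomcat is plain HTTP.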