I. The environment is OneinStack version 1.6.1
Software version details: (user manual)
- Nginx 1.12.0
- Tomcat 7.0.77 or 8.0.43
- JDK 1.8.0_121, 1.7.0_80, 1.6.0_45
- MySQL 5.6.36
- Redis 3.2.8
- Memcached 1.4.36
- Jemalloc 4.5.0
- Pure-FTPd 1.0.45
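II. Approach: Tomcat needs no SSL configuration; only Nginx is configured
III. Detailed steps
1. Use the free DV SSL certificate from Alibaba Cloud (the application procedure is omitted here); switch over once the application succeeds.
2. Create a cert directory under the Nginx installation directory and copy all of the downloaded files into it.
3. Configuration: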
server {
    # TLS terminates here; Tomcat stays on plain HTTP behind nginx
    listen 443;
    server_name localhost;
    ssl on;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.jsp;
    # certificate and private key copied into the cert directory in step 2
    ssl_certificate /usr/local/nginx/conf/cert/214179206610093.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/214179206610093.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    error_page 404 /404.html;
    error_page 502 /502.html;
    # status page, reachable from the local host only
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    # static files are served by nginx with client-side caching
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
    # all other requests are proxied to Tomcat on the loopback interface
    location ~ {
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;
    }
    location ~ /\.ht {
        deny all;
    }
}
4. Restart nginx
Appendix: contents of proxy.conf:
proxy_connect_timeout 300s;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 32k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_redirect off;
proxy_hide_header Vary;
proxy_set_header Accept-Encoding '';
proxy_set_header Referer $http_referer;
proxy_set_header Cookie $http_cookie;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Note: first make sure that port 443 is open.
When the certificate expires, renew it and replace the certificate files in: /usr/local/nginx/conf/cert
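
A tightened variant of the server block from step 3, shown next to the original for comparison. This is an added example, not the original post's configuration; example.com is a placeholder server name, and the cipher list assumes the certificate carries an RSA key.

```nginx
# Added example, not the original post's configuration.
# Assumption: example.com is a placeholder server_name.

# Port 80 only redirects, so clients never talk to the site unencrypted.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;    # replaces "listen 443;" plus the older "ssl on;"
    server_name example.com;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.jsp;

    ssl_certificate     /usr/local/nginx/conf/cert/214179206610093.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/214179206610093.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Nginx 1.12 cannot offer
    # TLS 1.3, so TLS 1.2 is the only protocol left enabled.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. Assumption: the certificate has an RSA key.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    error_page 404 /404.html;
    error_page 502 /502.html;

    location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; }
    location ~ /\.ht { deny all; }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ { expires 30d; access_log off; }
    location ~ .*\.(js|css)?$ { expires 7d; access_log off; }

    # Prefix location: the regex locations above are tried first, the rest is proxied.
    location / {
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;
        # Tomcat only sees plain HTTP from nginx. Pass the original scheme so the
        # application can build https:// redirects and mark cookies Secure
        # (needs matching Tomcat configuration, e.g. RemoteIpValve protocolHeader).
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t before restarting so a syntax error does not take the site down.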