nginx tomcat ssl
一、生成证书(如已有证书,可略过)
1. 通过keytool 生成密钥库 【注意 CN 为服务端访问域名地址或者IP地址或者主机名 比如 config.ebnew.com】(密钥库密码 为:bidconfig)
keytool-genkey-aliasconfigserver-keystoreconfigstore.jks-keypassbidconfig-storepassbidconfig-keyalgRSA -validity 7300 -v -dname "CN =config.ebnew.com,O = BID,DC = Server Https,DC = BID,OU = Firefly Technology And Operation"
2. 通过keytool将密钥库导出为P12 (密钥库密码为:bidconfig, p12 密钥库密码为:bidconfig)
keytool -importkeystore -srckeystore configstore.jks -destkeystore config.p12 -srcstoretype JKS -deststoretype PKCS12 - srcstorepass bidconfig -deststorepass bidconfig -srcalias configserver -destalias configserver -srckeypass bidconfig - destkeypass bidconfig -noprompt
3.根据pkcs12 (config.p12) 生成证书请求 config.pem (密码都为 bidconfig. 根据自己需要定义out密码) openssl pkcs12 -in config.p12 -out config.pem -passin pass:bidconfig -passout pass:bidconfig
4. 根据p12 密钥库分别导出 服务端私钥,与服务端证书以及客服端证书(双向认证时使用)。 openssl pkcs12 -in config.p12 -nodes -nocerts -out server.key
openssl pkcs12 -in config.p12 -nodes -nokeys -clcerts -out server.crt
openssl pkcs12 -in config.p12 -nodes -nokeys -cacerts -out client.crt
5.通过keytool 将服务端证书导入到客服端(java) 密钥库。密钥库密码设置为 liu999,方便java客服端使用 keytool -import -alias configTrustServer -file server.crt -keystore configclient.jks -storepass liu999
6. 如果是浏览器访问跳过安全检查
keytool -import -file ./server.crt -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -alias config -trustcacerts
二、 nginx (192.168.0.182在这个主机上安装nginx)
1.安装
安装文件nginx-1.8.0.tar.gz
解压到 /home/ci/nginx-1.8.0
yum -y install pcre-devel
yum -y install make gcc gcc-c++ ncurses-devel yum -y install zlib zlib-devel
yum -y install openssl openssl-devel
安装目录:/home/ci/nginx
./configure --prefix=/home/ci/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module
make
make install
查看文件是否正确
sudo /home/ci/nginx/sbin/nginx -t 启动服务
sudo /home/ci/nginx/sbin/nginx
停止服务
sudo /home/ci/nginx/sbin/nginx -s stop sudo pkill -9 nginx
加载配置文件
sudo /home/ci/nginx/sbin/nginx -s reload 查看进程
ps -ef|grep nginx
2. 修改配置 /home/ci/nginx/conf/nginx.conf
http {
include mime.types;
default_type application/octet-stream;
sendfile on; keepalive_timeout 65;
server {
listen 80;
server_name localhost;
rewrite^(.*)$https://$host$1permanent; //自动将http请求,转到https
#location / {
#root html;
#index index.html index.htm;
#proxy_pass http://192.168.0.182:7080/maven-web-demo/;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html #
error_page 500502503504 /50x.html;
location = /50x.html {
root html; }
}
# HTTPS server #
server {
listen 443 ssl; server_name localhost;
ssl_certificate /home/ci/server.crt; 证书 ssl_certificate_key /home/ci/server.key; 秘钥
ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;
# #
ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;
location / { root html;
index index.html index.htm;
proxy_pass http://192.168.0.182:7080/maven-web-demo/;
} }
9. tomcat 配置
<Connector port="7080" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" proxyPort="443"/>
三、测试 浏览器访问地址 http://192.168.0.182 https://192.168.0.182
四、生产环境 若是生产环境注意域名解析后指定的机器映射配置
[~]$ sudo yum -y install pcre-devel
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=6&arch=x86_64&repo=os error was 14: PYCURL ERROR 6 - "Couldn't resolve host 'mirrorlist.centos.org'"
Error: Cannot find a valid baseurl for repo: base
如果配置的DHCP动态网络,则在/etc/resolv.conf文件中添加 nameserver 8.8.8.8
参考网址:
NGINX配置HTTPS加密访问–自签CA » 月飞博客 (生成证书)
Nginx开发从入门到精通 — Nginx开发从入门到精通 (最全的,可以当本书来看)
nginx + tomcat + java SSL客服端 - 市井之思维,不适于高远之欲。 - 开源中国社区
Linux+Nginx/Apache/Tomcat新增SSL证书,开启https访问教程 | 张戈博客
ngx_http_ssl_module Nginx配置文件nginx.conf中文详解 - - ITeye技术网站
转载:nginx proxy_pass 里的”/” - 那年那月 - 博客园 (重点,必看)
Nginx学习笔记 - mcj8089 - ITeye技术网站 (可看)