Enabling HTTPS for iServer with the Default Nginx Build (Without Installing the sub_filters Extension Module)

Author: 陈陈敏CHEN

Contents

1. Environment

2. Confirming the Nginx build

3. Configuration details

4. Complete configuration

5. Verifying the configuration


Introduction: In an earlier article we recommended the sub_filters extension module for enabling HTTPS on iServer. That module has to be installed separately, however, and many customers are unwilling to rebuild Nginx for project reasons. How, then, do we enable HTTPS for iServer in that situation? Let me walk through the configuration below.

1. Environment

  • iServer: supermap-iserver-11.2.0-linux-x64
  • Nginx: nginx/1.24.0
  • Operating system: CentOS-7-x86_64

2. Confirming the Nginx build

  • If --with-http_ssl_module appears in the output, the build supports SSL:
[root@iServer nginx-1.24.0]# /usr/local/webserver/nginx/sbin/nginx -V
nginx version: nginx/1.24.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module

3. Configuration details

  • Nginx HTTPS configuration (nginx.conf)
server {
    # Listen for SSL connections on port 8443
    listen       8443  ssl;
    # Server name; localhost here, fill in according to the actual machine
    server_name  localhost;
    # SSL certificate file
    ssl_certificate      mynginx.pem;
    # SSL private key file
    ssl_certificate_key  mynginx.key;
    # Shared SSL session cache of 1 MB
    ssl_session_cache    shared:SSL:1m;
    # SSL session timeout of 5 minutes
    ssl_session_timeout  5m;
    # Supported SSL/TLS protocol versions
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # Cipher suites: prefer stronger suites and disable weak algorithms
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;

    # ip/domain:port, forward the host name and port to the backend server
    proxy_set_header Host $host:$server_port;
    # Forward the real client IP address
    proxy_set_header X-Real-IP $remote_addr;
    # Also forward the remote host address
    proxy_set_header REMOTE-HOST $remote_addr;
    # Forward the list of IP addresses the request passed through
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Indicate that the original protocol was HTTPS
    proxy_set_header X-Forwarded-Proto https;

    location / {
        # Rewrite http:// in backend redirects to https://
        proxy_redirect http:// https://;
        # Forward requests to the backend server on port 8090
        proxy_pass http://172.16.13.234:8090;
    }
    # Request handling for static files
    location ~ .*\.(js|css|jpg|png|json|svg)$ {
        proxy_pass http://172.16.13.234:8090;
        # Set the response expiry to 30 minutes
        expires 30m;
    }
}
  • Tomcat configuration (server.xml; in the iServer package it is located at /iServer/conf/server.xml)
<!-- Add this Valve under Server > Service > Engine > Host -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpServerPort="X-Forwarded-Port"
       httpsServerPort="8443" />

Key parameters:

  • remoteIpHeader: the HTTP header that carries the real IP of the remote client, set here to X-Forwarded-For; this header is normally set by a reverse proxy or load balancer to pass on the real client IP
  • protocolHeader: the header used to determine the request protocol (http or https), here X-Forwarded-Proto; this is essential for determining which protocol a request used, especially when running in mixed mode (both HTTP and HTTPS)
  • protocolHeaderHttpsValue: the value of protocolHeader that marks an HTTPS request, here https, so that Tomcat correctly recognises requests that arrived over a secure channel
  • httpServerPort: the port of HTTP requests, determined by the X-Forwarded-Port header, which is usually set by the load balancer
  • httpsServerPort: explicitly declares the port for HTTPS requests, set to 8443, one of the default HTTPS ports used by Tomcat; change it as needed
  • Placing the <Valve> inside or outside <Host> has different effects: inside <Host> the Valve applies only to that particular Host; outside it, the Valve applies to every Host under the current Engine. Placing it inside <Host> is recommended
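As an added illustration (not code from the article, iServer or Tomcat), the following Python model shows how the headers set by the nginx.conf above are interpreted by RemoteIpValve: forwarded headers are honoured only when the TCP peer matches the internalProxies networks, and X-Forwarded-For is walked from the right, so a value a client adds itself never wins. The internalProxies ranges and the valve walk are a simplified re-implementation for illustration; the addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, Tuple

# Networks matched by RemoteIpValve's default internalProxies pattern
# (RFC 1918 ranges plus loopback and link-local); simplified model.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "172.16.0.0/12",
)]


def is_internal_proxy(ip: str) -> bool:
    """True if ip falls inside one of the internalProxies networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_PROXIES)


def nginx_forward_headers(client_ip: str, client_xff: str = "") -> Dict[str, str]:
    """Headers the article's nginx.conf adds before proxy_pass (constructed model).
    $proxy_add_x_forwarded_for appends the TCP peer to any X-Forwarded-For the
    client already sent, so a client-supplied value is never the rightmost hop."""
    xff = f"{client_xff}, {client_ip}" if client_xff else client_ip
    return {"X-Forwarded-For": xff, "X-Forwarded-Proto": "https",
            "X-Real-IP": client_ip}


def remote_ip_valve(peer_ip: str, headers: Dict[str, str],
                    connector_port: int = 8090,
                    https_port: int = 8443) -> Tuple[str, str, int]:
    """Return (remote_addr, scheme, server_port) as the Valve exposes them.
    Headers are used only when the TCP peer is an internal proxy; the
    X-Forwarded-For list is walked from the right, skipping internal hops."""
    if not is_internal_proxy(peer_ip):
        # Direct connection from outside: headers ignored, connector values win
        return peer_ip, "http", connector_port
    remote = peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    while hops:
        remote = hops.pop()          # rightmost hop is what the trusted proxy saw
        if not is_internal_proxy(remote):
            break
    if headers.get("X-Forwarded-Proto", "").lower() == "https":
        return remote, "https", https_port
    return remote, "http", 80        # httpServerPort default for plain HTTP
```

The last check in the test below is the caveat: any host inside the internalProxies ranges that reaches port 8090 directly can set these headers, so narrow internalProxies to the Nginx host or firewall 8090 so only Nginx can reach it.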

4. Complete configuration

  • Nginx nginx.conf
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        listen       8443  ssl;
        server_name  localhost;
        ssl_certificate      mynginx.pem;
        ssl_certificate_key  mynginx.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;

        # ip/domain:port
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        location / {
            proxy_redirect http:// https://;
            proxy_pass http://172.16.13.234:8090;
        }

        location ~ .*\.(js|css|jpg|png|json|svg)$ {
            proxy_pass http://172.16.13.234:8090;
            expires 30m;
        }
    }
}
  • Tomcat server.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8015" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8090" protocol="HTTP/1.1"
               relaxedQueryChars="[]|{}"
               relaxedPathChars="[]|{}"
               connectionTimeout="8000"
               redirectPort="8453"
               executor="tomcatThreadPool"
               enableLookups="false" 
               URIEncoding="utf-8"
               compression="on"
               compressionMinSize="2048"
               compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/javascript,application/xml,application/json,application/rjson"
               />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- Do not display exception details or server info -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <!-- Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" / -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="X-Forwarded-For"
               protocolHeader="X-Forwarded-Proto"
               protocolHeaderHttpsValue="https"
               httpServerPort="X-Forwarded-Port"
               httpsServerPort="8443" />

      </Host>
    </Engine>
  </Service>
</Server>

5. Verifying the configuration

  • Start iServer and Nginx, then open https://ip:8443 in a browser to confirm that the configuration works
