1.申请https证书
https的证书在阿里云现在可以免费申请,最多一个服务器可以申请15个。
申请下来后可以在阿里云的后台,下载到 215080384110964.key 215080384110964.pem
2.配置nginx
#user nobody;
worker_processes 1;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
client_max_body_size 20m;
#access_log logs/access.log main;
sendfile on;
#gzip on;
server{
listen 80;
listen 443 default ssl;
root /www/server/apache-tomcat-8.5.32/webapps/ROOT/;
location ~ .*.(ico|png|gif|jpg|jpeg|png|bmp|swf|css|js|html)$ {
expires 30d;
}
ssl_certificate ssl_tb/215080384110964.pem;
ssl_certificate_key ssl_tb/215080384110964.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
server_name app.guanzistory.com;
location =/
{
rewrite / /i;
}
location / {
root html;
index index.html index.htm;
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
}
3.完成
listen 80;
2.listen 443 default ssl;
nginx可以监听两个端口,同时监听80和443
ssl_certificate ssl_tb/215080384110964.pem;
ssl_certificate_key ssl_tb/215080384110964.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl的配置,主要是以上部分
1.proxy_set_header X-Forwarded-Proto https;
以上配置,实现了在nginx端的https解密,到了tomcat端,就不用处理了。