Deploying a front-end/back-end separated project over HTTPS on Windows (Nginx and Tomcat)
1. Generate the server private key (Key) and certificate (CRT)
We use OpenSSL to generate a self-signed certificate. Advantage: it is free. Disadvantage: browsers will block it and show a warning; if you do not mind that, you can use it.
- Install OpenSSL on Windows
- Generate the key and certificate with OpenSSL
- Generate the server key; follow the prompts to set the passphrase and certificate information
openssl # opens the OpenSSL interactive prompt
genrsa -des3 -out server.key 2048
- server.key: name of the generated key, can be customised
D:\usr>openssl
OpenSSL> genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
- Generate the CSR file and enter the certificate information (region, organisation, etc.; any values are fine)
req -new -key server.key -out mycert.csr
- server.key: the key generated in step 1
- mycert.csr: name of the generated CSR file, can be customised
OpenSSL> req -new -key server.key -out romscert.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (e.g. server FQDN or YOUR name) []:cn
Email Address []:cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******
An optional company name []:****
- Remove the passphrase from the key (server.key); if you do not, nginx will prompt for the key passphrase every time it starts
rsa -in server.key -out server_no_passwd.key
- server.key: the key file generated in step 1
- server_no_passwd.key: name can be customised; the key passphrase must be entered to remove it
OpenSSL> rsa -in server.key -out server_no_passwd.key
Enter pass phrase for server.key:
writing RSA key
- Generate the CRT certificate
x509 -req -days 365 -in mycert.csr -signkey server_no_passwd.key -out mycert.crt
- 365: validity in days, set as you like
- mycert.csr: the CSR file generated in step 2
- server_no_passwd.key: the passphrase-free key generated in step 3
- mycert.crt: name of the generated certificate, can be customised
OpenSSL> x509 -req -days 1095 -in mycert.csr -signkey server_no_passwd.key -out mycert.crt
Signature ok
subject=C = cn, ST = cn, L = cn, O = cn, OU = cn, CN = cn, emailAddress = cn
Getting Private key
- Check the generated files
You should now see four files in the folder; mycert.crt and server_no_passwd.key are the two needed in the following steps.
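The four OpenSSL steps above as one non-interactive script, followed by the checks worth running before handing the files to nginx and Tomcat (key and certificate actually belong together, the passphrase is really gone, the validity window is what you expect). This is an added example and not part of the original post; it assumes a POSIX shell with openssl on PATH (for example Git Bash on Windows), and the passphrase "changeit", the output directory and CN=localhost are constructed sample values.

```shell
# gen_self_signed DIR DAYS: runs steps 1-4 of the post and leaves
# server.key, mycert.csr, server_no_passwd.key and mycert.crt in DIR.
gen_self_signed() {
    dir=$1; days=$2
    mkdir -p "$dir"
    # Step 1: passphrase-protected key ("changeit" is a constructed sample passphrase).
    openssl genrsa -des3 -passout pass:changeit -out "$dir/server.key" 2048 2>/dev/null
    # Step 2: CSR; -subj supplies the DN fields instead of the interactive prompts.
    openssl req -new -key "$dir/server.key" -passin pass:changeit \
        -subj "/C=cn/ST=cn/L=cn/O=cn/OU=cn/CN=localhost" -out "$dir/mycert.csr"
    # Step 3: strip the passphrase so nginx/Tomcat can start unattended.
    openssl rsa -in "$dir/server.key" -passin pass:changeit \
        -out "$dir/server_no_passwd.key" 2>/dev/null
    # Step 4: self-sign the CSR with the stripped key.
    openssl x509 -req -days "$days" -in "$dir/mycert.csr" \
        -signkey "$dir/server_no_passwd.key" -out "$dir/mycert.crt" 2>/dev/null
}

# key_matches_cert DIR: succeeds only if the RSA modulus in mycert.crt equals
# the one in server_no_passwd.key, i.e. nginx will be serving the right pair.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1/mycert.crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$1/server_no_passwd.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# key_has_no_passphrase DIR: the stripped key must load with a deliberately wrong
# passphrase; an encrypted key would fail here and make nginx prompt at startup.
key_has_no_passphrase() {
    openssl rsa -noout -in "$1/server_no_passwd.key" -passin pass:wrong 2>/dev/null
}

# cert_valid_for_days DIR N: succeeds if mycert.crt is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/mycert.crt" >/dev/null 2>&1
}

# Usage: . ./gen_cert.sh; gen_self_signed ssl 365 && key_matches_cert ssl && echo ok
```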
2. nginx configuration
Open nginx's conf/nginx.conf and configure it as follows:
server {
    listen 80 ssl;          # listening port + ssl (the author uses 80 here; 443 is the conventional HTTPS port)
    server_name localhost;
    ssl_certificate ../ssl/mycert.crt;               # certificate path, absolute or relative to the nginx install directory; if startup fails, check the error log
    ssl_certificate_key ../ssl/server_no_passwd.key; # key file path, same as above
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 15m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    error_page 497 https://$host:$server_port$request_uri; # plain http on the ssl port -> redirect to https ($request_uri keeps the query string)

    location / {
        root html;
        index index.html index.htm;
    }

    # back-end service
    location /MyServer {
        root html;
        proxy_pass https://ip:port/MyServer; # forward to the back-end address (replace ip:port)
        proxy_set_header Cookie $http_cookie;
        proxy_set_header Remote_Addr $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 100m;
        index index.html index.htm;
    }
}
3. Tomcat configuration
Open Tomcat's conf/server.xml and configure it as follows:
- SSLEnabled="true"
- scheme="https"
- certificateFile="ssl/mycert.crt" (create an ssl folder under the Tomcat directory and put mycert.crt and server_no_passwd.key in it)
- certificateKeyFile="ssl/server_no_passwd.key" (same as above)
- type="RSA"
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" SSLEnabled="true" scheme="https">
    <SSLHostConfig>
        <Certificate certificateFile="ssl/mycert.crt"
                     certificateKeyFile="ssl/server_no_passwd.key"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
4. Start nginx and Tomcat
Start both services; if either reports an error, check that service's error log to locate the problem.