Author: 陈陈敏CHEN
Introduction: In an earlier article we recommended the sub_filter extension module for enabling HTTPS on iServer. That module has to be compiled in separately, however, and many customers are unwilling to rebuild Nginx for project reasons. So how do we enable HTTPS for iServer without it? The configuration is described below.
1. Environment
- iServer: supermap-iserver-11.2.0-linux-x64
- Nginx: nginx/1.24.0
- Operating system: CentOS-7-x86_64
2. Check the Nginx build
- If --with-http_ssl_module appears in the output, the binary supports SSL/TLS
- Also note the OpenSSL version in the output: TLS 1.3 requires OpenSSL 1.1.1 or later, so a build against OpenSSL 1.0.2k will not negotiate TLSv1.3 even if ssl_protocols lists it
[root@iServer nginx-1.24.0]# /usr/local/webserver/nginx/sbin/nginx -V
nginx version: nginx/1.24.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module
3. Configuration
- Nginx HTTPS configuration (nginx.conf)
server {
    # listen for SSL/TLS connections on port 8443
    listen 8443 ssl;
    # server name; replace localhost with the actual host name of the machine
    server_name localhost;
    # SSL certificate file
    ssl_certificate mynginx.pem;
    # SSL private key file
    ssl_certificate_key mynginx.key;
    # shared SSL session cache of 1 MB
    ssl_session_cache shared:SSL:1m;
    # SSL session timeout of 5 minutes
    ssl_session_timeout 5m;
    # SSL/TLS protocol versions offered; TLSv1 and TLSv1.1 are deprecated, so keep them only if
    # legacy clients require them, and TLSv1.3 is only negotiated with OpenSSL 1.1.1 or later
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # cipher suites: a stronger suite is listed first and weak algorithms are disabled
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    # ip/domain:port; pass the host name and port through to the backend
    proxy_set_header Host $host:$server_port;
    # pass the real client IP address
    proxy_set_header X-Real-IP $remote_addr;
    # pass the remote host address as well
    proxy_set_header REMOTE-HOST $remote_addr;
    # pass the chain of proxy addresses the request has traversed
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # tell the backend the original request used HTTPS (this server block only accepts TLS, so a fixed value is correct)
    proxy_set_header X-Forwarded-Proto https;
    location / {
        # rewrite http:// to https:// in the Location header of backend redirects
        proxy_redirect http:// https://;
        # forward requests to the backend on port 8090
        proxy_pass http://172.16.13.234:8090;
    }
    # request handling for static files
    location ~ .*\.(js|css|jpg|png|json|svg)$ {
        proxy_pass http://172.16.13.234:8090;
        # let clients cache these responses for 30 minutes
        expires 30m;
    }
}
- Tomcat configuration (server.xml, located at /iServer/conf/server.xml in the iServer package)
<!-- add this Valve under Server/Service/Engine/Host -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       portHeader="X-Forwarded-Port"
       httpsServerPort="8443" />
# Key parameters:
- remoteIpHeader: the HTTP header that carries the real client IP, here X-Forwarded-For; it is normally set by the reverse proxy or load balancer to pass the actual client address on to Tomcat
- protocolHeader: the header from which the request protocol (http or https) is read, here X-Forwarded-Proto; it is what lets Tomcat determine the protocol, especially when HTTP and HTTPS are both in use
- protocolHeaderHttpsValue: the value of protocolHeader that marks an HTTPS request, here https, so that Tomcat correctly recognises requests that arrived over the secure channel
- portHeader: the header from which the port used by the client is read, here X-Forwarded-Port; it is normally set by a load balancer (the Nginx configuration above does not send it, so the fixed httpsServerPort value below is used)
- httpsServerPort: the port reported for HTTPS requests, explicitly set to 8443, one of the ports Tomcat conventionally uses for HTTPS; adjust it as needed, but it must match the port Nginx listens on so that redirects and absolute URLs built by iServer point back at the proxy
- Placing the <Valve> inside or outside <Host> changes its scope: inside <Host> it applies to that Host only, outside it applies to every Host under the current Engine. Placing it inside <Host> is recommended
- The valve only honours these headers when the connecting peer matches its internalProxies setting (by default the private and loopback address ranges), so make sure port 8090 on the iServer host is reachable only from the Nginx proxy; a client that can reach 8090 directly from such an address could otherwise supply its own forwarding headers
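How the RemoteIpValve turns those headers into what iServer sees, as an added Python model that is not Tomcat's code and not part of the original article: it follows the rules described above (X-Forwarded-For walked right to left past internal proxies, X-Forwarded-Proto compared against protocolHeaderHttpsValue, X-Forwarded-Port overriding the fixed port) and shows that the headers are only honoured when the connecting peer is a trusted internal proxy. The trusted ranges approximate Tomcat's default internalProxies, and every address and header value is constructed.

```python
import ipaddress

# Approximation of Tomcat's default internalProxies: RFC 1918 ranges plus loopback (assumption).
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def is_internal_proxy(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP literal: never treated as a trusted proxy
        return False
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_request(peer_ip, headers, connector_port=8090, https_port=8443, http_port=80):
    """Model of RemoteIpValve: what getRemoteAddr(), getScheme(), isSecure(), getServerPort() report."""
    h = {k.lower(): v for k, v in headers.items()}
    seen = {"remote_addr": peer_ip, "scheme": "http", "secure": False, "server_port": connector_port}
    # Forwarding headers are honoured only when the direct peer is a trusted internal proxy;
    # a client reaching the connector port directly from elsewhere cannot spoof them.
    if not is_internal_proxy(peer_ip):
        return seen
    # remoteIpHeader (X-Forwarded-For): walk right to left, skipping internal proxies; the first
    # other hop is the client. If every hop is internal, the leftmost one is used.
    hops = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    for hop in reversed(hops):
        if not is_internal_proxy(hop):
            seen["remote_addr"] = hop
            break
    else:
        if hops:
            seen["remote_addr"] = hops[0]
    # protocolHeader (X-Forwarded-Proto): every comma-separated value must equal
    # protocolHeaderHttpsValue ("https") for the request to count as secure.
    proto = h.get("x-forwarded-proto")
    if proto is not None:
        secure = all(p.strip().lower() == "https" for p in proto.split(","))
        seen["secure"] = secure
        seen["scheme"] = "https" if secure else "http"
        seen["server_port"] = https_port if secure else http_port
        # portHeader (X-Forwarded-Port) overrides the fixed port when present and numeric.
        port = h.get("x-forwarded-port")
        if port is not None and port.strip().isdigit():
            seen["server_port"] = int(port)
    return seen


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 behind Nginx, which connects from a private address
    # and sends the headers the nginx.conf above sets -> https, port 8443, client 203.0.113.7.
    print(resolve_request("172.16.13.5", {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}))
    # The same headers sent straight to port 8090 from a public address are ignored -> http, 8090.
    print(resolve_request("198.51.100.9", {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}))
```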
4. Complete configuration
- Nginx nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server {
        listen 8443 ssl;
        server_name localhost;
        ssl_certificate mynginx.pem;
        ssl_certificate_key mynginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        # ip/domain:port
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        location / {
            proxy_redirect http:// https://;
            proxy_pass http://172.16.13.234:8090;
        }
        location ~ .*\.(js|css|jpg|png|json|svg)$ {
            proxy_pass http://172.16.13.234:8090;
            expires 30m;
        }
    }
}
- Tomcat server.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8015" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8090" protocol="HTTP/1.1"
relaxedQueryChars="[]|{}"
relaxedPathChars="[]|{}"
connectionTimeout="8000"
redirectPort="8453"
executor="tomcatThreadPool"
enableLookups="false"
URIEncoding="utf-8"
compression="on"
compressionMinSize="2048"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/javascript,application/xml,application/json,application/rjson"
/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- not display exception and server info-->
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<!-- Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" / -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       portHeader="X-Forwarded-Port"
       httpsServerPort="8443" />
</Host>
</Engine>
</Service>
</Server>
5. Verify the configuration
- Start iServer and Nginx, then open https://ip:8443 in a browser to confirm the configuration works; also check that the links and redirects iServer returns use https and port 8443, since producing those correctly is what the RemoteIpValve settings are for