搭建nginx https 反向代理 http tomcat服务实践。

已于 2024-07-20 09:20:18 修改
阅读量574 收藏 1
点赞数 3
文章标签: http nginx https tomcat
于 2024-07-12 17:55:10 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/yo_yolv/article/details/140384676
版权

Nginx安装

1、 配置conf,开启443端口,ssl

	其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置,其他的按正常配置。proxy_set_header X-Forwarded-Proto https 一定要配置好,不然重定向有问题,会重定向到http。
	
	多注意下面配置
	proxy_set_header Host $host:$server_port;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	sub_filter_once off;
	sub_filter_types *;

关键配置如下:

server {
      listen       443 ssl;
       server_name  localhost;
	 # 配置证书
       ssl_certificate      server.crt;
       ssl_certificate_key  server.key.unsecure;

       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5m;

       ssl_ciphers  HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers  on;
	# 代理配置,
	location /xxx/ {
		proxy_redirect off;
		proxy_set_header Host $host:$server_port;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		client_body_buffer_size 128k;
		proxy_buffer_size  4k;
		proxy_buffers 4 32k;
		proxy_busy_buffers_size 64k;
		proxy_temp_file_write_size 64k;
		proxy_connect_timeout 3;
		proxy_send_timeout 30;
		proxy_read_timeout 30;
		sub_filter_once off;
		sub_filter_types *;
		proxy_pass http://127.0.0.1:8080/xxx/;
	}

   }

Tomcat安装配置

配置支持https 关键配置,修改tomcat server.xml文件。

a: 添加重定向端口redirectPort="443" 和代理端口proxyPort="443";否则tomcat https请求重定向,代理有问题

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" 
			   proxyPort="443"
			   />

b:host中加value节点RemoteIpValve 属性如下。    否则你在 Tomcat 中的应用在读取 getScheme () 方法以及在 web.xml 中配置的一些安全策略会不起作用。

<Valve className="org.apache.catalina.valves.RemoteIpValve"
                  remoteIpHeader="x-forwarded-for"
                  remoteIpProxiesHeader="x-forwarded-by"
                  protocolHeader="x-forwarded-proto"
            />

在这里插入图片描述

个人测试完整配置如下

Nginx


#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
 	client_max_body_size 20m;
	client_header_buffer_size 40k;
	open_file_cache max=200 inactive=2h;
	open_file_cache_valid 3h;
	open_file_cache_min_uses 1;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 60;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include mime.types;

    #gzip  on;

	# http配置
    #include nginx_http.conf;


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

	upstream mastery_server {                                                         
		server 127.0.0.1:8081;                                                
		keepalive 2000;
	}
    # HTTPS server
    #
	
	server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key.unsecure;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
		
		location /Mastery/ {
			proxy_redirect off;
			proxy_set_header Host $host:$server_port;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto https;
			client_body_buffer_size 128k;
			proxy_buffer_size  4k;
			proxy_buffers 4 32k;
			proxy_busy_buffers_size 64k;
			proxy_temp_file_write_size 64k;
			proxy_connect_timeout 3;
			proxy_send_timeout 30;
			proxy_read_timeout 30;
			sub_filter_once off;
			sub_filter_types *;
			proxy_pass http://127.0.0.1:8080/Mastery/;
		}

    }

}

Tomcat配置

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" 
			   proxyPort="443"
			   />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <!--<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />-->
		<Valve className="org.apache.catalina.valves.RemoteIpValve"
                  remoteIpHeader="x-forwarded-for"
                  remoteIpProxiesHeader="x-forwarded-by"
                  protocolHeader="x-forwarded-proto"
            />

      </Host>
    </Engine>
  </Service>
</Server>
yo_yolv
关注
详解NGINX访问https跳转到http的解决方法
01-20
问题:浏览器打开https://www.jb51.net/aaa.html,然后跳转到//www.jb51.net/aaa.html 网站架构:用户–https—>nginx代理http—->tomcat/nginx+php nginx待遇发给后端的请求是http协议,后端程序跳转获取到的协议是http,返回一个redirect(http header中带Location://www.jb51.net/aaa.html),浏览器收到location,跳转到了location指定的地方。 解决方法 解决方法1: 在nginx代理中增加一个header,标志用户请求是http还是https,后端
nginx实现Tomcat反向代理
x_976090041的博客
07-23 1297
nginx配置文件的路径在 /usr/local/nginx/conf/nginx.conf,nginx的配置文件主要包括全局块,events块,以及http块。全局块 (从配置文件开始到events块之间的内容,主要会设置一些英雄Nginx服务器整体运行的配置指令)# 这个值越大,可以支持的并发处理器也越多events块(主要影响nginx服务器与用户的网络连接)events {#表示nginx支持的最大连接数是多少。
nginx反向代理tomcat
chenkya的博客
05-21 501
一、实验说明: 实现nginx反代tomcat二、实验准备:nginxtomcat同一台主机,本次使用Centos7,IP地址为192.168.2.137三、安装tomcattomcat是基于java开发的程序,需要运行在jvm中,java是跨平台的语言,java的运行基于各种类库,java早先用于B/S架构上的是applet,在客户端运行,后期发展为servlet,在servlet端运行,但是...
Nginx HTTPS反向代理,开启SNI,proxy_ssl_server_name 和proxy_ssl_name介绍
最新发布
zzhongcy的专栏
07-24 866
Nginx作用反向代理与上游服务器使用HTTPS建连时,默认不启用SNI,使用参数启用;默认不验证上游服务器返回的证书,使用开启上游证书验证后Nginx会使用配置文件中指定的CA验证上游服务器返回证书的合法性,同时也会比对证书中的CommonName信息。
nginx的正向代理反向代理以及tomcat
m0_71178834的博客
07-06 1083
代理:客户端不再是直接访问服务端,通过代理服务器访问服务端。正向代理:面向客户端,我们通过代理服务器的IP地址访问目标范围端。服务端只知道代理服务器的地址,真正的客户端ip可以隐藏。科学上网。server {#设置dns解析地址,解析器的缓存时间300秒,每300秒重新解析一次,关闭ipv6#解析超时的时间3秒#读取代理服务器的超时时间,30s,默认是60s.#向服务端发送数据的超时时间是30s,默认是60s.#和服务器建立连接的超时时间,30s,默认也是60s​。
Nginx代理tomcat
FUYY'S BLOG
10-23 2989
为什么需要为tomcat配置nginx反向代理? 1.当服务器上同时拥有nginxtomcat时,tomcat修改8080端口为80会冲突 2.tomcat不更改监听端口8080即可使用nginx的80端口 3.Nginx对于静态的请求速度上要优于TomcatTomcat不擅长做高并发的静态文件请求处理 以上一篇文章搭建的个人博客网站为例,配置nginx代理tomcat 添加nginx虚拟主机...
如何实现Nginx+Tomcat反向代理与负载均衡
Liu_Fang_Hong的博客
07-03 3956
将工作任务或者访问请求进行平衡,然后分摊到多个单元、服务器或者组件上执行,解决高并发,高可用(单点故障)、扩展性(水平伸缩)的最高解决方案开发人员分别将前段和后端代码都存入自己的代码仓库,由分支进行分类(分支、主分支、分分支)分类储存后,打包上传服务器后端打包工具Maven(打包为War、jar包)前段打包工具Npm、nodejs一般前端打包后会放入/usr/local/nginx/html目录当中(nginx配置)后端的打包回放入在Tomcat服务里的Webapps中私有仓库 gitlab。
Nginx+Tomcat的7层代理和四层代理
DiKL_Y的博客
06-07 2417
Nginxtomcat 的七层代理和4层代理
Nginx代理Tomcat
F0217911的博客
08-22 3188
nginx代理tomcat
部署Nginx服务器,实现对Tomcat服务器的反向代理
chensay的博客
01-20 2501
搭建http网页——Nginx+Tomcat版 实验环境:centos7、搭好tomcat服务(可使用域名加端口号/ip加端口访问我们的tomcat页面)、防火墙关闭 实验目的:部署Nginx反向代理使用域名访问Tomcat的8080系统(不加端口可直接访问) 我们已经搭建Tomcat服务,浏览器也可以加端口访问我们的界面 安装Nginx 安装前我们可以使用whereis nginx查看服务器上是否已经安装了。 安装前准备:c++语言环境,以及openssl、pcre、zlib组件(这里已经安装成功)
使用TomcatNginx搭建视频服务
08-23
整篇文章通过具体的实践案例,详细说明了如何在不同的操作系统上使用TomcatNginx搭建视频服务器,并通过ffmpeg工具处理视频文件以支持HLS协议的视频点播服务。这是一个涉及Web服务器配置、音视频编码和网络安全等...
nginx负载均衡代理多个tomcat搭建实例过程
02-19
"Nginx负载均衡代理多个Tomcat搭建实例过程" 一、Nginx安装与配置 Nginx是一款轻量级的Web服务器,反向代理和负载均衡都是其特色功能。本节主要介绍Nginx的安装和基本配置。 1.1 安装Nginx Nginx提供免费版本,...
keepalived+Nginx+tomcat 搭建集群
08-26
Nginx 主要用于网站服务器,可以提供静态文件服务,同时作为反向代理和负载均衡器,将用户请求分发到多个后端服务器,如 Tomcat 应用服务器。此外,Nginx 还可以用于流媒体服务、邮件服务等。 1.4 Nginx 优缺点 ...
Nginx+keepalived+tomcat集群搭建过程.doc
07-02
Nginx+Keepalived+Tomcat集群搭建】是一个实现服务器高可用和负载均衡的常见方案,旨在解决单点故障问题,防止服务因一台服务器宕机而导致整个系统的崩溃,即所谓的雪崩效应。 首先,我们需要四台服务器,两台...
4. nginx代理单台tomcat服务
weixin_39563769的博客
09-26 2002
nginx代理tomcat
Nginx+Tomcat 实现反向代理
Ever~z 的博客!
06-24 5891
反向代理是指对于客户端而言代理服务器就是原始服务器,并且客户端不需要进行任何特别的设置
Nginx反向代理联动Tomcat实现多实例部署、动静分离、负载均衡
m0_74170357的博客
09-11 1096
动静分离、负载均衡。
nginx】配置将HTTPS请求转换成HTTP
热门推荐
资深全栈开发工程师
08-11 1万+
请注意,要确保后端的HTTP服务已经正常启动,并且能够处理来自Nginx的转发请求。此外,确保防火墙和安全组规则允许Nginx服务器和后端服务之间的通信。替换为你的后端HTTP服务的地址,可以是IP地址或域名。这样,Nginx会将收到的HTTPS请求转发到后端的HTTP服务。这样配置后,当有HTTPS请求访问Nginx时,Nginx会将请求转发到后端的HTTP服务,并将HTTP响应返回给客户端。打开Nginx的配置文件,通常位于。替换为你的SSL证书和私钥的路径。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值