刚开始只做了 http 和 ws;由于小程序必须使用 https 和 wss,只好把服务器的 http 转换为 https,ws 转换为 wss。
首先我们得申请https证书,请参考前面的博客。
第二,全站 https 和 wss 化:
以下是我的配置(tomcat已经支持https端口8999,websocket由单独的tomcat提供端口为10000):
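server
{
    # Plain-HTTP listener: proxies the legacy ws:// endpoint and redirects
    # everything else to HTTPS.
    listen 80;
    #listen [::]:80;
    server_name xxx.com;

    # WebSocket (ws) proxy to the dedicated Tomcat on port 10000.
    # NOTE(review): as the longer prefix, this location wins over the
    # catch-all redirect below, so /webtcpnode/ on port 80 stays unencrypted
    # ws://. Keep it only while clients that cannot use wss:// still exist.
    location /webtcpnode/
    {
        proxy_pass http://127.0.0.1:10000;
        # X-Real-IP is overwritten with the address of the peer connected to nginx.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the backend may trust only the
        # last entry (or X-Real-IP), never the client-supplied part.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): "X-Forward-For" is not the standard header name; kept
        # in case the backend reads it - confirm and drop if unused.
        proxy_set_header X-Forward-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        # HTTP/1.1 plus the Upgrade/Connection headers are required for the
        # WebSocket handshake to pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Two ways to force HTTP to HTTPS.
    # Option ① (disabled): server-level rewrite with a permanent redirect.
    #rewrite ^(.*)$ https://$host$1 permanent;
    # Option ② (active): catch-all location with a temporary (302) redirect.
    # The "②" marker that followed the opening brace in the original was not
    # a comment and would stop nginx from parsing the file.
    # $host comes from the request line / Host header, so the redirect target
    # follows the name the client sent; pin it to a fixed hostname if this
    # server block can receive requests for arbitrary names.
    location / {
        return 302 https://$host$request_uri;
    }

    access_log /home/wwwlogs/xxx.log access;
}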
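server
{
    # TLS listener: terminates HTTPS/WSS and proxies to the two local Tomcats.
    # The "ssl" parameter on listen replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    #listen [::]:443 ssl;
    server_name dev.smart-ism.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/xxx.com;

    # The private key should be readable only by the account that starts nginx.
    ssl_certificate cert/214214075370856.pem;
    ssl_certificate_key cert/214214075370856.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # Append TLSv1.3 when running nginx >= 1.13.0 built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only; the previous "ECDH:AES:HIGH" list also
    # admitted static-RSA key exchange and CBC-mode suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    # Once every client is confirmed to work over HTTPS, consider enabling HSTS:
    #add_header Strict-Transport-Security "max-age=31536000" always;

    # Application traffic goes to the Tomcat HTTPS connector on port 8999.
    location /
    {
        # nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is on; acceptable on loopback, but enable
        # verification if Tomcat ever moves to another host.
        proxy_pass https://127.0.0.1:8999;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        # X-Real-IP is overwritten with the address of the peer connected to nginx.
        proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): "X-Forward-For" is not the standard header name; kept
        # in case the backend reads it - confirm and drop if unused.
        proxy_set_header X-Forward-For $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the backend may trust only the
        # last entry (or X-Real-IP), never the client-supplied part.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        #include proxy-totomcat.conf;
    }

    # WebSocket over TLS (wss) proxy: TLS ends at nginx and the dedicated
    # Tomcat on port 10000 receives plain ws over loopback.
    location /webtcpnode/
    {
        proxy_pass http://127.0.0.1:10000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forward-For $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # HTTP/1.1 plus the Upgrade/Connection headers are required for the
        # WebSocket handshake to pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        #rewrite /webtcpnode/(.*) /$1 break;
        proxy_redirect off;
    }

    # Disabled legacy handling (Apache/PHP backend and static-file expiry),
    # kept for reference.
    #location /
    #{
    # try_files $uri @apache;
    #}
    #location @apache
    #{
    # internal;
    # proxy_pass http://127.0.0.1:88;
    # include proxy.conf;
    #}
    #location ~ [^/]\.php(/|$)
    #{
    # proxy_pass http://127.0.0.1:88;
    # include proxy.conf;
    #}
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    #{
    # expires 30d;
    #}
    #location ~ .*\.(js|css)?$
    #{
    # expires 12h;
    #}

    access_log /home/wwwlogs/xxx.com.log access;
}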
第三,修改 Tomcat 获取代理前客户端信息的方式
具体文档:http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
配置:tomcat的server.xml
Nginx增加以下配置
proxy_set_header Host $host:$server_port; 非80端口 ,用80端口时 不需要$server_port
proxy_set_header X-Real-IP $remote_addr; 非必须,添加此项之后可以在代码中通过request.getHeader("X-Real-IP")获取ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
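Tomcat server.xml 配置(重点在这里)。注意:RemoteIpValve 只会采信来自 internalProxies / trustedProxies 所匹配地址的 X-Forwarded-For 和 X-Forwarded-Proto;internalProxies 的默认值匹配回环地址和常见内网网段,因此应确保 Tomcat 端口只有 nginx 能访问,必要时把 internalProxies 收紧为 nginx 所在的地址。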
<Engine name="Catalina" defaultHost="localhost">
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto"
protocolHeaderHttpsValue="https" httpsServerPort="7001"/> 非80端口时,必须增加httpsServerPort配置,不然request.getServerPort()方法返回 443.
</Engine>
参考:http://blog.csdn.net/vfush/article/details/51086274
http://blog.csdn.net/xiao__gui/article/details/73733797