Nginx下配置https,nginx和tomcat之间走http,浏览器上使用https://域名实现访问,nginx的https端口为443,tomcat的端口是8081/8082/8083
配置如下
# Access-log format used by the three HTTPS vhosts below (their access_log lines
# reference it by the name ssl_wy).
# $remote_addr is the peer nginx actually talked to and is the only trustworthy
# address field here; $http_x_forwarded_for is copied from the client's request
# header and is therefore client-controlled. $request_time (seconds, ms
# resolution) is appended for latency tracking.
log_format ssl_wy '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time';
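# Plain-HTTP front door for wy1.cn: every request is sent to the HTTPS vhost
# with a permanent redirect. `return 301` is nginx's recommended form for a
# fixed redirect (no regex evaluation per request); $request_uri carries the
# original path and query string, so the result matches the former
# `rewrite ^(.*) https://$server_name$1 permanent;`.
server {
    listen 80;
    server_name wy1.cn;
    return 301 https://$server_name$request_uri;
}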
#
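# Plain-HTTP front door for wy2.cn: every request is sent to the HTTPS vhost
# with a permanent redirect. `return 301` is nginx's recommended form for a
# fixed redirect (no regex evaluation per request); $request_uri carries the
# original path and query string, so the result matches the former
# `rewrite ^(.*) https://$server_name$1 permanent;`.
server {
    listen 80;
    server_name wy2.cn;
    return 301 https://$server_name$request_uri;
}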
#
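# Plain-HTTP front door for wy3.cn: every request is sent to the HTTPS vhost
# with a permanent redirect. `return 301` is nginx's recommended form for a
# fixed redirect (no regex evaluation per request); $request_uri carries the
# original path and query string, so the result matches the former
# `rewrite ^(.*) https://$server_name$1 permanent;`.
server {
    listen 80;
    server_name wy3.cn;
    return 301 https://$server_name$request_uri;
}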
#
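# HTTPS vhost for wy1.cn: terminates TLS here and proxies plain HTTP to the
# Tomcat instance on 127.0.0.1:8081.
server {
    # `listen ... ssl` (nginx >= 0.7.14) replaces the deprecated `ssl on;`
    # directive, which newer nginx releases no longer accept.
    listen 443 ssl;
    server_name wy1.cn;
    # HSTS: a browser that has seen this over HTTPS refuses plain HTTP to the
    # host and its subdomains for a year; `always` emits it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Paths are relative to the nginx configuration prefix.
    ssl_certificate 1__.wy.crt;
    ssl_certificate_key 2__wy.key;
    # Shared session cache so resumed connections skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are flagged by the SSL Labs
    # check listed at the end of this page, so only 1.2 is offered. Add TLSv1.3
    # once the nginx/OpenSSL build supports it; older builds reject the value
    # at `nginx -t`.
    ssl_protocols TLSv1.2;
    # Cipher list kept as deployed: GCM suites preferred, EXPORT/RC4/NULL
    # excluded. `!DH` removes finite-field DHE suites; ECDHE suites remain.
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8081;
        # NOTE(review): the notes below the config say Tomcat's server.xml is
        # unchanged, so absolute redirects Tomcat generates may still carry
        # http://; with `proxy_redirect off` nginx forwards them untouched.
        # Confirm the application never emits such redirects, or rewrite the
        # scheme here.
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent;
        # the backend must trust only the last (nginx-added) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Tomcat the original scheme was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # 0 disables buffering of responses to temporary files; responses are
        # limited to the in-memory buffers configured below.
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }

    # Crawler filter by User-Agent. The header is client-supplied, so this is a
    # courtesy filter, not an access control.
    if ($http_user_agent ~* "spider|bot|Yahoo") {
        return 403;
    }

    access_log /home/wwwlogs/https_wy1.cn.log ssl_wy;
}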
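# HTTPS vhost for wy2.cn: terminates TLS here and proxies plain HTTP to the
# Tomcat instance on 127.0.0.1:8082.
server {
    # `listen ... ssl` (nginx >= 0.7.14) replaces the deprecated `ssl on;`
    # directive, which newer nginx releases no longer accept.
    listen 443 ssl;
    server_name wy2.cn;
    # HSTS: a browser that has seen this over HTTPS refuses plain HTTP to the
    # host and its subdomains for a year; `always` emits it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Paths are relative to the nginx configuration prefix.
    ssl_certificate 1__.wy.crt;
    ssl_certificate_key 2__wy.key;
    # Shared session cache so resumed connections skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are flagged by the SSL Labs
    # check listed at the end of this page, so only 1.2 is offered. Add TLSv1.3
    # once the nginx/OpenSSL build supports it; older builds reject the value
    # at `nginx -t`.
    ssl_protocols TLSv1.2;
    # Cipher list kept as deployed: GCM suites preferred, EXPORT/RC4/NULL
    # excluded. `!DH` removes finite-field DHE suites; ECDHE suites remain.
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8082;
        # NOTE(review): the notes below the config say Tomcat's server.xml is
        # unchanged, so absolute redirects Tomcat generates may still carry
        # http://; with `proxy_redirect off` nginx forwards them untouched.
        # Confirm the application never emits such redirects, or rewrite the
        # scheme here.
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Tells Tomcat the original scheme was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        # Appends $remote_addr to any X-Forwarded-For the client already sent;
        # the backend must trust only the last (nginx-added) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # This vhost allows up to 512k of a response to spill to a temporary
        # file and uses longer 180s timeouts than the wy1/wy3 vhosts; kept as
        # deployed.
        proxy_max_temp_file_size 512k;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 512k;
    }

    # Crawler filter by User-Agent. The header is client-supplied, so this is a
    # courtesy filter, not an access control.
    if ($http_user_agent ~* "spider|bot|Yahoo") {
        return 403;
    }

    access_log /home/wwwlogs/https_wy2.cn.log ssl_wy;
}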
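# HTTPS vhost for wy3.cn: terminates TLS here and proxies plain HTTP to the
# Tomcat instance on 127.0.0.1:8083.
server {
    # `listen ... ssl` (nginx >= 0.7.14) replaces the deprecated `ssl on;`
    # directive, which newer nginx releases no longer accept.
    listen 443 ssl;
    server_name wy3.cn;
    # HSTS: a browser that has seen this over HTTPS refuses plain HTTP to the
    # host and its subdomains for a year; `always` emits it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Paths are relative to the nginx configuration prefix.
    ssl_certificate 1__.wy.crt;
    ssl_certificate_key 2__wy.key;
    # Shared session cache so resumed connections skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are flagged by the SSL Labs
    # check listed at the end of this page, so only 1.2 is offered. Add TLSv1.3
    # once the nginx/OpenSSL build supports it; older builds reject the value
    # at `nginx -t`.
    ssl_protocols TLSv1.2;
    # Cipher list kept as deployed: GCM suites preferred, EXPORT/RC4/NULL
    # excluded. `!DH` removes finite-field DHE suites; ECDHE suites remain.
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8083;
        # NOTE(review): the notes below the config say Tomcat's server.xml is
        # unchanged, so absolute redirects Tomcat generates may still carry
        # http://; with `proxy_redirect off` nginx forwards them untouched.
        # Confirm the application never emits such redirects, or rewrite the
        # scheme here.
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Tells Tomcat the original scheme was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        # Appends $remote_addr to any X-Forwarded-For the client already sent;
        # the backend must trust only the last (nginx-added) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # 0 disables buffering of responses to temporary files; responses are
        # limited to the in-memory buffers configured below.
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }

    # Crawler filter by User-Agent. The header is client-supplied, so this is a
    # courtesy filter, not an access control.
    if ($http_user_agent ~* "spider|bot|Yahoo") {
        return 403;
    }

    access_log /home/wwwlogs/https_wy3.cn.log ssl_wy;
}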
重启nginx
service nginx restart
重启nginx后,这三个tomcat的server.xml均无需修改,测试通过
#注:测试环境使用的为正式申请的证书
Https配置检测:
https://www.ssllabs.com/ssltest/
https://www.geocerts.com/ssl_checker