Entering the era of full-site HTTPS: Nginx SSL + Tomcat cluster

Contents:
1. Applying for a Let's Encrypt certificate
2. Nginx support for multi-domain SSL certificates
3. Nginx enforcing HTTPS access (HTTP redirected to HTTPS)
4. Configuring Tomcat

Applying for a free Let's Encrypt SSL certificate with SSL For Free

What is Let's Encrypt

For more detail, see this Jianshu article: "Let's Encrypt SSL Certificate Configuration".

That article describes in detail how to generate an SSL certificate manually, but I personally think it is still quite troublesome. Let me introduce a simpler way to generate one.

Generating a Let's Encrypt certificate with SSL For Free

https://www.sslforfree.com

Enter the domain name to create a free SSL certificate.

Download the verification file, upload it to the server, complete the verification and then download the certificate.

File upload directory

Verification files

After configuring Nginx, click the link in step 5 to check that the verification file is reachable. If it is, click the Download SSL Certificate button to download the certificate.

The main Nginx configuration file nginx.conf is as follows:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    server_tokens off;
    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    include conf.d/*.conf;
}

The Nginx site configuration web.conf is as follows:

upstream tomcat {
    server 127.0.0.1:8080;
}

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    access_log  /home/dev/logs/nginx/web.access.log  main;

    #  error_page  500 502 503 504  /service/tomcat/nginx/504/504.html;
    location /static/ {
        alias /home/dev/www/;
    }
    location ~ /.well-known/ {
        add_header Content-Type text/plain;
        allow all;
        root /home/dev/www/;
    }

    location / {
        proxy_redirect          off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $remote_addr;
        client_max_body_size      20m;
        client_body_buffer_size 128k;
        proxy_connect_timeout   600;
        proxy_send_timeout      600;
        proxy_read_timeout      900;
        proxy_buffer_size       4k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_pass http://tomcat;
    }
}

Summary
1. Compared with obtaining the certificate through a script on the server's command line, this is much simpler: everything is done through a graphical interface, so ordinary users need not worry about affecting the security or stability of the server.
2. The Let's Encrypt SSL certificate obtained this way can be deployed on virtual hosts, VPSes and dedicated servers, in whatever web environment is required.
3. Because a Let's Encrypt certificate is valid for only 90 days, we registered an account with SSL FOR FREE so that we are reminded before expiry; the certificate then has to be renewed and redeployed as prompted.

Nginx supports multi-domain ssl certificates

For Nginx to serve multiple certificates, it must be built with TLS SNI support. You can check this with the following command:

./sbin/nginx -V   (or: /usr/local/nginx/sbin/nginx -V)

Check if Nginx supports TLS SNI

If the output shows TLS SNI support disabled, refer to this article for how to enable it.

Nginx enforces HTTPS access (HTTP redirected to HTTPS)

The certificate zip downloaded from SSL FOR FREE contains the following files:

Downloaded certificate

Here we combine ca_bundle.crt and certificate.crt into a single file, cert_chain.crt (the server certificate must come first):

cat certificate.crt ca_bundle.crt > cert_chain.crt

When merging the files, make sure there is a line break between the end of one certificate and the beginning of the next; otherwise Nginx fails to start with "PEM_read_bio: bad end line".

Merged files require line breaks
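The merge step above, as an added shell example that is not part of the original article: merge_chain writes the leaf certificate followed by the CA bundle and inserts a newline whenever an input file lacks one, which is exactly the condition that produces "PEM_read_bio: bad end line"; check_chain rejects a file in which an END marker runs into a BEGIN marker and otherwise reports how many certificates the file holds. The file names follow the article; verify_chain is an optional extra that assumes OpenSSL is installed and that private.key is the key belonging to certificate.crt.

```shell
#!/bin/sh
# merge_chain.sh - added example; builds cert_chain.crt from the two files in
# the SSL For Free zip and checks the result before nginx is asked to load it.

# merge_chain LEAF BUNDLE OUT
# Writes LEAF (the server certificate, which nginx requires first) followed by
# BUNDLE (the intermediates). If an input does not end with a newline, one is
# added, so the END line of one block never runs into the BEGIN line of the next.
merge_chain() {
    leaf=$1; bundle=$2; out=$3
    : > "$out"            # truncate: rerunning the merge must not duplicate blocks
    for f in "$leaf" "$bundle"; do
        cat "$f" >> "$out"
        # $(tail -c 1 FILE) is empty only when the file's last byte is a newline
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# check_chain FILE
# Fails on the symptom behind "PEM_read_bio: bad end line" (END and BEGIN
# markers on the same line) or on unbalanced markers; otherwise prints the
# number of PEM certificate blocks in the file.
check_chain() {
    file=$1
    if grep -q -e '-----END CERTIFICATE----------BEGIN' "$file"; then
        echo "fused END/BEGIN line in $file" >&2
        return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "unbalanced PEM markers in $file ($begins BEGIN, $ends END)" >&2
        return 1
    fi
    echo "$begins"
}

# verify_chain LEAF BUNDLE KEY   (optional; needs openssl on the host)
# Confirms the leaf chains to a trusted root through the bundle and that the
# private key belongs to the leaf (identical public keys).
verify_chain() {
    leaf=$1; bundle=$2; key=$3
    openssl verify -untrusted "$bundle" "$leaf" || return 1
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh merge_chain.sh certificate.crt ca_bundle.crt cert_chain.crt
if [ "$#" -eq 3 ]; then
    merge_chain "$1" "$2" "$3" && check_chain "$3"
fi
```

Run check_chain against a file produced by a plain cat of two files to see the fused-line case rejected; the merge function is idempotent, so it can be rerun after each 90-day renewal without accumulating stale blocks.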

The Nginx SSL configuration https.conf is as follows:

1. A server block for the domain names on port 80 that forces a redirect to HTTPS
2. A server block listening on port 443 for HTTPS

[root@localhost conf]# cat conf.d/https.conf
upstream tomcats {
    server 127.0.0.1:8088;
}

server {
    listen 80;
    #listen [::]:80;
    server_name ngrok.javen205.1mfy.cn static.javen205.1mfy.cn frp.javen205.1mfy.cn ijpay.javen205.1mfy.cn;

    return 301 https://$host$request_uri;
    #rewrite ^(.*)$  https://$host$1 permanent;
}

server {
    # "ssl on;" is deprecated since nginx 1.15.0 and removed in later releases;
    # the ssl parameter on listen is the supported form.
    listen 443 ssl;
    server_name  ngrok.javen205.1mfy.cn static.javen205.1mfy.cn frp.javen205.1mfy.cn ijpay.javen205.1mfy.cn;
    ssl_certificate /usr/local/nginx/conf/ssl/cert_chain.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/private.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    access_log  /home/dev/logs/nginx/https.access.log  main;

    #  error_page  500 502 503 504  /service/tomcat/nginx/504/504.html;
    location /static/ {
        alias /home/dev/www/;
    }
    location ~ /.well-known/ {
        add_header Content-Type text/plain;
        allow all;
        root /home/dev/www/;
    }

    location / {
        proxy_redirect          off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Pass the original scheme to Tomcat; the RemoteIpValve in server.xml
        # (protocolHeader="X-Forwarded-Proto") relies on this header.
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size      20m;
        client_body_buffer_size 128k;
        proxy_connect_timeout   600;
        proxy_send_timeout      600;
        proxy_read_timeout      900;
        proxy_buffer_size       4k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_pass http://tomcats;
    }
}
[root@localhost conf]#

Configure Tomcat

Add a Valve under the Engine element in Tomcat's server.xml:

<Engine name="Catalina" defaultHost="localhost">
    <!-- When the port is not 80, the httpsServerPort attribute must be added,
         otherwise request.getServerPort() returns 443. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="8088"/>
</Engine>
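With both sides configured, the script below is an added example (not part of the original article) that audits a server-block file such as conf.d/https.conf for the points this setup depends on: the port-80 redirect, deprecated TLS versions, the X-Forwarded-Proto header that the RemoteIpValve above needs in order to treat a request as HTTPS, and the obsolete "ssl on;" form. It assumes only POSIX sh, grep and sed on the Nginx host; the file path is whatever you pass in.

```shell
#!/bin/sh
# audit_https_conf.sh - added example. Static checks over an nginx server-block
# file for the points this article's HTTPS setup depends on. Prints one finding
# per line and returns the number of findings (0 means every check passed).
audit_https_conf() {
    conf=$1
    findings=0
    # Strip comments first so commented-out directives such as "#listen [::]:80;"
    # or "#rewrite ... permanent;" are not mistaken for active configuration.
    body=$(sed 's/#.*$//' "$conf")

    # 1. Plain HTTP must be redirected to https (the article uses return 301).
    if ! printf '%s\n' "$body" | grep -q -E 'return[[:space:]]+30[1278][[:space:]]+https://'; then
        echo "no HTTP-to-HTTPS redirect (return 301 https://...) found"
        findings=$((findings + 1))
    fi

    # 2. TLS versions: TLSv1 and TLSv1.1 are deprecated (RFC 8996); SSLv2/SSLv3 are broken.
    protocols=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' | head -n 1)
    if printf '%s\n' "$protocols" | grep -q -E '(^|[[:space:]])(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
        echo "deprecated protocol version enabled: $(printf '%s' "$protocols" | sed 's/^[[:space:]]*//')"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$protocols" | grep -q -E 'TLSv1\.[23]'; then
        echo "ssl_protocols does not enable TLSv1.2 or TLSv1.3 explicitly"
        findings=$((findings + 1))
    fi

    # 3. Tomcat's RemoteIpValve (protocolHeader="X-Forwarded-Proto") only marks the
    #    request as secure if nginx forwards the original scheme.
    if ! printf '%s\n' "$body" | grep -q -E 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]'; then
        echo "X-Forwarded-Proto is not passed to the upstream (add: proxy_set_header X-Forwarded-Proto \$scheme;)"
        findings=$((findings + 1))
    fi

    # 4. "ssl on;" is deprecated since nginx 1.15.0 and removed in later releases;
    #    the ssl parameter belongs on the listen directive.
    if printf '%s\n' "$body" | grep -q -E '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "obsolete 'ssl on;' directive; use 'listen 443 ssl;' instead"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage: sh audit_https_conf.sh conf.d/https.conf
if [ "$#" -eq 1 ]; then
    audit_https_conf "$1"
fi
```

Run it before nginx -t and after every change to the TLS block; a non-zero exit code makes it usable as a gate in a deployment script. Missing X-Forwarded-Proto is the finding to watch for here, because without it Tomcat builds redirects and request.isSecure() as if the request had arrived over plain HTTP.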

Add a test page test.html to Tomcat's webapps/ROOT directory, as shown below:

References
- Installing a certificate on Nginx
- Nginx supports multi-domain SSL certificates
- Solving the "PEM_read_bio: bad end line" problem when configuring SSL certificates
- Nginx + Tomcat + HTTPS configuration without enabling SSL support on Tomcat
