Nginx + Tomcat + HTTPS: it turns out Tomcat does not need SSL support at all


Reposted from Hongshu (红薯) on OSChina: https://www.oschina.net/question/12_213459


Many of the articles I found online say that to enable HTTPS for Nginx + Tomcat, SSL must be configured on both Nginx and Tomcat. But I kept wondering why it could not be done the following way instead: HTTPS enabled on Nginx, with a plain HTTP connection between Nginx and Tomcat. After a lot of searching I found no answer, and in the end I dutifully configured SSL support on both Nginx and Tomcat.

Recently I bought a new certificate for OSChina that covers the *.oschina.net wildcard domain, and in a lazy mood I asked myself again why Tomcat must be configured for HTTPS. It made no sense. After a painstaking search I finally found a solution, and it turned out to be very simple.

The final scheme is HTTPS between the browser and Nginx, and a plain HTTP connection between Nginx and Tomcat via proxy_pass.

The following is the detailed configuration (Nginx port 80/443, Tomcat port 8080):

The Nginx side of the configuration is nothing special:

upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

# HTTPS server
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /Users/winterlau/Desktop/SSL/oschina.bundle.crt;
    ssl_certificate_key  /Users/winterlau/Desktop/SSL/oschina.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout      240;
        proxy_send_timeout         240;
        proxy_read_timeout         240;
        # note: there is no SSL here, plain HTTP is used towards Tomcat
        proxy_pass http://tomcat;
    }
}

The two critical directives are ssl_certificate and ssl_certificate_key; everything else is configured as usual. The one addition is proxy_set_header X-Forwarded-Proto https; which passes on to Tomcat the fact that the original request arrived over HTTPS.

The main work is on the Tomcat side. Here is the complete server.xml from my test environment:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" proxyPort="443"/>

    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

        <Context path="" docBase="/oschina/webapp" reloadable="false"/>
      </Host>
    </Engine>
  </Service>
</Server>

There is nothing special in the above configuration either, but pay particular attention to proxyPort="443", which is the key point of this whole article; redirectPort must of course also be 443. The <Valve> element is equally important: without it, your application inside Tomcat will get the wrong answer from getScheme(), and the security constraints configured in web.xml will not work.
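To make the interaction between the proxy_set_header lines on the Nginx side and the proxyPort / RemoteIpValve settings on the Tomcat side concrete, here is an added example (illustrative code written for this page, not Tomcat's implementation) that models what a servlet would observe from getRemoteAddr(), getScheme(), isSecure() and getServerPort() for a request on the plain HTTP/1.1 connector. The trusted proxy ranges are assumed to match the valve's default internalProxies setting (private IPv4, loopback, link-local and ::1); the sample requests and addresses are constructed.

```python
import ipaddress

# Address ranges assumed to mirror RemoteIpValve's default internalProxies
# (private IPv4 ranges, loopback, link-local and IPv6 loopback).
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128",
)]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr falls inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def resolve(remote_addr: str, headers: dict, *, valve_enabled: bool = True,
            proxy_port: int = 443, https_server_port: int = 443) -> dict:
    """Simplified model of connector proxyPort plus RemoteIpValve.

    remote_addr is the TCP peer Tomcat sees (Nginx when proxied).
    headers is a dict keyed by lowercase header name (constructed input).
    Returns the values a servlet would read from the request object.
    """
    # Connector proxyPort="443": getServerPort() reports the proxy's port,
    # not the 8080 the connector actually listens on.
    result = {"remote_addr": remote_addr, "scheme": "http",
              "secure": False, "server_port": proxy_port}
    if not valve_enabled:
        # No <Valve>: the forwarding headers are never consulted, so the
        # application sees scheme "http" even behind the HTTPS front end.
        return result

    # The valve only honours the forwarding headers when the immediate peer
    # is itself a trusted proxy; a direct client cannot spoof them.
    if not is_trusted_proxy(remote_addr):
        return result

    # remoteIpHeader="x-forwarded-for": walk the hop list from the right,
    # discarding trusted proxies; the first untrusted hop is the client.
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and is_trusted_proxy(hops[-1]):
        hops.pop()
    if hops:
        result["remote_addr"] = hops[-1]

    # protocolHeader="x-forwarded-proto": "https" marks the request secure
    # and switches the reported port to the valve's httpsServerPort (443).
    if headers.get("x-forwarded-proto", "").strip().lower() == "https":
        result.update(scheme="https", secure=True,
                      server_port=https_server_port)
    return result


if __name__ == "__main__":
    # Constructed sample: browser at 203.0.113.5 talks HTTPS to Nginx, which
    # proxies over plain HTTP from 127.0.0.1 with the headers from the page.
    fwd = {"x-forwarded-for": "203.0.113.5", "x-forwarded-proto": "https"}
    print("via nginx, valve on :", resolve("127.0.0.1", fwd))
    print("via nginx, valve off:", resolve("127.0.0.1", fwd, valve_enabled=False))
    # Direct hit on port 8080 from an untrusted peer claiming https.
    print("direct, header ignored:",
          resolve("203.0.113.5", {"x-forwarded-proto": "https"}))
```

The third case shows why the valve's trust list matters: a peer outside the trusted ranges cannot turn its own plain-HTTP request into a "secure" one by sending X-Forwarded-Proto. Note that the Connector above has no address attribute, so Tomcat still listens on 8080 on all interfaces; the valve protects the header logic, but firewalling port 8080 or binding it to 127.0.0.1 is what keeps clients from bypassing Nginx.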

See? Ridiculously simple!!!
