This is the second day of my participation in the "Nuggets Daily New Plan · June Update Challenge".
Preface:
I was suddenly handed this task: several domain names had to be accessed over HTTPS and forwarded to their services. Doing this with Nginx is actually very simple, and the documentation (Tencent Cloud's as well as Alibaba Cloud's) is complete; the reason I fell into a pit was the strange behaviour of the Nginx server and the detours I took along the way.
1. Detour: enabling SSL in Tomcat
Tencent Cloud Tomcat server certificate configuration
Modify the server.xml file:
```xml
<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="conf\ssl\生产的证书名称我使用相对路径.jks"
    keystoreType="JKS"
    keystorePass="证书对应的密码"
    clientAuth="false"
    sslProtocol="TLSv1+TLSv1.1+TLSv1.2"
    maxThreads="150"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256">
</Connector>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8209" protocol="AJP/1.3" redirectPort="8443" secretRequired="" useBodyEncodingForURI="true" URIEncoding="UTF-8"/>
```
`keystoreType="JKS"`: note that this setting differs from the Alibaba Cloud one; remember to change it accordingly.
```xml
<Engine defaultHost="我的域名" name="Catalina" jvmRoute="tomcat1" URIEncoding="UTF-8">
    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    </Realm>
    <Host name="我的域名" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
</Engine>
```
My colleagues told me this configuration works, and this is exactly where I fell into the pit: once Tomcat was started it occupied port 443 as well, so Nginx failed to start:

```text
bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)
```
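A pre-flight check for this exact pit, added here as an example and not part of the original post: find out which process already listens on port 443 before starting Nginx. The `SAMPLE_NETSTAT` text is constructed to look like `netstat -ano` output on Windows (PIDs and the service on 8209 are made up); on a real Windows host `check_live()` runs `netstat -ano` and feeds its real output to the same parser.

```python
"""Added example, not from the original post: find out which process already listens on
port 443 before starting Nginx. This is the pit described above: Tomcat's SSL connector
had taken the port, so Nginx's bind() failed with error 10013. SAMPLE_NETSTAT is
constructed to look like `netstat -ano` output on Windows (the PIDs are made up)."""
import subprocess
import sys

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       5240
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4132
  TCP    0.0.0.0:8209           0.0.0.0:0              LISTENING       4132
  TCP    127.0.0.1:8001         0.0.0.0:0              LISTENING       3376
  TCP    [::]:443               [::]:0                 LISTENING       4132
  UDP    0.0.0.0:5353           *:*                                    1208
"""


def listeners_on_port(netstat_text, port):
    """Return sorted (local_address, pid) pairs for TCP sockets LISTENING on `port`.

    Windows netstat -ano prints five columns for TCP rows; header, blank and UDP
    rows have a different shape and are skipped.
    """
    hits = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local, pid = parts[1], parts[4]
        if local.rsplit(":", 1)[-1] == str(port):  # works for 0.0.0.0:443 and [::]:443
            hits.add((local, int(pid)))
    return sorted(hits)


def port_is_free(netstat_text, port):
    """True when nothing is listening on `port` in the given netstat output."""
    return not listeners_on_port(netstat_text, port)


def check_live(port=443):
    """On Windows run netstat -ano for real; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True)
        text = out.stdout
    else:
        text = SAMPLE_NETSTAT
    return listeners_on_port(text, port)


if __name__ == "__main__":
    holders = check_live(443)
    if not holders:
        print("port 443 is free, nginx can bind it")
    for addr, pid in holders:
        print(f"port 443 is held by PID {pid} on {addr}; stop that service or move its port before starting nginx")
```

Run it before `nginx.exe` on the host: if it names a PID, `tasklist /FI "PID eq <pid>"` tells you which program (here it would be Tomcat's java process) owns the port, and the fix is to remove the 443 connector from `server.xml` or move it to another port, rather than to fight Nginx's bind error.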
2. Back to the topic
2.1 Overview of Requirements
When several services are deployed on one server (one Tencent Cloud server with a single IP address) and each service has to be reached through its own domain name, the domain names can be forwarded by an Nginx reverse proxy, and HTTPS access can be provided by configuring the SSL module. (My server runs Windows; the Windows build of Nginx has the SSL module enabled by default. If your build lacks it, you have to enable it yourself.)
Three services are deployed on the same server: service A, service B and service C. They need to be configured with the following domain names:
- The domain name pangsir01.domain.com corresponds to service A;
- The domain name pangsir02.domain.com corresponds to service B;
- The domain name pangsir03.domain.com corresponds to service C;
The services are accessed via https, and http requests are redirected to https.
2.2 Service proxy settings
Configure Nginx to listen on port 443 (==this is where I was stuck for a long time without success because of the Tomcat configuration==), implement domain-name forwarding and https access. The certificate used in this example is in crt format.
(1) Configuration of service A
```nginx
server {
    listen 443 ssl;                      # listening port; this form is recommended since Nginx 1.5
    server_name pangsir01.domain.com;    # requested domain name
    ssl_certificate ssl/证书名称A.crt;      # path to the crt certificate, stored under Nginx's conf/ssl folder; an absolute path also works
    ssl_certificate_key ssl/证书名称A.key;  # path to the certificate's key
    ssl_session_timeout 5m;              # session timeout
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL/TLS protocol versions
    # catch all requests
    location / {
        proxy_http_version 1.1;                                   # HTTP version used towards the backend
        proxy_set_header Host $host;                              # pass the requested Host header to the backend
        proxy_set_header X-Real-IP $remote_addr;                  # add the client's source IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # append this proxy to the forwarding chain
        proxy_pass http://127.0.0.1:8001;                         # address of service A
    }
}
```
(2) Configuration of Service B
```nginx
server {
    listen 443 ssl;                      # listening port; this form is recommended since Nginx 1.5
    server_name pangsir02.domain.com;    # requested domain name
    ssl_certificate ssl/证书名称B.crt;      # path to the crt certificate, stored under Nginx's conf/ssl folder; an absolute path also works
    ssl_certificate_key ssl/证书名称B.key;  # path to the certificate's key
    ssl_session_timeout 5m;              # session timeout
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL/TLS protocol versions
    # catch all requests
    location / {
        proxy_http_version 1.1;                                   # HTTP version used towards the backend
        proxy_set_header Host $host;                              # pass the requested Host header to the backend
        proxy_set_header X-Real-IP $remote_addr;                  # add the client's source IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # append this proxy to the forwarding chain
        proxy_pass http://127.0.0.1:8002;                         # address of service B
    }
}
```
(3) Configuration of service C
```nginx
server {
    listen 443 ssl;                      # listening port; this form is recommended since Nginx 1.5
    server_name pangsir03.domain.com;    # requested domain name
    ssl_certificate ssl/证书名称C.crt;      # path to the crt certificate, stored under Nginx's conf/ssl folder; an absolute path also works
    ssl_certificate_key ssl/证书名称C.key;  # path to the certificate's key
    ssl_session_timeout 5m;              # session timeout
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL/TLS protocol versions
    # catch all requests
    location / {
        proxy_http_version 1.1;                                   # HTTP version used towards the backend
        proxy_set_header Host $host;                              # pass the requested Host header to the backend
        proxy_set_header X-Real-IP $remote_addr;                  # add the client's source IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # append this proxy to the forwarding chain
        proxy_pass http://127.0.0.1:8003;                         # address of service C
    }
}
```
2.3 Automatic forwarding of http requests
Add a server block that listens on port 80 and redirects all three domain names to https:
```nginx
server {
    listen 80;                                                                   # listening port
    server_name pangsir01.domain.com pangsir02.domain.com pangsir03.domain.com;  # requested domain names
    return 301 https://$host$request_uri;                                        # redirect to https
}
```
That covers what I needed; the following section is extra material, recorded here for reference.
3. SSL configuration of WebSocket
If service A uses WebSocket (the endpoint is /websocket), the ws protocol has to be replaced by wss, and a separate location block can be added to service A's server configuration to catch the websocket requests and proxy them on their own.
The configuration of service A after the change:
```nginx
server {
    listen 443 ssl;                      # listening port
    server_name pangsir01.domain.com;    # requested domain name
    ssl_certificate ssl/证书名称A.crt;      # path to the crt certificate
    ssl_certificate_key ssl/证书名称A.key;  # path to the certificate's key
    ssl_session_timeout 5m;              # session timeout
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL/TLS protocol versions
    # catch all requests
    location / {
        proxy_http_version 1.1;                                   # HTTP version used towards the backend
        proxy_set_header Host $host;                              # pass the requested Host header to the backend
        proxy_set_header X-Real-IP $remote_addr;                  # add the client's source IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # append this proxy to the forwarding chain
        proxy_pass http://127.0.0.1:8001;                         # address of service A
    }
    # catch websocket requests
    location /websocket {
        proxy_pass http://127.0.0.1:8001;
        proxy_http_version 1.1;                      # the Upgrade handshake needs HTTP/1.1
        proxy_set_header Upgrade $http_upgrade;      # forward the client's Upgrade header
        proxy_set_header Connection "upgrade";       # hop-by-hop header, must be set explicitly
    }
}
```
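A small lint for the kind of Nginx config shown in sections 2.2, 2.3 and 3, added here as an example and not part of the original post or of Nginx itself. It tokenises the server blocks and reports what commonly goes wrong when several HTTPS hosts share one Nginx: a missing `ssl_certificate` or `ssl_certificate_key`, legacy versions in `ssl_protocols` (TLS 1.0 and 1.1 are deprecated by RFC 8996, and the post's `ssl_protocols` line still allows them), a `proxy_pass` target that is not loopback (the backend speaks plain HTTP, so it should only be reachable from the proxy), an HTTPS host that no port-80 server redirects, and a WebSocket location without `proxy_http_version 1.1` plus the `Upgrade` and `Connection` headers. `SAMPLE_CONFIG`, the file names `A.crt`/`B.crt`/`C.crt`, the backend address `10.0.0.5` and the finding codes are all constructed for the demo, with deliberate mistakes so the lint has something to report.

```python
"""Added example, not part of the original post: lint the Nginx server blocks above.
SAMPLE_CONFIG is constructed with deliberate mistakes (legacy TLS on A, a LAN backend
for B, a forgotten key and missing redirect for C)."""
import re

LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

SAMPLE_CONFIG = r"""
server {
    listen 443 ssl;
    server_name pangsir01.domain.com;
    ssl_certificate ssl/A.crt;       # constructed file names
    ssl_certificate_key ssl/A.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions, as in the post
    location / { proxy_http_version 1.1; proxy_set_header Host $host; proxy_pass http://127.0.0.1:8001; }
    location /websocket {
        proxy_pass http://127.0.0.1:8001; proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";
    }
}
server {
    listen 443 ssl; server_name pangsir02.domain.com;
    ssl_certificate ssl/B.crt; ssl_certificate_key ssl/B.key; ssl_protocols TLSv1.2 TLSv1.3;
    location / { proxy_pass http://10.0.0.5:8002; }   # constructed LAN address, not loopback
}
server {
    listen 443 ssl; server_name pangsir03.domain.com;
    ssl_certificate ssl/C.crt; ssl_protocols TLSv1.2;  # ssl_certificate_key forgotten
    location / { proxy_pass http://127.0.0.1:8003; }
}
server { listen 80; server_name pangsir01.domain.com pangsir02.domain.com; return 301 https://$host$request_uri; }
"""


def _tokenize(text):
    """Strip # comments, then split into words, quoted strings and the { } ; punctuation."""
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))


def _parse_block(tokens, i=0):
    """Recursive descent: a block is {'directives': [(name, args)], 'blocks': [(name, args, child)]}."""
    block, cur = {"directives": [], "blocks": []}, []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == ";":
            if cur:
                block["directives"].append((cur[0], cur[1:]))
            cur = []
        elif tok == "{":
            child, i = _parse_block(tokens, i)
            block["blocks"].append((cur[0], cur[1:], child))
            cur = []
        elif tok == "}":
            break
        else:
            cur.append(tok)
    return block, i


def directive(block, name):
    """Arguments of the first directive called `name` in `block`, or None if absent."""
    return next((args for n, args in block["directives"] if n == name), None)


def _backend_host(url):
    """'http://10.0.0.5:8002/x' -> '10.0.0.5'; '[::1]:8001' keeps its brackets."""
    return re.sub(r"^\w+://", "", url).split("/")[0].rsplit(":", 1)[0]


def lint(text):
    """Return (server_name, finding-code) tuples; an empty list means nothing to report."""
    root, _ = _parse_block(_tokenize(text))
    findings, https_names, redirected = [], set(), set()
    for name, _args, srv in root["blocks"]:
        if name != "server":
            continue
        names = directive(srv, "server_name") or ["(unnamed)"]
        label = names[0]
        if any("ssl" in a for n, a in srv["directives"] if n == "listen"):
            https_names.update(names)
            for d in ("ssl_certificate", "ssl_certificate_key"):
                if directive(srv, d) is None:
                    findings.append((label, "missing-" + d))
            if set(directive(srv, "ssl_protocols") or []) & LEGACY_TLS:
                findings.append((label, "legacy-tls"))
        else:  # a plain-HTTP server: does it redirect these names to https?
            ret = directive(srv, "return")
            if ret and ret[0] in ("301", "308") and ret[1].startswith("https://"):
                redirected.update(names)
        for lname, largs, loc in srv["blocks"]:
            if lname != "location":
                continue
            target = directive(loc, "proxy_pass")
            if target and _backend_host(target[0]) not in LOOPBACK:
                findings.append((label, "non-loopback-backend"))
            headers = {a[0] for n, a in loc["directives"] if n == "proxy_set_header" and a}
            if largs[-1].startswith("/websocket") or "Upgrade" in headers:
                if not ({"Upgrade", "Connection"} <= headers and directive(loc, "proxy_http_version") == ["1.1"]):
                    findings.append((label, "websocket-headers"))
    findings += [(n, "no-http-redirect") for n in sorted(https_names - redirected)]
    return findings


if __name__ == "__main__":
    for host, code in lint(SAMPLE_CONFIG):
        print(f"{host}: {code}")
```

The parser only understands the directive/block grammar, not `include` or variables, so run it on the rendered `nginx.conf` before `nginx -t`; the two checks are complementary, since `nginx -t` validates syntax and file paths but says nothing about legacy protocol versions, exposed backends or a host that was forgotten in the port-80 redirect.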