Nginx configuration-SSL
Prepare ssl certificate
You can apply for free certificates directly from the Alibaba Cloud console (20 per year, each with a one-year validity period),
or you can use self-signed certificates. Nginx solves the problem of accessing Https through openssl self-signed certificates and reporting insecure alarms
Configuration example
upstream tomcatserver {
server 127.0.0.1:8801 max_fails=3 fail_timeout=3s;
server 127.0.0.1:8802 max_fails=3 fail_timeout=3s;
}
server {
listen 8888 ssl;
server_name localhost;
ssl_certificate /usr/local/nginx/ssl/nginx.pem;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://tomcatserver/;
client_max_body_size 500m;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// https://;
}
}
Configure mandatory http access to also go https
After configuration, normal access through https, http access error is as follows:
400 Bad Request
The plain HTTP request was sent to HTTPS port
This is caused by a 497 error. Add a configuration as follows to force http access to https, and
error_page 497 301 https://$http_host$request_uri;
redirect 497, 301 and other error codes to https
upstream tomcatserver {
server 127.0.0.1:8801 max_fails=3 fail_timeout=3s;
server 127.0.0.1:8802 max_fails=3 fail_timeout=3s;
}
server {
listen 8888 ssl;
server_name localhost;
ssl_certificate /usr/local/nginx/ssl/nginx.pem;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
error_page 497 301 https://$http_host$request_uri;
location / {
proxy_pass http://tomcatserver/;
client_max_body_size 500m;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// https://;
}
}