nginx + tomcat + https configuration

Mode:
Client --- https -----> nginx ----- http ------ > tomcat

The browser talks HTTPS to nginx; nginx terminates TLS and forwards the request to Tomcat over a plain HTTP connection via proxy_pass. Tomcat therefore never sees TLS itself, which is why the X-Forwarded-* headers and the Tomcat settings in steps 5 and 6 matter.

Certificate request:

Request the certificate on the server that the domain name resolves to (the ACME challenge is answered from that host).

Note: certbot-auto needs a Python newer than 2.6. certbot-auto has since been retired by the EFF; on a current system install certbot from the distribution package or snap and run the same commands below with `certbot` instead of `certbot-auto`.

1. Download certbot-auto:
#mkdir ~/cert/
#cd ~/cert/
#wget https://dl.eff.org/certbot-auto
#chmod a+x certbot-auto

2. Point pip at a mirror (optional: certbot-auto installs its Python dependencies with pip, and a domestic mirror speeds that up). mkdir ~/.pip and create ~/.pip/pip.conf:
[global]
index-url = https://pypi.doubanio.com/simple/

[install]
trusted-host = pypi.doubanio.com

trusted-host tells pip to accept this host even when its certificate does not verify; leave it out if the mirror's HTTPS verifies cleanly, so that a bad package cannot be slipped in on the way.

3. Install the dependencies of the certificate request tool (the first run of certbot-auto does this itself):
#cd ~/cert
#./certbot-auto

The installation can take a long time, and sometimes fails on a bad network connection; just run it again.


A successful run ends with output like the following (the domain and date are the author's; a Let's Encrypt certificate is valid for 90 days):

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.lelaohui.com.cn
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.lelaohui.com.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.lelaohui.com.cn/privkey.pem
Your cert will expire on 2017-12-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"

To obtain a certificate only, without letting certbot touch the web server configuration:
./certbot-auto certonly


4. Request the site certificate

Note: stop whatever is listening on port 443 first. The --standalone authenticator binds the challenge port itself (443 for the tls-sni-01 challenge in use when this was written; current certbot versions use the http-01 challenge on port 80 instead, so then port 80 must be free).

#./certbot-auto certonly --standalone -d piaoyu.online -d www.piaoyu.online

On success the certificate is saved under /etc/letsencrypt/live/www.piaoyu.online/:
#ls /etc/letsencrypt/live/www.piaoyu.online/
cert.pem chain.pem fullchain.pem privkey.pem

certbot names that directory after the first domain given to -d, so check the path it prints and use exactly that path in the nginx configuration below. fullchain.pem (leaf plus intermediate) is the file nginx needs; privkey.pem is the private key and must stay readable by root only.
Renewal dry run:
./certbot-auto renew --dry-run

Automatic renewal (an /etc/crontab-style line with the user field; the schedule is reconstructed from a garbled line in the original and runs every 8 hours at minute 30, which is harmless because certbot only renews a certificate that is within 30 days of expiry):
30 */8 * * * root /root/cert/certbot-auto renew --quiet

Note: with --standalone the renewal needs the challenge port free as well (443 for tls-sni-01 then, 80 for http-01 now), so in production nginx would have to be stopped around every run; certbot's --pre-hook and --post-hook can do that. The alternative without downtime is the --webroot authenticator, which lets the running nginx serve the challenge file from /.well-known/acme-challenge/.

5. nginx configuration

Three files under /etc/nginx/conf.d/: default.conf (port 80), ssl.conf (port 443) and upstream.conf (the Tomcat backend). As written, the port-80 server also proxies to Tomcat, so the site stays reachable over plaintext HTTP; redirecting port 80 to HTTPS is the usual choice.

[root@appserver88 conf.d]# cat default.conf
#
# The default server
#


server {
listen 80 default_server;
server_name _;
root /usr/share/nginx/html;


# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {

proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_pass http://tomcat;
}

error_page 404 /404.html;
location = /404.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}


###########################

[root@appserver88 conf.d]# cat ssl.conf
#
# HTTPS server configuration
#

server {
listen 443 ssl default_server;
server_name _;
root /usr/share/nginx/html;
#
ssl_certificate /etc/letsencrypt/live/www.piaoyu.online/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.piaoyu.online/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
location / {

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
proxy_pass http://tomcat;
}
#
error_page 404 /404.html;
location = /404.html {
}
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

######################

[root@appserver88 conf.d]# cat upstream.conf
upstream tomcat {
#server 127.0.0.1:8080 fail_timeout=0;
server 10.28.11.117:8090;
}
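The same front end with the changes a reviewer would ask for, as an added example (not the configuration from the original post): port 80 only serves the ACME challenge and redirects everything else to HTTPS, the TLS protocol floor is pinned, HSTS is sent, and X-Forwarded-Proto carries $scheme instead of a hard-coded value. It reuses the `upstream tomcat` block and the certificate paths from the page; the webroot directory /var/www/letsencrypt is an assumption and must match the `-w` argument given to `certbot-auto certonly --webroot`.

```nginx
# Added example; assumes /var/www/letsencrypt exists and is the certbot --webroot path.
server {
    listen 80 default_server;
    server_name www.piaoyu.online piaoyu.online;

    # Renewal challenges come in over plain HTTP; serving them here means
    # nginx never has to be stopped for a renewal.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # No plaintext proxying to Tomcat: everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    server_name www.piaoyu.online piaoyu.online;

    ssl_certificate     /etc/letsencrypt/live/www.piaoyu.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.piaoyu.online/privkey.pem;

    # HIGH:!aNULL:!MD5 alone still admits TLS 1.0/1.1 on older builds; pin the floor.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Keep browsers on HTTPS; start with a short max-age and raise it once stable.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # "https" in this server block
        proxy_pass http://tomcat;
    }
}
```

Run `nginx -t` before reloading. On an nginx older than 1.13.0, or one built against OpenSSL before 1.1.1, drop `TLSv1.3` from ssl_protocols, otherwise the configuration test fails.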


########################


6. Tomcat configuration

Main change: server.xml. The Connector port must match the address in upstream.conf (8090 there; the snippet below shows Tomcat's default 8080):

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
proxyPort="443" />


Add (inside the <Engine> or <Host> element):

<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />

proxyPort="443" is the key to the whole article: it is the port Tomcat returns from getServerPort() and uses when building absolute URLs, so redirects point at nginx's HTTPS port rather than the Connector's own port. redirectPort must be 443 for the same reason.
The <Valve> element is just as important. Without RemoteIpValve, getScheme() returns "http" and isSecure() returns false for every request (the nginx-to-Tomcat hop really is plain HTTP), so a <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint in web.xml makes Tomcat redirect to https://host/..., which arrives through nginx as HTTP again and loops. The valve sets the scheme from X-Forwarded-Proto and the client address from X-Forwarded-For, but only on connections whose peer matches its internalProxies pattern (by default the RFC 1918 private ranges and loopback, so a nginx on the same 10.x network as the 10.28.11.117 Tomcat is trusted without extra configuration); any other peer is treated as the real client and its forwarded headers are ignored. Keep the Connector port reachable only from the nginx host, because a request that reaches Tomcat directly from an address in those ranges can set both headers freely.
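To make that trust decision concrete, here is an added example (not code from the original post or from Tomcat) that re-implements the RemoteIpValve algorithm in Python and runs it over three constructed requests: an honest request through nginx, a client that sends its own X-Forwarded-For, and an attacker connecting straight to the Connector port. The nginx address 10.28.11.5 is an assumption (same 10.28.11.0/24 as the Tomcat in upstream.conf); 203.0.113.10 is a documentation-range client.

```python
"""Model of Tomcat's RemoteIpValve trust decision.

Added example, not code from the original post or from Tomcat itself: it re-implements
the valve's documented algorithm so the effect of the <Valve> configuration above can
be traced with constructed requests.
"""
import re
from dataclasses import dataclass

# Default internalProxies of RemoteIpValve: RFC 1918 ranges, loopback, link-local and ::1.
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)


@dataclass
class Request:
    remote_addr: str        # peer address of the TCP connection Tomcat accepted
    headers: dict           # lower-cased header name -> value
    scheme: str = "http"    # the nginx -> Tomcat hop is plain HTTP
    secure: bool = False
    server_port: int = 443  # what the Connector reports because of proxyPort="443"


def _matches(pattern, ip):
    return pattern is not None and pattern.fullmatch(ip) is not None


def remote_ip_valve(req, internal_proxies=INTERNAL_PROXIES, trusted_proxies=None,
                    remote_ip_header="x-forwarded-for", proxies_header="x-forwarded-by",
                    protocol_header="x-forwarded-proto", http_port=80, https_port=443):
    """Apply the RemoteIpValve algorithm to req in place and return it."""
    # Forwarded headers are honoured only when the peer itself is a trusted proxy.
    if not (_matches(internal_proxies, req.remote_addr)
            or _matches(trusted_proxies, req.remote_addr)):
        return req
    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",") if h.strip()]
    # Walk right to left: the rightmost hop was appended by the nearest proxy
    # ($proxy_add_x_forwarded_for in nginx), so the client cannot overwrite it.
    remote_ip, proxies, idx = None, [], len(hops) - 1
    while idx >= 0:
        cur = hops[idx]
        remote_ip = cur
        if _matches(internal_proxies, cur):
            pass                       # internal proxies are dropped from the chain
        elif _matches(trusted_proxies, cur):
            proxies.insert(0, cur)     # trusted proxies are recorded in X-Forwarded-By
        else:
            idx -= 1                   # first untrusted hop is the client; stop here
            break
        idx -= 1
    if remote_ip is not None:
        req.remote_addr = remote_ip
        leftover = hops[:idx + 1]      # anything left of the client is client-supplied
        if leftover:
            req.headers[remote_ip_header] = ", ".join(leftover)
        else:
            req.headers.pop(remote_ip_header, None)
        if proxies:
            req.headers[proxies_header] = ", ".join(proxies)
    proto = req.headers.get(protocol_header)
    if proto is not None:
        if all(p.strip().lower() == "https" for p in proto.split(",")):
            req.scheme, req.secure, req.server_port = "https", True, https_port
        else:
            req.scheme, req.secure, req.server_port = "http", False, http_port
    return req


def demo():
    """Three constructed requests (assumption: 10.28.11.5 is the nginx host)."""
    nginx, client = "10.28.11.5", "203.0.113.10"
    # 1. Normal request through the ssl.conf server block.
    honest = remote_ip_valve(Request(nginx, {"x-forwarded-for": client,
                                             "x-forwarded-proto": "https"}))
    # 2. Client sends its own X-Forwarded-For; nginx appends the real peer after it.
    spoofed = remote_ip_valve(Request(nginx, {"x-forwarded-for": "192.168.1.1, " + client,
                                              "x-forwarded-proto": "https"}))
    # 3. Attacker connects to the Connector port directly, bypassing nginx.
    direct = remote_ip_valve(Request(client, {"x-forwarded-for": "10.0.0.1",
                                              "x-forwarded-proto": "https"}))
    return honest, spoofed, direct


if __name__ == "__main__":
    for name, r in zip(("honest", "spoofed", "direct"), demo()):
        print(f"{name:8} remote_addr={r.remote_addr} scheme={r.scheme} "
              f"secure={r.secure} port={r.server_port} headers={r.headers}")
```

The second case shows why the forged value does no harm behind nginx: it ends up left of the real peer and is kept in X-Forwarded-For for logging, but getRemoteAddr() resolves to the real client. The third case shows the other side of the same rule: a peer outside internalProxies gets no forwarded headers honoured at all, which is also why the Connector port must not be reachable from hosts inside those ranges that are not your proxy.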

How do you host several HTTPS sites on the same IP?
nginx supports the TLS extension SNI (Server Name Indication: the client sends the host name it wants during the TLS handshake, so one IP address can serve a different certificate for each domain name). The client must support SNI too, and so must the OpenSSL library on the server.
If SSL support is enabled, nginx detects SNI support in OpenSSL automatically and turns it on. The decision is made at compile time by checking ssl.h for SSL_CTRL_SET_TLSEXT_HOSTNAME: if the OpenSSL that nginx was built against supports SNI, the OpenSSL library on the target system only needs to support it as well for SNI to work.
nginx -V reports which way a given binary was built, as either "TLS SNI support enabled" or "TLS SNI support disabled".

 

Check on the server:
# /usr/local/nginx/sbin/nginx -V
TLS SNI support enabled

 

Source: www.cnblogs.com/wdrain/p/11528454.html