I. Applying for an SSL certificate
Applying for a certificate on Alibaba Cloud, illustrated tutorial: http://www.chinaz.com/web/2017/0105/639110.shtml
Applying for a certificate on Tencent Cloud
II. Configuring SSL in Nginx
server {
    listen 443 ssl;   # the ssl parameter on listen replaces the deprecated "ssl on;"
    server_name localhost;
    ssl_certificate cert/xxx.pem;
    ssl_certificate_key cert/xxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients need them
    ssl_prefer_server_ciphers on;
}
Other settings can be found in the official nginx documentation.
Redirecting port 80 to port 443 is configured as follows:
server {
    listen 80;
    server_name localhost;
    rewrite ^(.*)$ https://$host$1 permanent;
}
Possible problems:
1. Nginx was built without the SSL module:
Error:
./configure: error: the HTTP cache module requires md5 functions
from OpenSSL library. You can either disable the module by using
--without-http-cache option, or install the OpenSSL library into the system,
or build the OpenSSL library statically from the source with nginx by using
--with-http_ssl_module --with-openssl=<path> options.
Solution:
1. Install openssl and openssl-devel
yum -y install openssl openssl-devel
2. If they are already installed but the error persists, pass the path to the OpenSSL source explicitly:
./configure --with-http_v2_module --with-http_ssl_module --with-openssl=/work/openssl-1.0.2n
3. Nginx can be upgraded as follows:
nginx: [emerg] unknown directive "ssl", fix: http://blog.csdn.net/u014227715/article/details/77649156
4. If the previously installed Nginx lacks the SSL module, upgrade it following this link:
http://blog.csdn.net/u014227715/article/details/77649156
5. After the upgrade, be sure to restart Nginx. Note: restart, not just reload the configuration file!!!
With that, the basic Nginx configuration is complete.
III. Configuring SSL in Tomcat 8 (OpenSSL)
Note: Tomcat 8 has two ways to configure SSL, APR and JSSE.
The two configurations differ. For the details see: https://stackoverflow.com/questions/6306314/tomcat-7-ssl-failed
IV. Configuration notes
1. Alibaba Cloud SLB (https) + Nginx (http) + Tomcat (http): the load balancer talks to the backend over http
a. Enable https on the Alibaba Cloud SLB and configure the certificate; in the advanced settings enable X-Forwarded-Proto
b. Nginx needs no SSL configuration; it only needs an http listener
c. In Tomcat's server.xml, add the following under the Host tag (mainly so that Tomcat records whether the client requested http or https):
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"/>
2. Nginx (https) + Tomcat (http): client ->(https) Nginx ->(http) Tomcat
a. Nginx SSL configuration:
user nobody;
worker_processes auto;
pid logs/nginx.pid;
events {
    use epoll;
    worker_connections 65535;
}
http {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Set in the request header so the backend can tell whether the client used http or https
    proxy_set_header X-Forwarded-Proto $scheme;
    upstream backend {
        server 127.0.0.1:8080;
    }
    server {
        listen 443 ssl;   # the ssl parameter on listen replaces the deprecated "ssl on;"
        server_name 127.0.0.1;
        ssl_certificate cert/214404386550201.pem;
        ssl_certificate_key cert/214404386550201.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients need them
        ssl_prefer_server_ciphers on;
        # "location /" matches every request; it replaces the original regex form "~*/*", which matched the same
        location / {
            proxy_pass http://backend;
        }
    }
}
b. Tomcat needs to read the client's request protocol from the request header:
In Tomcat's server.xml, add the following under the Host tag (mainly so that Tomcat records whether the client requested http or https):
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"/>
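How the RemoteIpValve attributes above decide what the application sees, as a Python model added for this page (not Tomcat's code and not from the original post): the X-Forwarded-* headers are honoured only when the hop that delivered the request is a trusted proxy, which is why the valve, not the application, should read them. It assumes the valve's default trusted ranges (loopback, link-local and RFC 1918) and takes the peer address plus a header dict as constructed input.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: mirrors RemoteIpValve's default internalProxies (loopback, link-local,
# RFC 1918). The nginx upstream on the page, 127.0.0.1, falls inside; a load balancer
# with a public address would not and must be listed via internalProxies/trustedProxies.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

@dataclass
class Resolved:
    scheme: str        # scheme the application should see: "http" or "https"
    remote_addr: str   # client address the application should log
    secure: bool       # what request.isSecure() would report

def is_internal_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:       # garbage in the header chain is never a trusted proxy
        return False
    return any(ip in net for net in INTERNAL_PROXIES)

def resolve(peer_addr: str, headers: dict, connection_scheme: str = "http",
            remote_ip_header: str = "X-Forwarded-For",
            protocol_header: str = "X-Forwarded-Proto",
            protocol_header_https_value: str = "https") -> Resolved:
    """Apply the valve attributes from the page: X-Forwarded-* headers count only
    when the immediate peer is a trusted proxy; otherwise the raw connection facts
    win, so a client cannot forge an https origin or a different source address."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not is_internal_proxy(peer_addr):
        return Resolved(connection_scheme, peer_addr, connection_scheme == "https")
    # Walk the forwarding chain from the right; the first hop that is not a trusted
    # proxy is the real client. If every hop is trusted, keep the peer address.
    raw = hdrs.get(remote_ip_header.lower(), "")
    chain = [h.strip() for h in raw.split(",") if h.strip()]
    client = peer_addr
    for hop in reversed(chain):
        if not is_internal_proxy(hop):
            client = hop
            break
    proto = hdrs.get(protocol_header.lower(), "").strip().lower()
    if proto == protocol_header_https_value.lower():
        scheme = "https"
    else:  # header present but not the https value: http; header absent: as connected
        scheme = "http" if proto else connection_scheme
    return Resolved(scheme, client, scheme == "https")
```

With nginx terminating TLS on 127.0.0.1, a request forwarded with X-Forwarded-Proto: https resolves to https, while the same header sent directly by an outside client is ignored.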
References:
1. Tomcat 9 official SSL configuration attributes: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
2. Nginx SSL + Tomcat cluster, Tomcat without https: http://blog.csdn.net/vfush/article/details/51086274
3. nginx: [emerg] unknown directive "ssl": http://blog.csdn.net/u014227715/article/details/77649156
4. Two ways to configure SSL in Tomcat: https://stackoverflow.com/questions/6306314/tomcat-7-ssl-failed