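Two ways to implement an nginx HTTPS reverse proxy for Tomcat

Reverse proxy

In computing, a single server can handle only a limited number of client (user) requests. When user requests flood in, the server cannot keep up. Multiple servers can be used to share the load of thousands of user requests; these servers provide the same service, and users notice no difference at all.

nginx acts as the front-end proxy and distributes requests, and Tomcat processes them. There are two ways to implement HTTPS when nginx reverse-proxies Tomcat.

I. HTTPS configured on nginx, and HTTPS configured on Tomcat as well

1. Configure HTTPS on nginx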

  upstream https_tomcat_web {
    server 127.0.0.1:8443;
  }

  server {
    listen 443 ssl;   # "listen ... ssl" replaces the deprecated "ssl on;"
    server_name www.test.com;
    index index.html;
    root /var/www/html/test;

    ssl_certificate /etc/nginx/go.pem;
    ssl_certificate_key /etc/nginx/go.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;   # SSLv2 and SSLv3 are broken and are no longer listed
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    location ~ ^/admin {
      proxy_pass https://https_tomcat_web;   # the upstream is HTTPS
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      client_max_body_size 100m;
      client_body_buffer_size 256k;
      proxy_connect_timeout 60;
      proxy_send_timeout 30;
      proxy_read_timeout 30;
      proxy_buffer_size 8k;
      proxy_buffers 8 64k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
  }

2. Configure HTTPS on Tomcat, in the configuration file server.xml

  <Service name="Catalina">
    <Connector port="8001"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8091"
               protocol="AJP/1.3"
               redirectPort="8443" />

    <!-- Add the following -->
    <Connector port="8443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               scheme="https"
               secure="false"
               keystoreFile="cert/gotom.pfx"
               keystoreType="PKCS12"
               keystorePass="214261272770418"
               clientAuth="false"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />

    <!-- .................. omitted .................. -->
  </Service>

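Once this is configured, restart nginx and Tomcat, and the site can be accessed over HTTPS. This is also the configuration I currently use.

II. HTTPS on nginx, HTTP on Tomcat

1. Configure HTTPS on nginx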

  upstream https_tomcat_web {
    server 127.0.0.1:8001;
  }

  server {
    listen 443 ssl;   # "listen ... ssl" replaces the deprecated "ssl on;"
    server_name www.test.com;
    index index.html;
    root /var/www/html/test;

    ssl_certificate /etc/nginx/go.pem;
    ssl_certificate_key /etc/nginx/go.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;   # SSLv2 and SSLv3 are broken and are no longer listed
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    location ~ ^/admin {
      proxy_pass http://https_tomcat_web;   # the upstream is HTTP
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      client_max_body_size 100m;
      client_body_buffer_size 256k;
      proxy_connect_timeout 60;
      proxy_send_timeout 30;
      proxy_read_timeout 30;
      proxy_buffer_size 8k;
      proxy_buffers 8 64k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
  }

2. Configure HTTP on Tomcat, in the configuration file server.xml

  <Service name="Catalina">
    <!-- redirectPort now points to port 443 -->
    <Connector port="8001"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <Connector port="8091"
               protocol="AJP/1.3"
               redirectPort="443" />

    <!-- .................. omitted .................. -->
  </Service>

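Restart nginx and Tomcat, and HTTPS is configured.

With either the first or the second method, if you access port 8001 directly over HTTP, the browser will warn you that the access is insecure, because the request itself is HTTP but is redirected to HTTPS.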
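An added example, not part of the original article: a small Python check for two TLS points in the setups above, namely legacy protocol versions listed in ssl_protocols and an https:// upstream, which nginx does not verify unless proxy_ssl_verify is on (its default is off). The sample config is constructed, the function names directives and audit are hypothetical, and the parser assumes simple directives without quoted "#", ";" or braces.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample resembling method I (HTTPS on both hops).
SAMPLE = """
upstream https_tomcat_web { server 127.0.0.1:8443; }
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1.2;   # legacy version still listed
    location ~ ^/admin {
        proxy_pass https://https_tomcat_web;  # upstream is HTTPS
        proxy_set_header Host $host;
    }
}
"""

def directives(conf):
    """Yield (name, args) for each statement, ignoring # comments."""
    text = re.sub(r"#[^\n]*", "", conf)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return a sorted list of findings for the TLS-related directives."""
    findings = set()
    seen = list(directives(conf))
    names = {n for n, _ in seen}
    verify_on = any(n == "proxy_ssl_verify" and a[:1] == ["on"] for n, a in seen)
    for name, args in seen:
        if name == "ssl_protocols":
            for proto in sorted(LEGACY.intersection(args)):
                findings.add(f"legacy protocol enabled: {proto}")
        elif name == "proxy_pass" and args and args[0].startswith("https://"):
            if not verify_on:
                # Encrypted hop, but the upstream certificate is never checked.
                findings.add("https upstream without proxy_ssl_verify on")
            elif "proxy_ssl_trusted_certificate" not in names:
                findings.add("proxy_ssl_verify on but no trusted CA file")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
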
