Nginx和Tomcat配置SSL实现https访问

  • A+
所属分类:linux技术
摘要

环境:CentOS 7Nginx版本: nginx/1.18.0详细步骤可以参考如下官网:http://nginx.org/en/linux_packages.html#RHEL-CentOS

环境:CentOS 7

Nginx版本: nginx/1.18.0

1. 安装nginx

详细步骤可以参考如下官网:http://nginx.org/en/linux_packages.html#RHEL-CentOS

下面是一些大致的步骤:

  • 安装yum工具
yum install yum-utils

  • 创建yum文件/etc/yum.repos.d/nginx.repo,添加如下内容

 

[nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true  [nginx-mainline] name=nginx mainline repo baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ gpgcheck=1 enabled=0 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true
  • 重新加载yum缓存 
yum clean all yum makecache

 

  •  执行安装
yum install nginx

 

 安装完成后,通过下面的命令,可以产看安装的版本等信息,注意看到有--with-http_ssl_module 模块,才表明nginx可以配置ssl,支持https协议

 nginx -V

 

  • 准备ssl证书

详细可参考地址:https://www.cnblogs.com/caidingyu/p/11904277.html

2. nginx配置

  •   停止nginx服务
# systemctl stop nginx.service

 

  • 确认配置文件的路径
# rpm -qc nginx

 

默认配置文件的路径为:/etc/nginx/nginx.conf

  • 编辑nginx配置文件:
 vim /etc/nginx/nginx.conf

 

在http{}中添加类似内容如下:

server {
  listen 443 ssl;
  server_name  域名; #例如 www.baidu.com
  ssl on;

  #证书地址
  ssl_certificate  ssl/域名.crt;
  ssl_certificate_key ssl/域名.key;

  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;

  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    proxy_connect_timeout 360;
    proxy_send_timeout 240;
    proxy_read_timeout 240;
    # note, there is not SSL here! plain HTTP is used
    proxy_pass http://127.0.0.1:8080;
    }
  location /webSocket/ {
    #webSocket在https下的配置
    proxy_pass http://127.0.0.1:8080;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    }
  }

 

 

3.tomcat的安装

详细可以参考另外一篇博文:https://www.cnblogs.com/diantong/p/11106697.html

 

4.tomcat的配置

  • 停tomcat服务

在安装目录的/bin文件夹下,有一个shutdown.sh脚本,执行该脚本进行停止,停止后,可以通过如下命令确认停止完成:

ps -ef | grep tomcat

  • 找到对应server.xml配置文件,进行编辑:特别注意红色字体标记的内容

<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
  connectionTimeout="5000"
  redirectPort="443"
  proxyPort="443"
  acceptCount="600"
  maxThreads="500"
  maxSpareThreads="100"
  minSpareThreads="20"
  maxIdleTime="5000"
  keepAliveTimeout = "500"
  maxKeepAliveRequests="100" URIEncoding="utf-8" maxPostsize='52428800'
/>

 

<Host name="localhost" appBase="webapps"
   unpackWARs="true" autoDeploy="true">

  <!-- SingleSignOn valve, share authentication between web applications
    Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->

  <!-- Access log processes all example.
    Documentation at: /docs/config/valve.html
    Note: The pattern used is equivalent to using pattern="common" -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    prefix="localhost_access_log." suffix=".txt"
    pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  <Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    remoteIpProxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto" />
</Host>

 

5. 启动nginx和tomcat服务

  •  启动nginx服务
# systemctl start nginx.service

 

  •  启动tomcat

可以在安装目录的/bin文件下,执行startup.sh脚本

6. 常见问题处理方法

  • 网络端口无法访问,尝试关闭防火墙是否可以解决
# systemctl stop firewalld.service

 

  •    关闭sulinux访问限制(如果没有运行,可能产生502 bad gateway的错误)
setsebool -P httpd_can_network_connect 1

 

  •  测试端口是否故障
 telnet 127.0.0.1 8080

 

 

以上,可访问了。