In this setup HTTPS is enabled on nginx, while nginx talks to Tomcat over plain HTTP. The goal is to open https://<ip or domain>/test in a browser.
The diagram above shows the basic layout. Many references configure SSL on both Tomcat and nginx; in fact terminating SSL on nginx alone is enough, and Tomcat never touches a certificate.
On the nginx side, nginx listens on ports 80/443 and Tomcat on 8080.
Taking the test application as an example, the configuration below has nginx proxying two Tomcat machines:
    upstream test {
        server 192.168.1.1:8080 weight=1 max_fails=2 fail_timeout=10s;
        server 192.168.1.2:8080 weight=1 max_fails=2 fail_timeout=10s;
        sticky;   # session affinity; needs the third-party nginx-sticky-module, stock nginx rejects it
    }
    server {
        listen 192.168.1.3:80;
        location /test/ {
            proxy_next_upstream http_502 http_504 error timeout invalid_header;
            proxy_pass http://test;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;   # "http" here, so Tomcat does not treat the request as secure
            client_max_body_size 10m;
            client_body_buffer_size 128k;
        }
    }
The X-Forwarded-Proto line is set in the port-80 server as well: the Tomcat Connector below carries proxyPort="443", so a plain-HTTP request that arrives without a scheme header would be reported to the application as port 443 with scheme http, and any redirect Tomcat builds would point at http://host:443/. Sending $scheme from both servers keeps scheme and port consistent.
    server {
        listen 192.168.1.3:443 ssl;   # "ssl on;" is redundant with the ssl listen parameter and was removed from nginx
        ssl_certificate /data/test.com.crt;
        ssl_certificate_key /data/test.com.key;   # keep the key file root-owned, mode 0600
        location /test/ {
            proxy_next_upstream http_502 http_504 error timeout invalid_header;
            proxy_pass http://test;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;   # "https" here; this is what Tomcat's RemoteIpValve reads
            client_max_body_size 10m;
            client_body_buffer_size 128k;
        }
    }
The original configuration also had `fastcgi_param HTTPS $https if_not_empty;` in this location, with the explanation that it switches HTTPS on only when the request came over TLS. That directive only applies to requests sent with fastcgi_pass; a proxy_pass location never sends FastCGI parameters, so Tomcat never sees it and it has been dropped. What tells Tomcat that the original request was HTTPS is the X-Forwarded-Proto header, which RemoteIpValve handles below.
Check the syntax with `nginx -t`, then restart (or reload) nginx.
Next comes the Tomcat side. Open server.xml and edit the Connector element:
    <Connector port="8080" address="" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" proxyPort="443"/>
proxyPort="443" makes Tomcat report 443 as the server port, so the absolute URLs it builds for redirects point back at nginx rather than at 8080. address="" binds 8080 on every interface; in production bind it to the interface nginx uses, or firewall it, so that clients cannot bypass the TLS endpoint and reach Tomcat over plain HTTP.
Near the end of the file, inside the <Host> element where the existing Valve is, comment out that Valve and add this one:
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />
RemoteIpValve rewrites the request from the headers nginx set: the client address comes from X-Forwarded-For, and X-Forwarded-Proto: https makes request.isSecure() true, sets the scheme to https and the server port to 443, so redirects and the Secure flag on the session cookie come out right. It honours these headers only when the connection arrives from an address matching its internalProxies pattern; the default covers 192.168.0.0/16 and the other RFC 1918 ranges, so nginx at 192.168.1.3 qualifies, and forwarded headers from any other peer are ignored. If you would rather keep the AccessLogValve than comment it out, give it requestAttributesEnabled="true" so the access log shows the resolved client address instead of nginx's.
Restart Tomcat and the setup is complete. Note: the certificate used here is a real, CA-issued one.
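To make the trust rule concrete, here is an added Python model of the RemoteIpValve header handling described above. It is not Tomcat's code and is not part of the original post; it simplifies the valve to Tomcat's documented default internalProxies pattern with no trustedProxies, and runs it over four constructed requests: the normal path through nginx, a client that supplied its own X-Forwarded-For before nginx appended the real peer, a client hitting 8080 directly with forged headers, and a plain-HTTP request through nginx that carries no X-Forwarded-Proto (showing the proxyPort="443" interaction). The addresses 203.0.113.7, 1.2.3.4 and 198.51.100.9 are made up for the example.

```python
import re
from dataclasses import dataclass, field

# Tomcat's documented default for RemoteIpValve internalProxies:
# RFC 1918 ranges, link-local and loopback. nginx at 192.168.1.3 matches it.
INTERNAL_PROXIES = re.compile(
    r"^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.2[0-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.3[01]\.\d{1,3}\.\d{1,3}"
    r"|0:0:0:0:0:0:0:1|::1)$"
)


@dataclass
class Request:
    """What Tomcat knows before the valve runs: the TCP peer and the raw headers."""
    remote_addr: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"
    secure: bool = False
    server_port: int = 443   # Connector proxyPort="443" from the page


def remote_ip_valve(req, internal=INTERNAL_PROXIES, trusted=None,
                    remote_ip_header="x-forwarded-for",
                    proxies_header="x-forwarded-by",
                    protocol_header="x-forwarded-proto",
                    http_port=80, https_port=443):
    """Simplified model (not Tomcat's code) of org.apache.catalina.valves.RemoteIpValve."""
    hdrs = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive
    req.headers = hdrs
    # Rule 1: forwarded headers are believed only when the TCP peer is an internal proxy.
    if not internal.match(req.remote_addr):
        return req
    hops = [h.strip() for h in hdrs.get(remote_ip_header, "").split(",") if h.strip()]
    remote_ip, proxies, remaining = None, [], []
    # Walk X-Forwarded-For right to left: skip internal proxies, keep trusted ones,
    # and stop at the first address that is neither: that is the client.
    for i in range(len(hops) - 1, -1, -1):
        hop = hops[i]
        if internal.match(hop):
            continue
        if trusted is not None and trusted.match(hop):
            proxies.insert(0, hop)
            continue
        remote_ip, remaining = hop, hops[:i]
        break
    if remote_ip is not None:
        req.remote_addr = remote_ip
        if remaining:
            hdrs[remote_ip_header] = ", ".join(remaining)   # whatever sat left of the client stays untrusted
        else:
            hdrs.pop(remote_ip_header, None)
        if proxies:
            hdrs[proxies_header] = ", ".join(proxies)
    # Rule 2: X-Forwarded-Proto decides isSecure()/scheme/serverPort, again only for internal peers.
    proto = hdrs.get(protocol_header)
    if proto is not None:
        if proto.split(",")[0].strip().lower() == "https":
            req.secure, req.scheme, req.server_port = True, "https", https_port
        else:
            req.secure, req.scheme, req.server_port = False, "http", http_port
    return req


# Constructed requests for the example, not captured traffic.
def via_nginx_https():
    """Browser 203.0.113.7 -> nginx 192.168.1.3:443 -> Tomcat: the normal path."""
    return remote_ip_valve(Request("192.168.1.3", {
        "X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}))


def via_nginx_spoofed_xff():
    """Client sent its own X-Forwarded-For; $proxy_add_x_forwarded_for appended the real peer."""
    return remote_ip_valve(Request("192.168.1.3", {
        "X-Forwarded-For": "1.2.3.4, 203.0.113.7", "X-Forwarded-Proto": "https"}))


def direct_to_8080():
    """Client reaches Tomcat on 8080 directly (address="" binds all interfaces) and forges both headers."""
    return remote_ip_valve(Request("198.51.100.9", {
        "X-Forwarded-For": "192.168.1.3", "X-Forwarded-Proto": "https"}))


def via_nginx_http_no_proto():
    """Plain-HTTP request through the port-80 server when it sends no X-Forwarded-Proto."""
    return remote_ip_valve(Request("192.168.1.3", {"X-Forwarded-For": "203.0.113.7"}))


if __name__ == "__main__":
    for fn in (via_nginx_https, via_nginx_spoofed_xff, direct_to_8080, via_nginx_http_no_proto):
        r = fn()
        print(f"{fn.__name__:24} remoteAddr={r.remote_addr:14} scheme={r.scheme:5} "
              f"secure={r.secure!s:5} port={r.server_port} xff={r.headers.get('x-forwarded-for')}")
```

The third case is the security point of the valve: a peer outside internalProxies gets no say over the client address or the scheme, which is why the default pattern should not be widened to public ranges. The fourth case shows the proxyPort interaction: with no scheme header the request keeps scheme http but port 443, so the port-80 server should send X-Forwarded-Proto $scheme (or simply redirect to HTTPS).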