前言:现在网络安全越来越重要,绝大部分的网站都已经全站https了,例如:微信小程序的开发中,就要去后台必须是https的,其他的微信接口也是建议使用https,但是在实际应用中,我们有时却没有办法完全舍弃http的请求。这个时候就需要一个服务http和https都可以访问,当然我也是建议全站https,http自动跳转https。

要求:有nginx和tomcat的配置经验

目标:

  1. 站https,http请求自动变成https(意味着不在提供http的访问,只提供https)
  2. 兼容https、http(http不会转到https,还是http请求。https访问就是https)

适用范围:nginx做web服务器,tomcat做应用服务器,自己的服务用war包发布在tomcat中,系统是linux。域名是阿里的域名,证书是申请的阿里的免费域名(1年)

第一个目标的的实现:

1、先在阿里云申请证书,比如:我要申请 www.luckylxh.top 的证书,申请成功后,找到这个页面,下载pem和key,按照要求放入服务器

按照要求配置成:

server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate   cert/1532005203290.pem;
    ssl_certificate_key  cert/1532005203290.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

2、实现全站https(其实就是做一个301跳转)

server{
  listen 80;
  server_name www.luckylxh.top;
  return 301 https://$server_name$request_uri;
}
server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate   cert/1532005203290.pem;
    ssl_certificate_key  cert/1532005203290.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

所有的http请求自动跳到https的server上

3、配置tomcat

(1)Connector节点加入 redirectPort="443" proxyPort="443"
(2)Host节点中间添加<Valve className="org.apache.catalina.valves.RemoteIpValve"

        remoteIpHeader="x-forwarded-for"
        remoteIpProxiesHeader="x-forwarded-by"
        protocolHeader="x-forwarded-proto"/>   

4、最后的配置如下

(1)nginx.conf

server{
  listen 80;
  server_name www.luckylxh.top;
  return 301 https://$server_name$request_uri;
}
 
server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on ;
    set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; #
    root $htdocs;
    ssl_certificate   cert/214788276180473.pem;
    ssl_certificate_key  cert/214788276180473.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
      proxy_pass http://localhost:8080;
    }
}

(2)tomcat(server.xml)

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" proxyPort="443" URIEncoding="UTF-8"/>
 
 
<Host name="www.luckylxh.com" appBase="/usr/local/tomcat-12580-8080/webapps/12580"
            unpackWARs="true" autoDeploy="true">
            <Valve className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="x-forwarded-for"
            remoteIpProxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto"/>            
</Host>

上述的实现,就是浏览器与nginx是https的,nginx和tomcat还是http的,同时全站强制使用https

第二个目标的实现:

(1)修改nginx.conf配置

监听80端口把服务转给tomcat的8089端口

server {
        listen     80;
        server_name  www.luckylxh.top;
    set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; 
    root $htdocs;
        location / {
         index index.html;
         proxy_pass http://localhost:8089;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header REMOTE-HOST $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
       location ~ .*.(ico|gif|jpg|jpeg|png|bmp|swf|zip|rar|flv)$ {
         expires 15d;
    }
    location ~^/(WEB-INF)/{
         deny all;
    }
    }

监听443端口,服务转给tomcat的8080端口

server {
    listen 443;
    server_name www.luckylxh.top;
    ssl on ;
    set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; #姝ゅ瀹氫箟浜唄tdocs
    root $htdocs;
    ssl_certificate   cert/214788276180473.pem;
    ssl_certificate_key  cert/214788276180473.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
      proxy_pass http://localhost:8080;
    }
}

(2)修改tomcat的server.xml

<!-- 这里是8080端口,接受从https过来的请求-->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" proxyPort="443" URIEncoding="UTF-8"/>
<!-- 这里是8089端口,接受从http过来的请求,这个与普通的tomcat的server.xml一致-->
<Connector port="8089" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8444" URIEncoding="UTF-8"/>
 
<Host name="www.luckylxh.top" appBase="/usr/local/tomcat-12580-8080/webapps/12580"
            unpackWARs="true" autoDeploy="true">
            <Valve className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="x-forwarded-for"
            remoteIpProxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto"/>            
</Host>

这时就可以达到我们要的效果了,https和http都可以访问

原文链接:https://blog.csdn.net/qq_38254467/article/details/82352083

Last modification:October 29th, 2021 at 03:21 pm