前言:现在网络安全越来越重要,绝大部分的网站都已经全站https了,例如:微信小程序的开发中,就要去后台必须是https的,其他的微信接口也是建议使用https,但是在实际应用中,我们有时却没有办法完全舍弃http的请求。这个时候就需要一个服务http和https都可以访问,当然我也是建议全站https,http自动跳转https。
要求:有nginx和tomcat的配置经验
目标:
- 站https,http请求自动变成https(意味着不在提供http的访问,只提供https)
- 兼容https、http(http不会转到https,还是http请求。https访问就是https)
适用范围:nginx做web服务器,tomcat做应用服务器,自己的服务用war包发布在tomcat中,系统是linux。域名是阿里的域名,证书是申请的阿里的免费域名(1年)
第一个目标的的实现:
1、先在阿里云申请证书,比如:我要申请 www.luckylxh.top 的证书,申请成功后,找到这个页面,下载pem和key,按照要求放入服务器
按照要求配置成:
server {
listen 443;
server_name www.luckylxh.top;
ssl on;
root html;
index index.html index.htm;
ssl_certificate cert/1532005203290.pem;
ssl_certificate_key cert/1532005203290.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
2、实现全站https(其实就是做一个301跳转)
server{
listen 80;
server_name www.luckylxh.top;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name www.luckylxh.top;
ssl on;
root html;
index index.html index.htm;
ssl_certificate cert/1532005203290.pem;
ssl_certificate_key cert/1532005203290.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
所有的http请求自动跳到https的server上
3、配置tomcat
(1)Connector节点加入 redirectPort="443" proxyPort="443"
(2)Host节点中间添加<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
4、最后的配置如下
(1)nginx.conf
server{
listen 80;
server_name www.luckylxh.top;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name www.luckylxh.top;
ssl on ;
set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; #
root $htdocs;
ssl_certificate cert/214788276180473.pem;
ssl_certificate_key cert/214788276180473.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_pass http://localhost:8080;
}
}
(2)tomcat(server.xml)
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" proxyPort="443" URIEncoding="UTF-8"/>
<Host name="www.luckylxh.com" appBase="/usr/local/tomcat-12580-8080/webapps/12580"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
</Host>
上述的实现,就是浏览器与nginx是https的,nginx和tomcat还是http的,同时全站强制使用https
第二个目标的实现:
(1)修改nginx.conf配置
监听80端口把服务转给tomcat的8089端口
server {
listen 80;
server_name www.luckylxh.top;
set $htdocs /usr/local/tomcat-12580-8080/webapps/12580;
root $htdocs;
location / {
index index.html;
proxy_pass http://localhost:8089;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ .*.(ico|gif|jpg|jpeg|png|bmp|swf|zip|rar|flv)$ {
expires 15d;
}
location ~^/(WEB-INF)/{
deny all;
}
}
监听443端口,服务转给tomcat的8080端口
server {
listen 443;
server_name www.luckylxh.top;
ssl on ;
set $htdocs /usr/local/tomcat-12580-8080/webapps/12580; #姝ゅ瀹氫箟浜唄tdocs
root $htdocs;
ssl_certificate cert/214788276180473.pem;
ssl_certificate_key cert/214788276180473.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_pass http://localhost:8080;
}
}
(2)修改tomcat的server.xml
<!-- 这里是8080端口,接受从https过来的请求-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" proxyPort="443" URIEncoding="UTF-8"/>
<!-- 这里是8089端口,接受从http过来的请求,这个与普通的tomcat的server.xml一致-->
<Connector port="8089" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8444" URIEncoding="UTF-8"/>
<Host name="www.luckylxh.top" appBase="/usr/local/tomcat-12580-8080/webapps/12580"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
</Host>
这时就可以达到我们要的效果了,https和http都可以访问
原文链接:https://blog.csdn.net/qq_38254467/article/details/82352083