nginx反向代理tomcat的ssl(https)實現

tomcat的server.xml
<?xml vesion='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>

    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">


    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" 
               proxyPort="443"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">


      <Realm className="org.apache.catalina.realm.LockOutRealm">

        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">


        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t "%r" %s %b" />

        <!-- 這裏非常重要 -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
                  remoteIpHeader="x-forwarded-for"
                  remoteIpProxiesHeader="x-forwarded-by"
                  protocolHeader="x-forwarded-proto"/>

      </Host>
    </Engine>
  </Service>
</Server>
下面是nginx下conf.d文件裏面的*.conf文件
server {
#    listen                     80;
    ssl                         on;
    listen                      443 ssl;
    server_name                 localhost;
    ssl_certificate             /etc/nginx/conf.d/idealn_ca/fullchain.pem;
    ssl_certificate_key         /etc/nginx/conf.d/idealn_ca/privkey.pem;
    ssl_trusted_certificate     /etc/nginx/conf.d/idealn_ca/chain.pem;


    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    error_page  404              /404.html;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

     location ~* \.(jpg|jpeg|png|gif|ico|obj|mtl|mp4|txt|doc|excel|pdf|bmp|rar|zip|gz|tar|tgz|svg)$ {
        access_log off;
        add_header Cache-Control "public";
        proxy_cache cache_one;
        proxy_cache_valid 200 304 302 5d;
        proxy_cache_valid any 5d;
        proxy_cache_key '$host:$server_port$request_uri';
        add_header X-Cache '$upstream_cache_status from $host';
        root /opt/tomcat/webapps/ROOT;
        expires 15d;
     }

     location ~* \.(html|js|css)$ {
        proxy_cache cache_one;
        proxy_cache_valid 200 304 302 5d;
        proxy_cache_valid any 5d;
        proxy_cache_key '$host:$server_port$request_uri';
        add_header X-Cache '$upstream_cache_status from $host';
        root /opt/tomcat/webapps/ROOT;
        expires 5d;
     }

     location ~ .*$ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-SSL-Protocol $ssl_protocol;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-HTTPS-Protocol $ssl_protocol;
        #對應tomcat的server.xml的設置
        proxy_set_header X-FORWARDED-PROTO $scheme;
        expires -1;
     }

}

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章