Using nginx with an HTTPS-certified domain name to solve the cross-origin problem caused by mismatched Shiro ports

Cross-origin

Not cross-origin
http://www.ddd.cn/index.html calls http://www.ddd.cn/server.php 
Cross-origin, different main domain
http://**www.eeeddd.cn**/index.html calls  http://**www.eee.cn**/server.php  
Cross-origin, different subdomain
http://**abc**.eee.cn/index.html calls  http://**def**.eee.cn/server.php
Cross-origin, different port  
http://www.eee.cn:**8080**/index.html calls  http://www.eee.cn/server.php 
Cross-origin, different protocol 
**https**://www.eee.cn/index.html calls  **http**://www.eee.cn/server.php

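Differences between HTTP and HTTPS

Shortcomings of the HTTP protocol

Communication is in plaintext, so the content can be eavesdropped on (leak of important passwords)
The identity of the communicating party is not verified, so impersonation is possible (cross-site request forgery)
The integrity of a message cannot be proven, so it may have been tampered with (ISP hijacking)

Can HTTPS solve these problems?

HTTPS adds encryption, an authentication mechanism and integrity protection on top of the HTTP protocol, that is, HTTP + encryption + authentication + integrity protection = HTTPS
HTTPS is not a new application-layer protocol; it is simply HTTP with the communication interface part replaced by the SSL/TLS protocol. Normally HTTP talks to TCP directly; when SSL is used, HTTP first talks to SSL, and SSL then talks to TCP.
In other words, HTTPS is just HTTP wrapped in a shell of SSL.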

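Problem

The front end and the back end run on the same physical machine but on different ports, so a cross-origin problem appears once they are deployed. It is solved here with an nginx proxy plus domain name resolution.

nginx configuration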

cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/https.conf;

    #set the request header buffers
    client_header_buffer_size    128k;
    large_client_header_buffers  4 128k;
} 

The key point is include /etc/nginx/conf.d/https.conf;

https.conf configuration

cat /etc/nginx/conf.d/https.conf
server {
    listen 80;
    listen       443 ssl;
    server_name  debugIT.cn;

    ssl_certificate /etc/nginx/ssl/debugIT-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/debugIT.cn.key;
    ssl_prefer_server_ciphers on;

    ssl_protocols TLSv1.2 TLSv1.1;

    #auto rewrite http requests to https
    if ($server_port = 80 ) {
         return 301 https://$host$request_uri;
    }
    #if the Host header is not the expected hostname, reject the request.
    if ($host != 'debugIT.cn' ) {
       return 403;
       #unreachable after the return above, so disabled:
       #rewrite ^/(.*)$ https://debugIT.cn/$1 permanent;
    }
    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        #rewrite ^(.*)$ https://$host$1 permanent;
#valid_referers none blocked debugIT.cn *.debugIT.cn;
#   if ($invalid_referer) {
#    return 403;
#   }
    }
    
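    #note: nginx prefix locations are not globs; "/*" only matches URIs that begin with the literal "/*"
    location /* {
# valid_referers none blocked debugIT.cn *.debugIT.cn;
#   if ($invalid_referer) {
#    return 403;
#   }
    }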
    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    #back-end service
    location /traffic {       
     proxy_pass  http://192.23.13.102:28266;
     proxy_set_header   Host             $host;
     proxy_set_header   X-Real-IP        $remote_addr;
     proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
     proxy_set_header Via    "nginx";

#valid_referers   debugIT.cn *.debugIT.cn;
#   if ($invalid_referer) {
#    return 403;
#   }
     #CORS-related settings
#     add_header 'Access-Control-Allow-Origin' '*' always;
#     add_header 'Access-Control-Allow-Credentials' 'true';
#     add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept' always;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
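
A tightened variant of the https.conf above, as an added example that is not the original author's configuration: it replaces the two `if` tests with separate `server` blocks and drops TLSv1.1. The hostname, certificate paths and upstream address are copied from the page; the `default_server` catch-all, the `X-Forwarded-Proto` header and the TLSv1.2-only setting are assumptions of this example.

```nginx
# Added example, not the original author's configuration.
# This file is included inside http {}, so the TLS settings below are shared
# by both 443 listeners (the default server's protocol list is the one used
# during the handshake, so it must not be left weaker than the real host's).
ssl_certificate           /etc/nginx/ssl/debugIT-bundle.crt;
ssl_certificate_key       /etc/nginx/ssl/debugIT.cn.key;
ssl_protocols             TLSv1.2;   # TLSv1.1 dropped (deprecated by RFC 8996)
ssl_prefer_server_ciphers on;

# Catch-all: any request whose Host header is not debugIT.cn lands here.
# Replaces the "if ($host != ...)" test.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    return 403;
}

# Plain HTTP for the real hostname only redirects to HTTPS.
# Replaces the "if ($server_port = 80)" test.
server {
    listen 80;
    server_name debugIT.cn;
    return 301 https://debugIT.cn$request_uri;
}

server {
    listen 443 ssl;
    server_name debugIT.cn;

    # Front end: static files served from the same origin as the API below.
    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Back end: proxied under the same scheme, host and port as the front end,
    # so the browser makes no cross-origin request and no CORS headers are needed.
    location /traffic {
        proxy_pass http://192.23.13.102:28266;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # assumption: lets the back end see the original scheme
    }
}
```

Validate with `nginx -t` before reloading.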

Key points:

Configuration of the ssl_certificate certificate:
