一.配置tomcat
1.生成私钥
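# Generate the Tomcat private key. The original command omitted the key size,
# so the OpenSSL build's default applied (1024 bits on older releases); 2048
# bits is the generally accepted minimum for RSA today.
openssl genrsa -out tomcatkey.pem 2048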
2. 使用私钥自签证书
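# Self-sign a certificate with that key, valid for 1095 days (~3 years).
# -sha256 pins the signature digest explicitly; older OpenSSL releases
# default to SHA-1 for this step.
openssl req -new -x509 -sha256 -key tomcatkey.pem -out tomcatca.pem -days 1095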
3.配置tomcat的https连接器,修改server.xml文件,这里是配置的apr模式
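<!-- HTTPS connector in APR/native mode.
     The APR connector reads the capitalised SSL* attributes; the lowercase
     "sslProtocol" used originally is the JSSE connector's attribute name and
     is not an APR attribute, which would leave the APR default ("all") in
     effect. It is renamed to SSLProtocol below.
     SSLVerifyClient="optional" asks clients for a certificate but does not
     require one, and no SSLCACertificateFile is given, so any certificate a
     client presents cannot be checked against a CA here - confirm whether
     client authentication is actually intended. No SSLCipherSuite is set, so
     the native library's default cipher list applies. -->
<Connector port="8443" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLCertificateFile="/home/hxtest/tomcat6/conf/ssl/tomcatca.pem" SSLCertificateKeyFile="/home/hxtest/tomcat6/conf/ssl/tomcatkey.pem" maxThreads="500" scheme="https" secure="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLVerifyClient="optional" />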
二.配置nginx
1.生成私钥
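# Generate the nginx private key, DES3-encrypted with a passphrase (step 3
# strips the passphrase again). Key size raised from 1024 to 2048 bits:
# 1024-bit RSA is below the generally accepted minimum.
openssl genrsa -des3 -out ssl.key 2048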
2.创建证书签名请求(CSR)
# Create a certificate signing request for the key. The Common Name entered
# at the prompt should match the server_name used in the nginx config
# (an IP address here - note that current clients match IPs only via a
# subjectAltName, which this request does not add; verify against your
# clients).
openssl req -new -out ssl.csr -key ssl.key
3.清除SSL启动nginx时提示必须输入密钥
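# Strip the passphrase so nginx can start without prompting. The encrypted
# original is kept as ssl.key.org; the new ssl.key is plaintext and is only
# protected by file permissions, so restrict it to the owner (openssl rsa
# creates it with the default umask, typically world-readable).
cp -- ssl.key ssl.key.org
openssl rsa -in ssl.key.org -out ssl.key
chmod 600 ssl.key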
4.使用刚生成的私钥和CSR进行证书签名
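# Self-sign the CSR with the private key, valid for 365 days. -sha256 pins the
# signature digest; older OpenSSL releases default to SHA-1 here.
openssl x509 -req -sha256 -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt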
5.把私钥和证书加入到nginx.conf的配置文件中
# Certificate and private key from the steps above. The key file is stored
# without a passphrase (step 3), so keep it readable only by the user that
# starts nginx (normally root for the master process).
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
三.配置nginx 使用https协议代理tomcat。
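# HTTPS server
#
server {
    # "ssl on;" is obsolete (removed in nginx 1.15.0); enabling TLS on the
    # listen socket is the supported form.
    listen 443 ssl;
    server_name 192.168.100.2;  # IP address of this nginx host
    ### SSL log files ###
    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;
    ### SSL cert files ###
    ssl_certificate /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ### Limiting Ciphers ########################
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Intermediate configuration. tweak to your needs.
    # Stated explicitly rather than left commented out: without this line the
    # compiled-in default applies, which on releases before 1.9.1 still
    # includes SSLv3.
    ssl_protocols TLSv1.1 TLSv1.2;
    # The RC4 suites that were enabled by the original list
    # (ECDHE-ECDSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, ECDH-RSA-RC4-SHA) are dropped
    # and RC4 is excluded as a whole: RC4 is prohibited in TLS (RFC 7465).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!RC4:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;
    # ssl_ecdh_curve secp384r1;
    # ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    # Header value fixed: the original "nonsniff" is not a recognised value
    # and browsers ignore it; "nosniff" is the defined token.
    add_header X-Content-Type-Options nosniff;
    ##############################################
    ### We want full access to SSL via backend ###
    location / {
        # IP address of the proxied Tomcat. nginx does not verify the upstream
        # certificate by default (proxy_ssl_verify off); since Tomcat serves
        # the self-signed tomcatca.pem from section one, enabling verification
        # would need proxy_ssl_verify on plus proxy_ssl_trusted_certificate
        # pointing at that file - decide per deployment.
        proxy_pass https://192.168.100.2:8443;
        # root html;
        index index.html index.htm index.php;
        # proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
        # add_header Front-End-Https on;
        # proxy_redirect off;
    }
    # Closing brace of the server block was missing in the original listing.
}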
本文转自服务器运维博客51CTO博客,原文链接http://blog.51cto.com/shamereedwine/1790398如需转载请自行联系原作者