反向代理
在計(jì)算機(jī)世界里,由于單個(gè)服務(wù)器的處理客戶端(用戶)請(qǐng)求能力有一個(gè)極限,當(dāng)用戶的接入請(qǐng)求蜂擁而入時(shí),會(huì)造成服務(wù)器忙不過(guò)來(lái)的局面,可以使用多個(gè)服務(wù)器來(lái)共同分擔(dān)成千上萬(wàn)的用戶請(qǐng)求,這些服務(wù)器提供相同的服務(wù),對(duì)于用戶來(lái)說(shuō),根本感覺(jué)不到任何差別。
nginx做前端代理分發(fā),tomcat處理請(qǐng)求。nginx反代tomcat實(shí)現(xiàn)https有二個(gè)方法。
一、nginx配置https,tomcat也配置https
1、nginx配置https
upstream https_tomcat_web { server 127.0.0.1:8443; } server { listen 443; server_name www.test.com; index index.html; root /var/www/html/test; ssl on; ssl_certificate /etc/nginx/go.pem; ssl_certificate_key /etc/nginx/go.key; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1.2; # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_prefer_server_ciphers on; location ~ ^/admin { proxy_pass https://https_tomcat_web; //是https的 proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 100m; client_body_buffer_size 256k; proxy_connect_timeout 60; proxy_send_timeout 30; proxy_read_timeout 30; proxy_buffer_size 8k; proxy_buffers 8 64k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } 2、tomcat的https配置,配置文件server.xml
<Service name="Catalina"> <Connector port="8001" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <Connector port="8091" protocol="AJP/1.3" redirectPort="8443" /> //添加以下內(nèi)容 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="false" keystoreFile="cert/gotom.pfx" keystoreType="PKCS12" keystorePass="214261272770418" clientAuth="false" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" /> ..................省略.................... </Service>
配置好后重新啟動(dòng)nginx,tomcat,就可以https訪問(wèn)了,這也是我現(xiàn)在采用的配置方式 。
二、nginx采用https,tomcat采用http
1、nginx配置https
upstream https_tomcat_web { server 127.0.0.1:8001; } server { listen 443; server_name www.test.com; index index.html; root /var/www/html/test; ssl on; ssl_certificate /etc/nginx/go.pem; ssl_certificate_key /etc/nginx/go.key; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1.2; # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_prefer_server_ciphers on; location ~ ^/admin { proxy_pass http://https_tomcat_web; //是http的 proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 100m; client_body_buffer_size 256k; proxy_connect_timeout 60; proxy_send_timeout 30; proxy_read_timeout 30; proxy_buffer_size 8k; proxy_buffers 8 64k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } 2、tomcat的http配置,配置文件server.xml
<Service name="Catalina"> <Connector port="8001" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" /> //在這里重新定向到了443端口 <Connector port="8091" protocol="AJP/1.3" redirectPort="443" /> ..................省略.................... </Service>
重啟nginx,tomcat,https就配置好了。
不管是第一種方法,還是第二種方法,如果通過(guò)http,直接訪問(wèn)8001端口,瀏覽器都會(huì)提示你不安全的訪問(wèn),因?yàn)楸旧硎莌ttp,確被重定向到了https。
總結(jié)
以上就是這篇文章的全部?jī)?nèi)容了,希望本文的內(nèi)容對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,如果有疑問(wèn)大家可以留言交流,謝謝大家對(duì)VEVB武林網(wǎng)的支持。
新聞熱點(diǎn)
疑難解答
圖片精選
