用户通过https访问nginx,nginx和tomcat之间使用http交互。
User —(https)–> Nginx —(http)—> Tomcat —-> SpringMVC
从User 到Nginx的配置,参照centos下使用nginx搭建https服务器.
从Nginx到http过程如下:
前提
1
2
3
4
我们不希望为了增加https,而需要更改我们的应用程序。
SSL的默认端口是443,我们不打算更改我们的默认端口。
假设我们之前没有使用https访问的地址是:192.168.10.188:8080
我们希望给客户良好的体验。
方法一
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
server {
listen 8080;
server_name _;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/conf/server.crt;
ssl_certificate_key /etc/nginx/conf/server_nopwd.key;
location / {
index index.html index.htm;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_buffers 32 4k;
proxy_connect_timeout 3;
proxy_send_timeout 30;
proxy_read_timeout 30;
proxy_pass http://site;
}
}
方法二
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
server {
listen 8080;
listen 443 ssl; # ssl on要注解掉
server_name localhost;
if ($scheme != "https") {
rewrite ^ https://$host$request_uri? permanent;
}
#ssl on;
ssl_certificate /etc/nginx/conf/server.crt;
ssl_certificate_key /etc/nginx/conf/server_nopwd.key;
location / {
index index.html index.htm;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_buffers 32 4k;
proxy_connect_timeout 3;
proxy_send_timeout 30;
proxy_read_timeout 30;
proxy_pass http://site;
}
}