1.申请 ssl 证书
使用腾讯云的话,目前腾讯云可以免费申请一年的 TrustAsia DV SSL CA 证书。
可以在这里申请 https://console.qcloud.com/ssl
把申请到的证书放到服务器 nginx 配置目录
2.配置 tomcat
在 Engine 中加上配置
<Engine name="Catalina" defaultHost="localhost">
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto"
protocolHeaderHttpsValue="https"/>
加上了一个 Value 配置项。
3.配置 nginx
upstream qiushao {
server 127.0.0.1:8080;
}
server {
listen 80;
#http 重定向到https,强制走 https 协议
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
#https 相关配置
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl_key/1_qiushao.net_bundle.crt;
ssl_certificate_key /etc/nginx/ssl_key/2_qiushao.net.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
......
# 静态文件配置
location ~ .*\.(ico|gif|jpg|png|bmp|swf)$ {
expires 30d;
}
location ~ .*\.(js|css)?$ {
expires 1d;
}
location / {
#把一些参数传给后端 tomcat
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#websock 配置
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
#交给后端 tomcat处理
proxy_pass http://qiushao;
}
}
重新启动 tomcat, nginx 即可。