操作环境
操作系统:centos5.5前段静态内容处理:nginx后端JSP处理:tomcat 6一.Nginx + https + 免费SSL证书配置指南
生成证书
$ cd /usr/local/nginx/conf $ openssl genrsa -des3 -out server.key 1024 $ openssl req -new -key server.key -out server.csr $ cp server.key server.key.org $ openssl rsa -in server.key.org -out server.key $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
编辑 nginx.conf
server { server_name YOUR_DOMAINNAME_HERE; listen 443; ssl on; ssl_certificate /etc/nginx/conf/server.crt; ssl_certificate_key /etc/nginx/conf/server.key; }
OK, 完成了。但这样证书是不被信任的,要被信任还需要购买相关证书()
验证配置:
https://127.0.0.1
二.Tomcat SSL配置
1. 生成 server key :
以命令行方式切换到目录%TOMCAT_HOME%,在command命令行输入如下命令(jdk1.4以上带的工具):keytool -genkey -alias tomcat -keyalg RSA -keypass junguoguo.com -storepass junguoguo.com -keystore server.keystore -validity 3600
keypass 和 storepass 两个参数后面跟的是密码。
用户名输入域名,如localhost(开发或测试用)或hostname.domainname(用户拥有的域名),其它全部以 enter 跳过,最后确认,此时会在%TOMCAT_HOME%下生成server.keystore 文件。注:参数 -validity 指证书的有效期(天),缺省有效期很短,只有90天。
配置TOMCAT
修改%TOMCAT_HOME%confserver.xml,以文字编辑器打开,查找这一行:
将之后的那段的注释去掉,并加上 keystorePass及keystoreFile属性。
注意,tomcat不同版本配置是不同的:
Tomcat4.1.34配置:
1 2 3 4 5 6 7 | <Connector className=”org.apache.coyote.tomcat4.CoyoteConnector” port=” 8443 ″ enableLookups=” true ” scheme=”https” secure=” true ” acceptCount=” 100 ″ useURIValidationHack=” false ” disableUploadTimeout=” true ” clientAuth=” false ” sslProtocol=”TLS” keystoreFile=”server.keystore” keystorePass=”changeit”/> |
Tomcat5.5.9配置:
1 2 3 4 5 6 7 | < strong >< Connector port=”8443″ maxHttpHeaderSize=”8192″ maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″ enableLookups=”false” disableUploadTimeout=”true” acceptCount=”100″ scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” keystoreFile=”server.keystore” keystorePass=”changeit”/></ strong > |
Tomcat5.5.20配置(此配置同样可用于Tomcat6.0):
1 2 3 4 5 6 7 8 | < Connector protocol=”org.apache.coyote.http11.Http11Protocol” port=”8443″ maxHttpHeaderSize=”8192″ maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″ enableLookups=”false” disableUploadTimeout=”true” acceptCount=”100″ scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” keystoreFile=”server.keystore” keystorePass=”changeit”/> |
Tomcat6.0.10配置:
1 2 3 4 5 6 7 8 | < Connector protocol=”org.apache.coyote.http11.Http11NioProtocol” port=”8443″ minSpareThreads=”5″ maxSpareThreads=”75″ enableLookups=”true” disableUploadTimeout=”true” acceptCount=”100″ maxThreads=”200″ scheme=”https” secure=”true” SSLEnabled=”true” clientAuth=”false” sslProtocol=”TLS” keystoreFile=”D:/tools/apache-tomcat-6.0.10/server.keystore” keystorePass=”changeit”/> |
tomcat6支持3种,请参考以下文档:
验证配置 :访问
三。综合配置
前段静态内容处理:nginx 配置
http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; server_tokens off; gzip on; gzip_static on; gzip_comp_level 5; gzip_min_length 1024; keepalive_timeout 65; limit_zone myzone $binary_remote_addr 10m; # Load config files from the /etc/nginx/conf.d directory include /etc/nginx/conf.d/*.conf;server { listen 80; server_name localhost; location ~ .(htm|html|gif|jpg|jpeg|png|ico|rar|css|js|zip|txt|flv|swf|doc|ppt|xls|pdf)$ { index index.jsp index.html; root /home/tomcat/webapps; access_log off; expires 24h; }#nginx处理静态内容 location /{ proxy_pass http://127.0.0.1:8080; #提交给后端的tomcat处理 }}
验证配置: https://127.0.0.1