1、Nginx配置https
示例:
# Front-end (www) site: upstream pool used by the HTTPS server block below.
upstream front {
# Primary backend; takes all traffic while it is reachable.
server 39.104.73.18:9001;
# Standby backend; nginx hands traffic to a "backup" member only when the primary members are unavailable.
# NOTE(review): both members are public addresses and are reached over plain HTTP (proxy_pass http://front),
# so ports 9001/8077 should be reachable from this proxy only (firewall / security group) — confirm.
server 123.56.43.70:8077 backup;
}
server {
    listen 80;
    server_name www.mzjrj.com;
    # Permanent (301) redirect of every plain-HTTP request to the HTTPS host.
    # $request_uri already carries the original query string, which is why the
    # equivalent "rewrite ... permanent" form ends in "?" to stop nginx appending it twice.
    return 301 https://$server_name$request_uri;
}
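server {
    listen 443 ssl;
    server_name www.mzjrj.com;
    # Issued certificate. For nginx this file must contain the server certificate followed by
    # the intermediate chain, otherwise some clients cannot build a trust path.
    ssl_certificate /etc/ssl/star.mzjrj.com.crt;
    # Private key. Keep it readable by root only; nginx loads it before dropping privileges.
    ssl_certificate_key /etc/ssl/star.mzjrj.com.key;
    ssl_session_timeout 5m;
    # These lines are a security policy, not "fixed boilerplate": TLS 1.0 and 1.1 are deprecated
    # and were removed here, so only TLS 1.2 and 1.3 are negotiated.
    # TLSv1.3 requires nginx 1.13+ built against OpenSSL 1.1.1+; on older builds use "ssl_protocols TLSv1.2;".
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Once HTTPS is confirmed working for every host served under this certificate, consider
    # adding HSTS:  add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        # The hop to the upstream is plain HTTP (see "upstream front"); only the client-facing leg is TLS.
        # Forward the original host, scheme and client address so the backend can generate https://
        # URLs and log the real client. Without these the backend sees Host "front" and no scheme.
        # The backend must trust X-Forwarded-* only when they come from this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://front;
    }
}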
# Back-office (bm) site: upstream pool used by the HTTPS server block below.
upstream bm {
# Primary server address; takes all traffic while it is reachable.
server 39.104.73.18:9002;
# Standby server address; nginx uses a "backup" member only when the primary members are unavailable.
# NOTE(review): the back-office pool is reached over plain HTTP (proxy_pass http://bm) on public
# addresses; port 9002/8080 should accept connections from this proxy only — confirm.
server 123.56.43.70:8080 backup;
}
server {
    listen 80;
    # Public hostname of the back-office site.
    server_name bm.mzjrj.com;
    # 301 every plain-HTTP request to the same path on HTTPS. $request_uri includes the
    # query string, so nothing is appended (the "rewrite ... ? permanent" form needs the
    # trailing "?" to achieve the same; "return" does not).
    return 301 https://$server_name$request_uri;
}
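server {
    listen 443 ssl;
    server_name bm.mzjrj.com;
    # The issued HTTPS certificate (server certificate followed by the intermediate chain;
    # nginx expects the chain in the same file).
    ssl_certificate /etc/ssl/star.mzjrj.com.crt;
    # The private key for that certificate; readable by root only.
    ssl_certificate_key /etc/ssl/star.mzjrj.com.key;
    ssl_session_timeout 5m;
    # The next three lines are a TLS policy that needs revisiting over time, not a fixed recipe.
    # TLS 1.0 / 1.1 are deprecated and were removed; only TLS 1.2 and 1.3 are offered.
    # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+; on older builds use "ssl_protocols TLSv1.2;".
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Consider HSTS once every host on this certificate is reachable over HTTPS:
    #   add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        # Upstream hop is plain HTTP (see "upstream bm"); TLS terminates here.
        # Pass host, scheme and client address so the back-office app builds https:// links and
        # logs / rate-limits the real client; it must trust these headers only from this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://bm;
    }
}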
2、Tomcat配置https
配置完成之后, http 和 https 都可以访问 web 站点中的资源。如果想屏蔽掉 http 请求, 即让所有 http 请求都重定向到 https, 则需要做以下几点:
- 把 SSL 连接器的端口以及其他连接器的 redirectPort 都改成 443 (443 是 https 协议的默认端口, 就像 http 默认使用 80 一样; 用 https 访问时如果端口是 443, URL 中可以省略端口)
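<!-- AJP connector: only needed when a front web server proxies to Tomcat over AJP.
     Requests that require TLS on this connector are bounced to redirectPort.
     If nothing proxies over AJP, remove this connector; otherwise bind it to the
     proxy-facing interface only (e.g. address="127.0.0.1"). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
<!-- Plain HTTP listener. redirectPort is where the container sends requests that hit a
     CONFIDENTIAL/INTEGRAL security-constraint in web.xml. -->
<Connector port="80" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443" />
<!-- HTTPS listener. sslProtocol="TLS" only selects the SSLContext; sslEnabledProtocols
     restricts which versions are actually negotiated (TLS 1.0/1.1 are deprecated and are
     no longer offered). On Java 11+ this can be "TLSv1.2,TLSv1.3".
     keystoreFile/keystorePass are the example values from the walkthrough: the password is
     stored in plaintext in server.xml, so restrict the file's permissions (or supply it via a
     system-property placeholder) and keep the keystore outside user home directories. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2"
    keystoreFile="C:/Users/coffee/Desktop/coffee.keystore" keystorePass="coffee"/>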
参数说明:
keystoreFile:第一步创建的 keystore 文件的存放路径
keystorePass:创建 keystore(证书)时设置的密码
- web.xml 中需要增加以下 security-constraint 配置
<!-- Requires TLS for the whole application: a request for a matching URL that arrives over
     plain HTTP is redirected by the container to the connector's redirectPort (443 above). -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern><!-- whole site over SSL: <url-pattern>/*</url-pattern> -->
</web-resource-collection>
<user-data-constraint>
<description>SSL required</description>
<!-- CONFIDENTIAL: data between server and client must not be modified and must not be readable by a third party (in practice: HTTPS) -->
<!-- INTEGRAL: data between server and client must not be modified -->
<!-- NONE: the container must serve the data over any connection (HTTP or HTTPS, as chosen by the client) -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>