The internal system of my company needed to be switched to HTTPS; it runs on Nginx + Tomcat, and this article records the whole process. The system is written in JSP, and its pages build the URLs they submit data to by concatenating pieces such as () + "://" + () + ":" + (), so the final request URLs came out with the http:// scheme. To avoid touching that code, the final solution enables HTTPS on both Nginx and Tomcat and has Nginx forward to Tomcat's HTTPS connector, which worked.
1. Obtain a certificate
For an Internet-facing application, obtain a certificate from a public CA; the self-signed certificate generated below is only acceptable inside the LAN, and even there browsers will warn unless it is installed in each client's trust store.
Here is how to generate a private certificate for the LAN (run on Linux):
1. Create the server private key:
```
openssl genrsa -des3 -out 1024
```
Enter a passphrase twice; choose it yourself, but remember it, it is needed in the following steps. Use at least 2048 bits: 1024-bit RSA keys are rejected by current browsers and TLS libraries.
2. Create the certificate signing request (CSR) for the server key:
```
openssl req -new -key -out
```
The prompts, and what to enter:
```
Enter pass phrase for :                                    <- the passphrase from step 1
Country Name (2 letter code) [AU]:CN                       <- two-letter country code, CN for China
State or Province Name (full name) [Some-State]:HeNan      <- province, full name in pinyin
Locality Name (eg, city) []:ZhengZhou                      <- city, full name in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany   <- company name in English
Organizational Unit Name (eg, section) []:                 <- may be left empty
Common Name (eg, YOUR name) []:                            <- the hostname (or IP) clients will use to reach the server
Email Address []:admin@                                    <- any address
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:                                   <- leave empty
An optional company name []:                               <- leave empty
```
Do not leave Common Name empty, as some guides suggest: browsers compare the hostname in the URL with the certificate, and a certificate that names neither the host in Common Name nor, for current browsers, in a subjectAltName entry is refused outright. The interactive prompts cannot add a subjectAltName; pass it with -addext (OpenSSL 1.1.1 and later) or an extension file.
3. Back up the key file:
```
cp
```
4. Remove the passphrase from the key so that Nginx and Tomcat can start without prompting (the resulting file must be readable only by the user the servers run as):
```
openssl rsa -in -out
```
5. Generate the self-signed certificate (the public part, which is sent to browsers), valid for 365 days:
```
openssl x509 -req -days 365 -in -signkey -out
```
6. The two files to keep are the passphrase-free key from step 4 and the certificate from step 5; they are referenced in the Nginx and Tomcat configuration below.
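The five openssl steps above, collapsed into one function together with the checks worth running before the files are copied into the servers' ssl directories. This is an added example, not part of the original article: the output file names (server.key.enc, server.key, server.crt), the hostname passed by the caller and the passphrase are assumptions, the subject fields are the ones the article uses, and the key size is raised to 2048 bits. The self-signed certificate is produced directly with `req -x509` instead of a separate CSR so that the subjectAltName from -addext ends up in the certificate.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumed file names:
# server.key.enc (passphrase-protected key), server.key (plain key), server.crt.
set -eu

# Generate a passphrase-protected 2048-bit key, a passphrase-free copy of it,
# and a one-year self-signed certificate whose CN and SAN both carry the hostname.
# $1 = hostname clients will use, $2 = output directory, $3 = key passphrase
make_selfsigned_cert() {
    host="$1"; out="$2"; pass="$3"
    mkdir -p "$out"
    # step 1: encrypted key. 2048 bits; 1024 is rejected by modern clients.
    openssl genrsa -des3 -passout "pass:$pass" -out "$out/server.key.enc" 2048 2>/dev/null
    # step 4: strip the passphrase so nginx and Tomcat can start unattended;
    # from here on file permissions are the only thing protecting the key.
    openssl rsa -passin "pass:$pass" -in "$out/server.key.enc" -out "$out/server.key" 2>/dev/null
    chmod 600 "$out/server.key" "$out/server.key.enc"
    # steps 2 and 5 in one: a self-signed certificate straight from the key.
    # Browsers match the URL hostname against subjectAltName, not CN, so set both.
    openssl req -new -x509 -key "$out/server.key" -out "$out/server.crt" -days 365 \
        -subj "/C=CN/ST=HeNan/L=ZhengZhou/O=MyCompany/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# The certificate's public key must be the one in the private key file;
# otherwise the mismatch only shows up as an nginx/Tomcat startup failure.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Is the hostname present as a DNS subjectAltName (what browsers actually check)?
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# RSA modulus size of the certificate's key, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage:
#   make_selfsigned_cert intranet.example.internal ./ssl 'changeit'
#   cert_matches_key ./ssl/server.crt ./ssl/server.key && cert_has_san ./ssl/server.crt intranet.example.internal
```

The three check functions return a non-zero status on failure, so they can gate a deployment script. Once the files pass, the passphrase-free server.key and server.crt are what the ssl_certificate_key / ssl_certificate directives in Nginx and the certificateKeyFile / certificateFile attributes in Tomcat point at.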
2. Configure Nginx
Modify the configuration file under conf/ and change the listen part of the server block. Nothing below sets ssl_protocols or ssl_ciphers, so nginx's defaults for the installed version apply; a production deployment should pin them (TLS 1.2 or later) explicitly.
```
server {
    # listen 80;
    # Listen on 443 instead of the default 80. The "ssl" parameter on the listen
    # line enables TLS for this socket ("default" is the old spelling of default_server).
    listen 443 ssl default_server;
    # "ssl on;" makes every listen socket of this server TLS-only; it is deprecated
    # since nginx 1.15.0. Leave it out and keep "ssl" on the listen line instead: the
    # same server block can then also carry a plain "listen 80;" so that both http
    # and https links work.
    # ssl on;
    # Certificate (public key, sent to the client)
    ssl_certificate ssl/;
    # Private key (the passphrase-free one; readable only by the user nginx runs as)
    ssl_certificate_key ssl/;
```
Modify the reverse-proxy part:
```
    location / {
        # Tomcat's own HTTPS connector (section 3). Because the backend already
        # speaks https, its Location headers need no rewriting: proxy_redirect off.
        proxy_pass https://127.0.0.1:8443;
        proxy_redirect off;
        # Keep the port: $host alone drops it (see problem 2 in section 4)
        proxy_set_header Host $host:$server_port;
        proxy_set_header Remote_Addr $remote_addr;
        proxy_set_header X-REAL-IP $remote_addr;
        # Appends the client address to any incoming X-Forwarded-For; the backend
        # must trust this header only when the request comes from this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Makes the browser fetch http:// subresources and submit same-host forms
        # over https, which rescues the http:// URLs the JSP pages build.
        add_header Content-Security-Policy upgrade-insecure-requests;
        index ;
    }
```
Redirect plain-http requests that arrive on the https port to https (this goes in the server block). Use $request_uri rather than $uri so that the query string survives the redirect:
```
    error_page 497 https://$host:$server_port$request_uri;
```
3. Configure Tomcat and enable HTTPS
Modify the file under conf/, enable the HTTPS connector section, point it at the certificate, and copy the key and certificate files into Tomcat's ssl directory.
```
<Connector port="8443" protocol=".http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https">
    <SSLHostConfig>
        <!-- certificateKeyFile must be the passphrase-free key from step 4;
             for an encrypted key add certificateKeyPassword="..." -->
        <Certificate certificateFile="ssl/" certificateKeyFile="ssl/" type="RSA" />
    </SSLHostConfig>
</Connector>
```
This SSLHostConfig form is the Tomcat 8.5+ syntax. One thing to be aware of: when nginx proxies to https://, it does not verify the backend certificate by default (proxy_ssl_verify is off). That is acceptable for 127.0.0.1, but if Tomcat runs on another host, turn on proxy_ssl_verify and point proxy_ssl_trusted_certificate at Tomcat's certificate; otherwise the TLS hop between the two gives no protection against a spoofed backend.
4. Solving the remaining problems
1. Redirect http requests that arrive on the https port to https
In the server block, add the error_page handling for status 497:
```
    error_page 497 https://$host:$server_port$request_uri;
```
How it works: when a server block only accepts https, a plain-http request to that port produces nginx's internal status 497, and error_page turns it into a redirect (302 by default; `=301` after the code makes it permanent) to the same URL with the https scheme. Two caveats: use $request_uri rather than $uri, otherwise the query string is lost in the redirect; and $host is taken from the client's Host header, so on a catch-all server block the client chooses the redirect target. If that matters, restrict server_name or redirect to $server_name instead.
Nginx's own definition of 497 (it is not an IANA-registered status code and is never sent to the client as-is: without an error_page entry the client receives a 400 "The plain HTTP request was sent to HTTPS port"):
497 - the plain HTTP request was sent to the HTTPS port
2. Port number lost during redirects
Many configurations found online set the Host header to $host. $host never contains the port (see the variable table), so when Tomcat builds absolute URLs from it the port is lost. Use $host:$server_port or $http_host instead:
```
    proxy_set_header Host $host:$server_port;
    # or, equivalently, the Host header exactly as the client sent it; $http_host is an
    # instance of $http_HEADER, which yields the value of the named request header
    proxy_set_header Host $http_host;
```
Either line works. Note that $http_host is client-supplied data: passing it through to Tomcat is fine, but it should not be trusted for anything beyond that.
3. () in JSP returns http instead of https
The only fix found for this is to enable HTTPS on Tomcat as well and have nginx forward to that HTTPS connector: the JSP code then sees a real TLS connection and builds https URLs. The usual alternative is Tomcat's RemoteIpValve with protocolHeader="X-Forwarded-Proto", which makes Tomcat report the scheme nginx sends in X-Forwarded-Proto without a TLS hop between the two; it must be configured to trust that header only from the proxy's address.
Appendix: nginx variables used above
Variable name | definition |
---|---|
$arg_PARAMETER | Value of the query-string parameter PARAMETER. |
$args | The query string of the request, e.g. foo=123&bar=blahblah; it can be changed with set. |
$binary_remote_addr | Client address in binary form. |
$body_bytes_sent | Number of response body bytes sent to the client. |
$content_length | Content-Length field of the request header. |
$content_type | Content-Type field of the request header. |
$cookie_COOKIE | Value of the cookie named COOKIE. |
$document_root | Value of the root directive for the current request. |
$document_uri | Same as $uri. |
$host | The Host header of the request; if it is absent or empty, the name of the server handling the request (its server_name). Lowercase, without the port. |
$hostname | The machine's host name, as returned by gethostname(). |
$http_HEADER | Value of the request header HEADER, with the name lowercased and dashes replaced by underscores; for example $http_user_agent is the User-Agent value. |
$sent_http_HEADER | Value of the response header HEADER, same naming rule; for example $sent_http_cache_control, $sent_http_content_type. |
$is_args | "?" if $args is non-empty, otherwise "". |
$limit_rate | Can be set to limit the response rate of the connection. |
$nginx_version | The running nginx version. |
$query_string | Same as $args. |
$remote_addr | Client IP address. |
$remote_port | Client port. |
$remote_user | User name supplied with HTTP Basic authentication (auth_basic module). |
$request_filename | File path of the current request, built from the root or alias directive and the request URI. |
$request_body | The request body (0.7.58+); meaningful in locations that use proxy_pass, fastcgi_pass or similar. |
$request_body_file | Name of the temporary file holding the request body. |
$request_completion | "OK" if the request completed; empty if it did not, or if this is not the last part of a series of requests. |
$request_method | The request method, usually GET or POST. In 0.8.20 and earlier this is always the main request's method, even inside a subrequest. |
$request_uri | The full original request URI including the query string, exactly as the client sent it; it cannot be modified (change $uri, or use rewrite). |
$scheme | The request scheme, http or https; e.g. rewrite ^(.+)$ $scheme://$1 redirect; |
$server_addr | Address of the server that accepted the request; computing it requires a system call unless listen specifies an address together with the bind parameter. |
$server_name | Name of the server handling the request. |
$server_port | Port on which the request was received. |
$server_protocol | Protocol of the request, usually HTTP/1.0 or HTTP/1.1. |
$uri | Current (normalized) URI of the request, without the query string (which is in $args) and possibly different from what the client sent ($request_uri), since it changes through internal redirects and the index directive. Contains no scheme or host, e.g. /foo/ |