use*_*051 11 ssl tomcat nginx tomcat7
在server.xml中使用nginx管理SSL的正确配置是什么?我的当前配置导致"重定向循环",除非我将tomcat标准连接标记为"安全",这不是我想要的.我的应用程序需要所有请求的https,如果使用http,则重定向到https.如果我设置secure ="true",它不再重定向,但"重定向循环"消失了.我究竟做错了什么?
我当前的tomcat server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" proxyPort="443"/>
Nginx conf:
server {
listen 80 default_server;
server_name localhost, mydomain.com;
location / {
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://localhost:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_send_timeout 6000;
}
}
server {
server_name localhost, mydomain.com;
listen 443;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
#make sure you already have this certificate pair!
ssl_certificate /etc/nginx/cert/server.crt;
ssl_certificate_key /etc/nginx/cert/server.key;
ssl_session_cache shared:SSL:10m;
error_page 497 https://$host:$server_port$request_uri;
# Our endpoint for tomcat reverse-proxy, assuming your endpoint java-servlet knows
# how to handle http://localhost/gadgets requests
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
# note, there is not SSL here! plain HTTP is used
proxy_pass http://localhost:8080/;
}
}
Jos*_*ust 12
我做的更改,以便Tomcat/Spring将设置正确的安全cookie标记:
确保Tomcat在server.xml以下位置运行SSL(443)重定向端口:
<Service name="Catalina">
...
<Connector executor="tomcatThreadPool"
port="9090" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
...
</Service>
确保您RemoteIpValve在主机内设置server.xml:
<Service name="Catalina">
...
<Engine name="Catalina" defaultHost="localhost">
...
<Host name="localhost" appBase="webapps"
unpackWARs="true" deployOnStartup="true" autoDeploy="true">
...
<!-- Mark HTTP as HTTPS forward from SSL termination at nginx proxy -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>
</Host>
</Engine>
</Service>
确保协议从其终止点转发nginx.conf:
# Tomcat we're forwarding to
upstream tomcat_server {
server 127.0.0.1:9090 fail_timeout=0;
}
# Main server proxy
server {
listen 443 ssl;
server_name sample.com;
# HTTPS setup
ssl on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
#ssl cyphers
...
#ssl certs
...
location / {
# Forward SSL so that Tomcat knows what to do
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://tomcat_server;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
# Show error pages from S3 when down
proxy_next_upstream error timeout http_502 http_503 http_504;
error_page 502 503 504 https://s3.amazonaws.com/sample.com/maint;
}
我的大多数代理/ SSL nginx conf都包含在上面,以保证完整性.希望能帮助别人.
需要在Tomcat中处理x-forwarded-by和x-forwarded-proto标头.将以下内容添加到server.xml:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>
| 归档时间: |
|
| 查看次数: |
19336 次 |
| 最近记录: |