nginx 前端https +tomcat 后端 http 非80、443端口反向代理的配置方式

前端nginx https +tomcat http 非80端口配置方式

Nginx增加以下配置

proxy_set_header Host host:host:server_port; 非80端口 ，用80端口时 不需要$server_port

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;        //主要加这个协议

Tomcat server.xml配置

<Engine name="Catalina" defaultHost="localhost">

位置： <Host ....中  />

<!-- 方法一： -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />

<!-- 方法二： -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"  httpsServerPort="7001"/> 非80端口时，必须增加httpsServerPort配置，不然request.getServerPort()方法返回 443.
</Engine>

例如：

upstream backend {
        hash $remote_addr consistent;
        server 192.168.1.41:4444 max_fails=3 fail_timeout=10s;
        server 192.168.1.41:5555 max_fails=3 fail_timeout=10s;
} 



server {
       listen 80;
       listen 443 ssl http2;
       server_name 304350.com;

        #HTTP_TO_HTTPS_END
        ssl_certificate    /ssl/fullchain.pem;
        ssl_certificate_key    /ssl/privkey.pem;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        add_header Strict-Transport-Security "max-age=31536000";
        error_page 497  https://$host$request_uri;
        #SSL-END


       location / {
           proxy_pass http://backend;
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       }
       
        # 防止静态资源找不到
       location ~ .* {
           proxy_pass http://backend;
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       }

       location ~ .*\.(gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ {
            expires      12h;
        }

       location ~ .*\.war$ {
              return 404;
          }


      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
          expires      30d;
          error_log off;
          access_log /dev/null;
      }
      
      location ~ .*\.(js|css)?$ {
          expires      12h;
          error_log off;
          access_log /dev/null; 
      }
}

tomcat

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
            <!-- 添加这行
                <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />
            -->
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
               <!-- path是访问路径， docBase是项目实际路径-->
          <Context crossContext="true" path="/"  docBase="./xxxx" reloadable="true" />
      </Host>

PreviousTomcat NextTomcat 8.x基于Redis Session会话保持

Last updated 3 years ago

proxy_set_header Host host:host:server_port; 非80端口，用80端口时不需要$server_port proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; //主要加这个协议

<Engine name="Catalina" defaultHost="localhost"> 位置： <Host ....中 />  <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeaderHttpsValue="https" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />  <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" httpsServerPort="7001"/> 非80端口时，必须增加httpsServerPort配置，不然request.getServerPort()方法返回 443. </Engine>

upstream backend { hash $remote_addr consistent; server 192.168.1.41:4444 max_fails=3 fail_timeout=10s; server 192.168.1.41:5555 max_fails=3 fail_timeout=10s; } server { listen 80; listen 443 ssl http2; server_name 304350.com; #HTTP_TO_HTTPS_END ssl_certificate /ssl/fullchain.pem; ssl_certificate_key /ssl/privkey.pem; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; add_header Strict-Transport-Security "max-age=31536000"; error_page 497 https://$host$request_uri; #SSL-END location / { proxy_pass http://backend; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # 防止静态资源找不到 location ~ .* { proxy_pass http://backend; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location ~ .*\.(gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ { expires 12h; } location ~ .*\.war$ { return 404; } location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ { expires 30d; error_log off; access_log /dev/null; } location ~ .*\.(js|css)?$ { expires 12h; error_log off; access_log /dev/null; } }