Nginx+Tomcat實現https安全鏈接
什么是HTTPS?
HTTPS(全稱:Hypertext Transfer Protocol over Secure Socket Layer),是以安全為目標的HTTP通道,簡單講是HTTP的安全版。即HTTP下加入SSL層,HTTPS的安全基礎是SSL,因此加密的詳細內容 就需要SSL。 它是一個URI scheme(抽象標識符體系),句法類同http:體系。用于安全的HTTP數據傳輸。https:URL表明它使用了HTTP,但HTTPS存在不同 于HTTP的默認端口及一個加密/身份驗證層(在HTTP與TCP之間)。這個系統的最初研發由網景公司進行,提供了身份驗證與加密通訊方法,現在它被廣 泛用于萬維網上安全敏感的通訊,例如交易支付方面。
更多內容:http://baike.baidu.com/view/14121.htm
操作環境
操作系統:centos5.5
前段靜態內容處理:nginx
后端JSP處理:tomcat 6
一.Nginx + https + 免費SSL證書配置指南
生成證書
$ cd /usr/local/nginx/conf
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
編輯 nginx.conf
server {
server_name YOUR_DOMAINNAME_HERE;
listen 443;
ssl on;
ssl_certificate /etc/nginx/conf/server.crt;
ssl_certificate_key /etc/nginx/conf/server.key;
}
OK, 完成了。但這樣證書是不被信任的,要被信任還需要購買相關證書(http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979)
驗證配置:
https://127.0.0.1
二.Tomcat SSL配置
1. 生成 server key :
以命令行方式切換到目錄%TOMCAT_HOME%,在command命令行輸入如下命令(jdk1.4以上帶的工具):
keytool -genkey -alias tomcat -keyalg RSA -keypass junguoguo.com -storepass junguoguo.com -keystore server.keystore -validity 3600
keypass 和 storepass 兩個參數后面跟的是密碼。
用戶名輸入域名,如localhost(開發或測試用)或hostname.domainname(用戶擁有的域名),其它全部以 enter 跳過,最后確認,此時會在%TOMCAT_HOME%下生成server.keystore 文件。
注:參數 -validity 指證書的有效期(天),缺省有效期很短,只有90天。
配置TOMCAT
Tomcat4.1.34配置:
<Connector className=”org.apache.coyote.tomcat4.CoyoteConnector”
port=”8443″ enableLookups=”true” scheme=”https” secure=”true”
acceptCount=”100″
useURIValidationHack=”false” disableUploadTimeout=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”server.keystore”
keystorePass=”changeit”/>Tomcat5.5.9配置:
<Connector port=”8443″ maxHttpHeaderSize=”8192″
maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
enableLookups=”false” disableUploadTimeout=”true”
acceptCount=”100″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”server.keystore”
keystorePass=”changeit”/>
Tomcat5.5.20配置(此配置同樣可用于Tomcat6.0):
<Connector protocol=”org.apache.coyote.http11.Http11Protocol”
port=”8443″ maxHttpHeaderSize=”8192″
maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
enableLookups=”false” disableUploadTimeout=”true”
acceptCount=”100″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”server.keystore”
keystorePass=”changeit”/>Tomcat6.0.10配置:
<Connector protocol=”org.apache.coyote.http11.Http11NioProtocol”
port=”8443″ minSpareThreads=”5″ maxSpareThreads=”75″
enableLookups=”true” disableUploadTimeout=”true”
acceptCount=”100″ maxThreads=”200″
scheme=”https” secure=”true” SSLEnabled=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”D:/tools/apache-tomcat-6.0.10/server.keystore”
keystorePass=”changeit”/>tomcat6支持3種,請參考以下文檔:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
驗證配置 :訪問 https://127.0.1.1:8443/
三。綜合配置
前段靜態內容處理:nginx 配置
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
gzip on;
gzip_static on;
gzip_comp_level 5;
gzip_min_length 1024;
keepalive_timeout 65;
limit_zone myzone $binary_remote_addr 10m;
# Load config files from the /etc/nginx/conf.d directory
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name localhost;
location ~ .(htm|html|gif|jpg|jpeg|png|ico|rar|css|js|zip|txt|flv|swf|doc|ppt|xls|pdf)$ {
index index.jsp index.html;
root /home/tomcat/webapps;
access_log off;
expires 24h;
}#nginx處理靜態內容 location /{
proxy_pass http://127.0.0.1:8080; #提交給后端的tomcat處理 }
}驗證配置: https://127.0.0.1