Upgrade to HTTPS for communication

Preface


Address for obtaining an SSL certificate

Method 1

Configure Tomcat 8.5 to use HTTPS


    <!-- First change: the HTTP connector's redirectPort, 8443 by default, becomes 443 -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- Uncomment this connector in server.xml and change Tomcat's default HTTPS port from 8443 to 443.
         On 8443 the site can only be reached with the port number appended to the domain name;
         443 is the default HTTPS port, so the domain name alone works.
         The keystore is the PKCS12 (.pfx) file issued with the certificate; keep it readable only by the
         Tomcat user. To stop offering the deprecated TLSv1 and TLSv1.1, add protocols="TLSv1.2" to SSLHostConfig. -->
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/usr/local/tomcat/cert/{certificate-domain}.pfx"
                         certificateKeystorePassword="{certificate password}"
                         certificateKeystoreType="PKCS12" />
        </SSLHostConfig>
    </Connector>

    <!-- Uncomment this connector in server.xml and change its redirectPort to 443 as well.
         Note that redirectPort only applies to requests that a security-constraint in web.xml
         (transport-guarantee CONFIDENTIAL) requires to be secure; on its own it does not force HTTPS.
         Leave the AJP connector commented out unless a front-end proxy actually speaks AJP to Tomcat:
         from 8.5.51 on it binds to 127.0.0.1 by default and requires a shared secret. -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
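The connector above loads a PKCS12 keystore, whereas the nginx sections below work with a separate .pem certificate and .key file. The following is an added example, not code from the original post, that builds such a keystore from a PEM certificate and key with the openssl command line and checks that it opens with the configured password. The self-signed certificate, the file names under a temporary directory, and the password changeit are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: build the PKCS12 keystore that the
# Tomcat <Certificate certificateKeystoreType="PKCS12"> above loads, from a PEM
# certificate and private key, then verify it opens with the configured password.
# The self-signed certificate, file names and password are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_demo_pem: constructed self-signed certificate + key standing in for the
# CA-issued pair (the .pem/.key files the nginx sections use).
make_demo_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$WORK/site.key" -out "$WORK/site.pem" >/dev/null 2>&1
}

# build_keystore CERT KEY OUT PASSWORD [CHAIN]: packs certificate, key and the
# optional issuer chain into one PKCS12 file under the alias "tomcat". The password
# is handed over through the environment so it never shows up in `ps` output.
build_keystore() {
    KS_PASS="$4"; export KS_PASS
    if [ -n "$5" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -name tomcat \
            -out "$3" -passout env:KS_PASS
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
            -out "$3" -passout env:KS_PASS
    fi
    chmod 600 "$3"    # the keystore contains the private key: owner-readable only
}

# keystore_subject FILE PASSWORD: prints the subject of the leaf certificate inside
# the keystore, i.e. what Tomcat will present. Fails (non-zero) when the password is
# wrong or the file is not a PKCS12 keystore, which is the check worth scripting.
keystore_subject() {
    KS_PASS="$2"; export KS_PASS
    openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# demo run
make_demo_pem
build_keystore "$WORK/site.pem" "$WORK/site.key" "$WORK/site.pfx" changeit
keystore_subject "$WORK/site.pfx" changeit
```

With a CA-issued certificate, pass the intermediate chain as the optional fifth argument so that Tomcat serves the full chain. If an older JDK refuses the resulting file, the usual cause is the PBES2/AES encryption OpenSSL 3 uses for PKCS12 by default; re-running the export with openssl's -legacy option produces a file such JDKs accept.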

Configure Nginx to use HTTPS


    server {
        listen       80;                 # HTTP default port
        listen       443 ssl;            # HTTPS default port
        server_name  www.yourdomain.xyz; # IP address or domain name to serve
        # with both listeners in one server block, the site stays reachable over plain HTTP
        # on port 80 with no redirect; Method 2 below adds the redirect

        ssl_certificate      /usr/local/nginx/cert/3631326_www.yourdomain.pem;     # certificate (CRT) file
        ssl_certificate_key  /usr/local/nginx/cert/3631326_www.yourdomain.xyz.key; # private key file
        ssl_session_timeout  5m;
        ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 and later
        ssl_prefer_server_ciphers on;

        # access log, error log
        access_log /usr/local/nginx/logs/access.log;
        error_log  /usr/local/nginx/logs/error.log;

        location / {
            proxy_pass http://xxxx:8080;  # xxxx: your own IP address
        }

        # intercept static resources
        location ~ .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|js|css)$ {
            # where nginx finds the static resources
            root /usr/local/tomcat/apache-tomcat-8.5.51/webapps/ROOT;
            expires 2d;  # client cache time: 2 days
            proxy_redirect off;
            proxy_set_header Host $host;
            add_header wall "hey! I am zcc";
        }
    }

Pitfalls


Method 2

Configure Nginx

    # load-balancing configuration
    # Tomcat on 8080/8081 stays reachable over plain HTTP at this public address, so HTTPS can be
    # bypassed unless those ports are firewalled or Tomcat is bound to 127.0.0.1
    upstream linuxTom {
        ip_hash;
        server 101.37.171.85:8080;
        server 101.37.171.85:8081;
    }

    # redirect HTTP requests to HTTPS
    server {
        listen 80;
        server_name www.zengcc.xyz;
        rewrite ^(.*)$ https://www.zengcc.xyz$1 permanent;
    }

    # HTTPS settings
    server {
        listen 443 ssl;              # HTTPS default port
        server_name www.zengcc.xyz;  # IP address or domain name to serve

        ssl_certificate     /usr/local/nginx/cert/3631326_www.zengcc.xyz.pem;  # certificate (CRT) file
        ssl_certificate_key /usr/local/nginx/cert/3631326_www.zengcc.xyz.key;  # private key file
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 and later
        ssl_prefer_server_ciphers on;

        # force the www host name (better for SEO)
        if ($host != 'www.zengcc.xyz') {
            rewrite ^(.*)$ https://www.zengcc.xyz$1 permanent;
        }

        # access log, error log
        access_log /usr/local/nginx/logs/access.log;
        error_log  /usr/local/nginx/logs/error.log;

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host "www.zengcc.xyz";
            # tell Tomcat that the original request was HTTPS; otherwise it treats it as plain
            # HTTP, for example when it builds redirect URLs
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout 240;
            proxy_send_timeout    240;
            proxy_read_timeout    240;

            proxy_pass http://linuxTom;
        }

        # intercept static resources
        location ~ .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|js|css)$ {
            # where nginx finds the static resources
            root /usr/local/tomcat/apache-tomcat-8.5.51/webapps/ROOT;
            expires 2d;  # client cache time: 2 days
            proxy_redirect off;
            proxy_set_header Host $host;
            add_header wall "hey! I am zcc";
        }
    }
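The server block above still enables TLSv1 and TLSv1.1, uses a cipher list whose ECDH, AES and HIGH entries admit suites without forward secrecy, and sends no HSTS header; the Method 1 block additionally serves plain HTTP on port 80 without any redirect. The following is an added example, not from the original post: a small audit that greps a server block for exactly those four points (so it needs no nginx binary) and, as the corrected form, a hardened server block. Both sample configurations are constructed for the demo and reuse the post's host name, certificate paths and upstream name; the hardened block's TLSv1.3 and http2 entries assume nginx 1.9.5 or later built against OpenSSL 1.1.1 or later (with the OpenSSL 1.0.2 built later in this post, only TLSv1.2 of the two takes effect).

```shell
#!/bin/sh
# Added example, not code from the original post: audit an nginx TLS server block by
# grepping the configuration text. The two configs below are constructed for the demo:
# WEAK copies the post's settings, HARDENED is the corrected form.

# check_tls_config FILE: prints one finding per line (nothing when clean)
check_tls_config() {
    cfg=$(sed 's/#.*$//' "$1")                        # ignore commented-out directives
    # 1. protocol versions: TLSv1/TLSv1.1 are deprecated (RFC 8996); with no ssl_protocols
    #    line the build's default applies, which on older builds still includes them
    protos=$(printf '%s\n' "$cfg" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set; build default may include TLSv1/TLSv1.1"
    elif printf '%s\n' "$protos" | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'; then
        echo "ssl_protocols enables TLSv1/TLSv1.1"
    fi
    # 2. cipher list: any positive token that is not an (EC)DHE selection admits RSA or
    #    static-ECDH key exchange (no forward secrecy) and, via AES/HIGH, CBC suites
    ciphers=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' | tr -d '"' | head -n 1)
    for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$tok" in
            !*|-*|+*|@*|ECDHE|ECDHE-*|DHE|DHE-*|TLS_*) ;;
            *) echo "ssl_ciphers admits '$tok': no forward-secrecy guarantee"; break ;;
        esac
    done
    # 3. HSTS: without it a user's first plain-HTTP request can be intercepted before the redirect
    printf '%s\n' "$cfg" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security' \
        || echo "no Strict-Transport-Security header"
    # 4. a port-80 listener with no redirect keeps serving the application in clear text
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*listen[[:space:]]+(\*:)?80([[:space:];]|$)' \
       && ! printf '%s\n' "$cfg" | grep -Eq '(return[[:space:]]+30[12][[:space:]]+|rewrite[[:space:]].*[[:space:]])https://'; then
        echo "port 80 served without redirect to https"
    fi
}

# tls_finding_count FILE: number of findings, usable as a CI gate
tls_finding_count() { check_tls_config "$1" | grep -c .; }

DIR=$(mktemp -d); WEAK="$DIR/weak.conf"; HARDENED="$DIR/hardened.conf"

cat >"$WEAK" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name www.zengcc.xyz;
    ssl_certificate     /usr/local/nginx/cert/3631326_www.zengcc.xyz.pem;
    ssl_certificate_key /usr/local/nginx/cert/3631326_www.zengcc.xyz.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://linuxTom; }
}
EOF

cat >"$HARDENED" <<'EOF'
server {                                 # plain HTTP only redirects, for every host name
    listen 80 default_server;
    server_name _;
    return 301 https://www.zengcc.xyz$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.zengcc.xyz;
    ssl_certificate     /usr/local/nginx/cert/3631326_www.zengcc.xyz.pem;
    ssl_certificate_key /usr/local/nginx/cert/3631326_www.zengcc.xyz.key;
    ssl_protocols TLSv1.2 TLSv1.3;       # TLSv1.3 needs OpenSSL 1.1.1+; with 1.0.2 only TLSv1.2 applies
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # enable HSTS only once every subresource loads over HTTPS: browsers cache it for max-age
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://linuxTom;
    }
}
EOF

check_tls_config "$WEAK"      # four findings
check_tls_config "$HARDENED"  # nothing
```

The hardened block replaces the rewrite-inside-if construct with a catch-all port-80 server and return 301, which also covers the non-www host names the post redirects by hand, and passes $scheme rather than a literal so the header stays correct if the block is ever reused for a plain-HTTP listener.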

Configure Tomcat

    <!-- First change: redirectPort from 8443 to 443, the default HTTPS port -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- Second change: a RemoteIpValve, so that Tomcat takes the client address and the scheme
         from the headers nginx sets. The valve only honours these headers when the connection
         arrives from an address matching its internalProxies pattern, which by default covers
         loopback, link-local and the private ranges; if nginx reaches Tomcat through the public
         IP used in the upstream above, add that address to internalProxies, otherwise the headers
         are silently ignored. Do not widen internalProxies beyond your own proxies: anyone able
         to connect to port 8080 directly could otherwise spoof their client IP and scheme. When
         nginx runs on the same host, also add address="127.0.0.1" to the 8080 connector and point
         the upstream at 127.0.0.1 so that HTTPS cannot be bypassed. -->
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />
    </Host>

Pitfalls

2: I tried changing the nginx proxy, proxy_pass http://linuxTom, to https://linuxTom, thinking that anyone accessing my domain name would then go straight to HTTPS instead of HTTP. After that, however, I got a 502 error and tried every method I found online. I changed it back to HTTP and redirected it to HTTPS.

Upgrading to HTTP/2

Preface


Upgrade the OpenSSL version

    # download and unpack OpenSSL 1.0.2j
    # (--no-check-certificate skips TLS verification of the download, so check the tarball against
    # the SHA-256 or PGP signature published on openssl.org before building; note also that the
    # 1.0.2 series has been end-of-life since the end of 2019)
    cd /usr/local
    wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.2j.tar.gz
    tar -zxvf openssl-1.0.2j.tar.gz
    cd openssl-1.0.2j
    # install into /usr/local/openssl
    ./config shared zlib --prefix=/usr/local/openssl && make && make install
    # run the following after the installation
    ./config -t
    make depend
    # enter the /usr/local directory and run the following (how ln works: https://www.cnblogs.com/peida/archive/2012/12/11/2812294.html)
    cd /usr/local
    ln -s openssl ssl
    # add /usr/local/openssl/lib to the end of /etc/ld.so.conf
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    # refresh the dynamic linker cache
    ldconfig
    # add the OPENSSL environment variable on the last line of /etc/profile
    export OPENSSL=/usr/local/openssl/bin
    export PATH=$OPENSSL:$PATH:$HOME/bin

Log out and log back in, then check the OpenSSL version (openssl version); it should now report the newly installed release.

Upgrade the Nginx version

    # print the compile parameters of the current nginx, to reuse them below
    cd /usr/local/nginx/sbin
    ./nginx -V
    # stop nginx
    ./nginx -s quit
    mv nginx nginx.old
    # download nginx 1.9.7 and unpack it (a plain-http download, so verify the tarball's
    # signature from nginx.org; 1.9.7 is a 2015 mainline release, use a current stable one)
    cd /usr/local
    wget http://nginx.org/download/nginx-1.9.7.tar.gz
    tar -zxvf nginx-1.9.7.tar.gz
    cd nginx-1.9.7
    # configure with the previous parameters, adding --with-http_v2_module and --with-openssl=/usr/local/openssl
    ./configure \
    --prefix=/usr/local/nginx \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --pid-path=/var/run/nginx/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --with-http_gzip_static_module \
    --http-client-body-temp-path=/var/temp/nginx/client \
    --http-proxy-temp-path=/var/temp/nginx/proxy \
    --http-fastcgi-temp-path=/var/temp/nginx/fastcgi \
    --http-uwsgi-temp-path=/var/temp/nginx/uwsgi \
    --http-scgi-temp-path=/var/temp/nginx/scgi \
    --with-openssl=/usr/local/openssl
    # --with-openssl expects an OpenSSL source tree and looks for headers and libraries under
    # <dir>/.openssl/; when it points at an installed prefix, as here, the build fails until
    # auto/lib/openssl/conf is edited to read them from <dir>/ instead ($OPENSSL/.openssl/ becomes $OPENSSL/)
    # change made following this link: https://blog.csdn.net/zhangge3663/article/details/84647077
    # build the new binary with make only; do not run make install afterwards, or it will
    # overwrite your existing nginx configuration files
    make
    # the new executable is in /usr/local/nginx-1.9.7/objs
    cd /usr/local
    cp nginx-1.9.7/objs/nginx /usr/local/nginx/sbin

After the rebuild, nginx -V reports "built with OpenSSL 1.0.2j 26 Sep 2016". Then add http2 (and default_server, if this is the catch-all server) to the HTTPS listen directive in nginx.conf:

    # HTTPS settings
    server {
        listen 443 ssl http2 default_server;  # HTTPS default port, HTTP/2 enabled
        server_name www.zengcc.xyz;           # IP address or domain name to serve
        ...
    }

Finally, reload the configuration and visit the site.

References

HTTP forced redirect to HTTPS, and non-www domain redirected to www: zhuanlan.zhihu.com/p/51673748
Nginx compile parameters explained: blog.51cto.com/blief/17098…
Upgrading OpenSSL: blog.csdn.net/shiyong1949…
Nginx HTTP/2 configuration not taking effect: blog.csdn.net/a454213722/…
blog.csdn.net/zhangge3663…