Nginx + 阿里雲SSL + tomcat 實現https訪問代理

第一步：阿里雲申請雲盾證書服務

第二步：下載證書

第三步：修改Nginx配置

1. 證書文件214033834890360.pem，包含兩段內容，請不要刪除任何一段內容。

2. 若是是證書系統建立的CSR，還包含：證書私鑰文件214033834890360.key。

( 1 ) 在Nginx的安裝目錄下建立cert目錄，而且將下載的所有文件拷貝到cert目錄中。若是申請證書時是本身建立的CSR文件，請將對應的私鑰文件放到cert目錄下而且命名爲214033834890360.key；

( 2 ) 打開 Nginx 安裝目錄下 conf 目錄中的 nginx.conf 文件，找到：

worker_processes 4;
error_log logs/error.log crit; #日誌位置和日誌級別
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream backend {
#ip_hash;
server 172.17.0.3:8080 weight=1 max_fails=2 fail_timeout=2;
server 172.17.0.4:8080 weight=1 max_fails=2 fail_timeout=2;
}
upstream mgr {
#ip_hash;
server 172.17.0.7:8080 weight=1 max_fails=2 fail_timeout=2;
}

server {

    listen 443;
    server_name  localhost;
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate   cert/214031620150360.pem;
    ssl_certificate_key  cert/214031620150360.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

location / {
    proxy_pass  http://backend;
    ### force timeouts if one of backend is died ##
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    ### Set headers ####
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ## Most PHP, Python, Rails, Java App can use this header ###
    proxy_set_header X-Forwarded-Proto https;
    ### By default we don't want to redirect it ####
    proxy_redirect     off;           
}

location /test/ {
        proxy_pass  http://172.17.0.5:8080;
    ### force timeouts if one of backend is died ##
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    ### Set headers ####
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ## Most PHP, Python, Rails, Java App can use this header ###
    proxy_set_header X-Forwarded-Proto https;
    ### By default we don't want to redirect it ####
    proxy_redirect     off;  
}
location /dev/ {
    proxy_pass http://172.17.0.6:8080;
    ### force timeouts if one of backend is died ##
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    ### Set headers ####
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ## Most PHP, Python, Rails, Java App can use this header ###
    proxy_set_header X-Forwarded-Proto https;
    ### By default we don't want to redirect it ####
    proxy_redirect     off;  
}
location /pre/ {
        proxy_pass http://mgr;
    ### force timeouts if one of backend is died ##
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    ### Set headers ####
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ## Most PHP, Python, Rails, Java App can use this header ###
    proxy_set_header X-Forwarded-Proto https;
    ### By default we don't want to redirect it ####
    proxy_redirect     off;
}
}
}

修改Tomcat配置

新增配置項：
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https"/>

第四步：啓動Nginx

/usr/local/nginx/nginx

第五步：測試https域名

OK