【SSL certificate configuration】Applying for an SSL certificate on Tencent Cloud and configuring it for nginx + tomcat

Log in to Tencent Cloud and go to Cloud Products => SSL Certificates.

The default options are fine.

View the certificate details.


After you apply, the review is completed within one business day.

Download the certificate, upload it to the server and unpack it into a directory of your choice (the archive contains apache, nginx, tomcat and IIS versions of the certificate; pick the one you need).


Next, set up nginx, tomcat and the JDK; you can refer to my blog for those, so they are not explained here.

Create a cert directory and copy the certificate files from the Nginx folder of the archive into nginx's cert directory.

[root@tanbaobao Nginx]# ls
1_域名_bundle.crt  2_域名.key
[root@tanbaobao Nginx]# pwd
/usr/local/src/tourby.cn/Nginx
[root@tanbaobao Nginx]# mkdir /usr/local/nginx/conf/cert
[root@tanbaobao Nginx]# cp * /usr/local/nginx/conf/cert/

Edit the nginx.conf file.

[root@tanbaobao conf]# pwd
/usr/local/nginx/conf
[root@tanbaobao conf]# cat nginx.conf
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile        on;

    keepalive_timeout  65;

    upstream 本地ip {
        # set weights: the higher the weight, the more requests the server receives
        server ip:8080;
    }

    # pull in the external conf files
    include /usr/local/nginx/conf/thy/*.conf;

}


[root@tanbaobao conf]# cd thy/
[root@tanbaobao thy]# cat wssl.conf 
# 2020-01-07 https (ssl) access configuration
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  域名;
    # Force http to https. Because the rewrite already sends the request to the
    # https server below (a second pass through nginx), no location / {} is needed
    # here. This is important: it cost me half a day and a friend's help to sort out.
    rewrite ^(.*) https://$server_name$1 permanent;

    #location / {
    #    proxy_pass http://upstream名称;
    #    proxy_set_header Host $host;
    #    proxy_set_header Cookie $http_cookie;
    #    proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_connect_timeout 600;
    #    proxy_read_timeout 600;
    #    proxy_send_timeout 600;
    #}

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

server {
    # SSL port number, 443
    listen       443 ssl;
    # the domain name the certificate is bound to
    server_name  域名;
    charset UTF-8;
    # enable SSL
    # ssl on;
    # certificate file name
    ssl_certificate      /usr/local/nginx/conf/cert/1_域名_bundle.crt;
    # private key file name
    ssl_certificate_key  /usr/local/nginx/conf/cert/2_域名.key;

#      ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # configure the cipher suites as follows; the syntax follows the openssl standard
    ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    proxy_ssl_server_name on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers  on;
    proxy_ssl_session_reuse off;
    # default
    location / {
        root html;
        index index.html index.htm;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout      240;
        proxy_send_timeout         240;
        proxy_read_timeout         240;
        proxy_pass  http://upstream名称/beian/;
    }
}


PS: note that if ssl on is present, checking the configuration file for errors reports: the "ssl" directive is deprecated, use the "listen ... ssl"

After commenting out ssl on, the problem is resolved.

[root@tanbaobao thy]# nginx -c /usr/local/nginx/conf/nginx.conf
[root@tanbaobao thy]# nginx -s reload

Tomcat needs no changes here: nginx terminates the https requests, and nginx and tomcat still talk to each other over plain http.

Copy the project into tomcat's webapps directory, start the tomcat service, and open the domain name to reach the beian project.

[root@tanbaobao thy]# /usr/local/tomcat-9.0.29/bin/startup.sh 

Open https://域名 in the browser; because the rewrite above forces the redirect, http requests are automatically switched to https.
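As an added check that is not part of the original post: a small Python audit of the wssl.conf layout above, run before nginx -s reload, that flags the three settings worth revisiting: the deprecated ssl on; (the error the post hit), ssl_protocols still listing TLSv1/TLSv1.1, and the commented-out ssl_session_cache. ORIGINAL_CONF is a constructed copy of the post's config with its placeholders kept; HARDENED_CONF, WEAK_PROTOCOLS and the function names are my own.

```python
import re

# Constructed sample modelled on this post's wssl.conf (placeholders kept), with the
# deprecated "ssl on;" still active, as it was before the author commented it out.
ORIGINAL_CONF = """
server {
    listen 80 default_server;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://upstream名称/beian/;
    }
}
"""
# Hypothetical hardened copy: same layout, with the settings this audit asks for.
HARDENED_CONF = ORIGINAL_CONF.replace("    ssl on;\n", "").replace(
    "TLSv1 TLSv1.1 TLSv1.2;", "TLSv1.2 TLSv1.3;\n    ssl_session_cache shared:SSL:10m;")
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # not acceptable for a public site any more

def server_blocks(text):
    """Split a config into one chunk per top-level 'server {' line, comments stripped."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return re.split(r"(?m)^server\s*\{", text)[1:]

def directive(body, name):
    """Argument string of the first 'name ...;' directive in body, or None if absent."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]*);", body)
    return m.group(1).strip() if m else None
def audit(conf):
    """Return findings for the port-80 redirect and the listen-443 TLS settings."""
    findings = []
    for body in server_blocks(conf):
        listen = directive(body, "listen") or ""
        if re.search(r"(?<!\d)443(?!\d)", listen):
            if directive(body, "ssl") == "on":
                findings.append("'ssl on' is deprecated; 'listen 443 ssl' already enables TLS")
            weak = WEAK_PROTOCOLS & set((directive(body, "ssl_protocols") or "").split())
            if weak:
                findings.append("ssl_protocols allows %s; use 'TLSv1.2 TLSv1.3'" % " ".join(sorted(weak)))
            if directive(body, "ssl_session_cache") is None:
                findings.append("ssl_session_cache not set; add 'shared:SSL:10m' for session reuse")
        elif re.search(r"(?<!\d)80(?!\d)", listen):
            if "https://" not in (directive(body, "rewrite") or "") + (directive(body, "return") or ""):
                findings.append("port-80 server does not redirect to https")
    return findings
```

Running audit(ORIGINAL_CONF) lists the three findings; audit(HARDENED_CONF) returns an empty list.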


posted @ 2020-01-07 16:37  HeiDi_BoKe