nginx 配置https反向代理http
nginx 配置
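# TLS-terminating reverse proxy: clients connect over HTTPS, and each location is
# forwarded as plain HTTP to a Tomcat instance listening on the loopback address.
server {
    listen 443 ssl;
    server_name a.test.com;
    # Certificate and private key; the key file should be readable only by the
    # account that starts nginx.
    ssl_certificate /root/nginx_ssl/a.test.com.crt;
    ssl_certificate_key /root/nginx_ssl/a.test.com.key;

    location /admin {
        proxy_set_header X-Real-IP $remote_addr;
        # $remote_addr replaces any X-Forwarded-For value the client sent, so the
        # backend only receives the peer address nginx itself observed.
        proxy_set_header X-Forwarded-For $remote_addr;
        # If Host is not set, the URLs Tomcat returns use 127.0.0.1 instead of a.test.com.
        proxy_set_header Host $host;
        # Passes the original scheme (https on this listener) to the backend.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8086;
    }

    location /mch {
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for keeps an X-Forwarded-For header supplied by the
        # client and appends $remote_addr to it. Only the last entry was observed by
        # nginx; every earlier entry is client-controlled and must not be trusted for
        # access control or audit logging. /admin uses $remote_addr instead.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8087;
    }

    location /notify {
        proxy_set_header X-Real-IP $remote_addr;
        # Same caveat as /mch: entries before the last one come from the client.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8089;
    }
}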
此时浏览器访问https://a.test.com/admin的时候返回的URL都是http,而且浏览器https验证不会提示安全和🔒。
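nginx变量 $proxy_add_x_forwarded_for 和 $remote_addr 的值只有在客户端请求没有自带 X-Forwarded-For 头时才一样;如果请求自带该头,$proxy_add_x_forwarded_for 会保留客户端传来的值,并在后面追加 $remote_addr,因此前面的部分是客户端可以伪造的。证书是网上申请的。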
tomcat上配置
<Engine name="Catalina" defaultHost="localhost">
<!-- RemoteIpValve applies the scheme and client address that the front-end proxy
     passes in request headers. protocolHeader has to be set explicitly: in the valve
     source quoted on this page it defaults to null, and the scheme/secure handling is
     skipped while it is null. remoteIpHeader and protocolHeaderHttpsValue are written
     out here with the same values as their defaults.
     NOTE(review): these headers are only as trustworthy as whoever can reach the
     connector. Keep the Tomcat HTTP connector reachable from the nginx host only
     (nginx proxies to 127.0.0.1 in this setup), otherwise a client connecting
     directly could supply X-Forwarded-Proto and X-Forwarded-For itself. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto"
protocolHeaderHttpsValue="https"/>
</Engine>
protocolHeaderHttpsValue 和 remoteIpHeader 的默认值与上面的配置相同,可以不用配置;protocolHeader 默认为 null,必须显式配置,否则 Tomcat 不会根据 X-Forwarded-Proto 修改请求的协议。
tomcat 源代码
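// Default values of the valve's header settings, as quoted on this page
// (presumably from org.apache.catalina.valves.RemoteIpValve, the class named in the
// Tomcat configuration above).

// Name of the request header that carries the original scheme. It is null by default,
// and the scheme handling quoted below is skipped entirely while it is null.
private String protocolHeader = null;
// Header value that marks the original request as HTTPS (compared case-insensitively
// in the code quoted below).
private String protocolHeaderHttpsValue = "https";
// NOTE(review): presumably the header carrying the original port; its use is not
// shown in this excerpt.
private String portHeader = null;
// NOTE(review): use not shown in this excerpt.
private String proxiesHeader = "X-Forwarded-By";
// Default name of the header configured as remoteIpHeader; how the valve processes
// it is not shown in this excerpt.
private String remoteIpHeader = "X-Forwarded-For";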
// Scheme handling: runs only when a protocolHeader name has been configured.
// NOTE(review): this excerpt does not show whether the enclosing code first checks that
// the request came from a trusted proxy; confirm against the full source, and keep the
// connector unreachable for clients that could send this header themselves.
if (this.protocolHeader != null) {
// Read the configured header (X-Forwarded-Proto in the configuration on this page).
String protocolHeaderValue = request.getHeader(this.protocolHeader);
// A request without the header is left untouched.
if (protocolHeaderValue != null)
{
// Case-insensitive match against the configured HTTPS marker value.
if (this.protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
// Marks the request as secure with scheme "https", so the application sees HTTPS
// even though nginx connected over plain HTTP.
request.setSecure(true);
request.getCoyoteRequest().scheme().setString("https");
setPorts(request, this.httpsServerPort);
} else {
// Any other header value marks the request as non-secure plain HTTP.
request.setSecure(false);
request.getCoyoteRequest().scheme().setString("http");
setPorts(request, this.httpServerPort);
}
}
}