How to configure Nginx SSL certificate to achieve HTTPS access

Background

Due to project requirements and security reasons, it is necessary to change the previous http interface access to https access, so an SSL certificate needs to be configured. The architecture of the project is like this:

The basic architecture is hard load (readwhere) soft load (nginx) tomcat cluster. The current problem is that the ssl certificate must be configured in Where, configured directly on the hard load? Or configure it on nginx and tomcat respectively? Or is there any other configuration method?

First of all, I gave up configuring the hard load, and then after searching for information on the Internet, I found that I can only configure the certificate on nginx. That is to say, nginx uses https for access, and http is used for connection between nginx and tomcat. This gives you an overall idea.

About ssl certificate

About ssl certificate, here is a brief introduction. It is also because of the needs of the project that I have a brief understanding.

SSL certificates are roughly divided into three types, domain level (dv), enterprise level (ov), and enhanced level (ev), with security and price increasing in order. Choose according to your own needs. For personal use, you can use dv, which is cheap; for corporate use, ov is generally used, and ev is used under special circumstances.

ssl certificate configuration

Because nginx’s support for ssl certificate configuration makes this implementation possible, I have to lament nginx of strength.

Certificate preparation

nginx configuration requires .pem/.crt certificate.key. If you currently have other forms of certificates, please follow the relevant instructions to convert into the required certificate type, otherwise the certificate configuration cannot be completed. Generally, purchasing merchants will have corresponding conversion tools.

After you are ready, place the certificate and secret key in the conf directory of nginx (that is, in the same directory as the configuration file nginx.conf). Special attention needs to be paid here:

1. If it is configured under a Linux system, it is ready;

2. If it is configured under a Windows system, the password in the .key secret key file needs to be removed. Otherwise, nginx will not start after configuration. This is a pit. I am stuck here. The specific solution is also very simple. Download the windows version of openssl online, then switch cmd to the bin directory and execute openssl rsa. -in server.key -out server2.key, the generated server2.key is the secret key file required for configuration, but the file name needs to be changed to server.key.

Modify nginx configuration file

The following is part of my nginx.conf configuration file. The port is not the default 443, but changed It becomes 8185. Just modify it according to your needs. Other configurations are basically as follows and there will be no problem.

server {
    listen    8185;
    server_name localhost; 
    ssl         on; 
    ssl_certificate   server.pem; 
    ssl_certificate_key server.key; 
    ssl_session_timeout 5m;
    ssl_protocols tlsv1 tlsv1.1 tlsv1.2;
    ssl_ciphers high:!rc4:!md5:!anull:!enull:!null:!dh:!edh:!exp:+medium; 
    ssl_prefer_server_ciphers  on;

    location / {
      proxy_set_header host $host:$server_port; 
      proxy_set_header x-real-ip $remote_addr; 
      proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; 
      proxy_set_header x-forwarded-proto $scheme;
      proxy_connect_timeout  5;
      proxy_send_timeout   5;
      proxy_read_timeout   5; 
      proxy_pass http://qlddm_server;
    }

Modify the tomcat configuration file

Although there is no need to configure the certificate in tomcat, you still need to modify the tomcat configuration server.xml configuration file, which specifically includes two places :

<connector 
    executor="tomcatthreadpool"
    port="7083" 
    protocol="org.apache.coyote.http11.http11nio2protocol" 
    connectiontimeout="20000" 
    maxconnections="8000" 
    redirectport="8185" 
    proxyport="8185"
    enablelookups="false" 
    acceptcount="100" 
    maxpostsize="10485760" 
    compression="on" 
    disableuploadtimeout="true" 
    compressionminsize="2048" 
    acceptorthreadcount="2" 
    compressablemimetype="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript" 
    uriencoding="utf-8"
  />

You need to modify both redirectport and proxyport to your nginx listening port number.

<valve classname="org.apache.catalina.valves.remoteipvalve"
       remoteipheader="x-forwarded-for"
       protocolheader="x-forwarded-proto"
       protocolheaderhttpsvalue="https" httpsserverport="8185"/>

You need to add the above value tag. Note that httpsserverport also needs to be modified to the nginx listening port number.

The above is the detailed content of How to configure Nginx SSL certificate to achieve HTTPS access. For more information, please follow other related articles on the PHP Chinese website!