CentOS/Debian: deploying an nginx + Tomcat website with separate front end and back end, with HTTPS access enabled (advanced)
The previous posts covered installing and configuring nginx, Tomcat and MariaDB/MySQL, and deploying a site with the Java CMS PublicCMS. This advanced post explains how to set up an nginx + Tomcat front-end/back-end deployment and enable HTTPS access.
Before configuring HTTPS, if you are using PublicCMS, enable the SSL option under site management in the admin back end.
一、Installing Let's Encrypt
Let's Encrypt is currently the way to get certificates for free; it works very well, so that is what we will use here and nothing else is covered.
Install the wget command:
yum install wget
Download the Let's Encrypt automated deployment script:
wget https://dl.eff.org/certbot-auto
Make it executable:
chmod a+x certbot-auto
Since the site is served by nginx, use the automatic nginx configuration mode:
./certbot-auto --nginx
1. During configuration, the first prompt asks for an e-mail address; enter one and press Enter. The tool then automatically collects the information for all sites currently configured in nginx.
2. Entering the number of a domain enables HTTPS for that domain only; pressing Enter without choosing a number enables it for all domains by default.
3. Finally you are asked to choose a redirect mode. Option 1: users must type the https prefix in the browser themselves to reach the HTTPS site. Option 2: requests are forced to the https prefix with an automatic 301 redirect. With option 2, for example, typing the domain www.rednn.com redirects automatically to https://www.rednn.com.
4. Once you have made your choices the configuration is finished; a very simple process! Certificate renewal will get its own chapter, as there is not enough room for it here.
二、Configuring nginx
Open the website.conf file that we created in the previous post:
vi /etc/nginx/conf.d/website.conf
upstream cms {
    # Real address and port of the CMS; add more server lines here to run a cluster
    server localhost:8080 weight=1;
}
# Static site configuration for rednn.com
server {
    listen 80;
    server_name www.rednn.com;
    location / {
        alias /opt/website/web/site_1/;
        index index.html;
        add_header Access-Control-Allow-Origin *;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rednn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rednn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Dynamic site configuration for rednn.com
server {
    listen 80;
    server_name cms.rednn.com search.rednn.com;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 5;
        proxy_send_timeout 30;
        proxy_read_timeout 10;
        proxy_pass http://cms;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rednn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rednn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location /webfile/ {
        alias /opt/website/web/site_1/webfile/;
        index index.html;
    }
    location /include/ {
        alias /opt/website/web/site_1/include/;
    }
    location /message/ {
        proxy_pass http://127.0.0.1:1000/;
    }
}
This is the configuration after HTTPS was enabled. You can see that Let's Encrypt has automatically added the certificate paths for us, but we still need to add a few lines ourselves. Pay close attention to the added ssi lines: this is a pitfall, and without them your pages will render as garbled text!
upstream cms {
    server localhost:8080 weight=1;
}
# Static site configuration for rednn.com
server {
    listen 80;
    server_name www.rednn.com;
    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;
    location / {
        alias /opt/website/web/site_1/;
        index index.html;
        add_header Access-Control-Allow-Origin *;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rednn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rednn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Dynamic site configuration for rednn.com
server {
    listen 80;
    server_name cms.rednn.com search.rednn.com;
    ssi on;
    ssi_silent_errors on;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 5;
        proxy_send_timeout 30;
        proxy_read_timeout 10;
        proxy_pass http://cms;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rednn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rednn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location /webfile/ {
        alias /opt/website/web/site_1/webfile/;
        index index.html;
    }
    location /include/ {
        alias /opt/website/web/site_1/include/;
    }
    location /message/ {
        proxy_pass http://127.0.0.1:1000/;
    }
}
The above is the configuration after the manual changes. Barring surprises, your static site is now served over HTTPS and works normally. Accessing the cms.rednn.com back end still has problems, however, so we need to configure how Tomcat deals with the certificate.
三、Configuring Tomcat
Configuring HTTPS directly in Tomcat is tedious and complicated, and the certificate cannot be hot-reloaded, so HTTPS for a website is usually handled by putting a reverse proxy such as Apache or nginx in front of Tomcat.
The configuration below, for example, uses nginx to reverse-proxy the local Tomcat application on port 8080 so that it is reached on port 443.
upstream cms {
    server localhost:8080 weight=1;
}
server {
    listen 80;
    server_name cms.rednn.com search.rednn.com;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 5;
        proxy_send_timeout 30;
        proxy_read_timeout 10;
        proxy_pass http://cms;
    }
}
In the nginx configuration above, the proxy_set_header directives place the real request protocol, the client IP and related information into the request headers sent to Tomcat. nginx and Tomcat talk to each other over plain HTTP, so if Tomcat reads the protocol directly with request.getScheme(), it gets http.
Most applications already contain logic that prefers the X-Real-IP request header when determining the client IP, but for the protocol they generally still rely on request.getScheme(). You therefore need to add one line to the Host element in Tomcat's conf/server.xml:
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto"/>
Then restart Tomcat, and it will take the real protocol from the request headers:
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Context path="" docBase="/opt/website/" debug="0" reloadable="true"></Context>
    <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto"/>
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
Restart Tomcat:
systemctl restart tomcat
The back end is now reachable over HTTPS as well; configuration complete!
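To make the RemoteIpValve step above concrete, here is an added Python model of how the valve resolves the client address and scheme from X-Forwarded-For and X-Forwarded-Proto. It is not Tomcat's code and not part of the original post; the regular expression is Tomcat's documented default internalProxies pattern, and the sample addresses are constructed. The point it shows is that the forwarded headers are honoured only when the direct peer is a trusted proxy such as the local nginx, so a client talking to an exposed Tomcat directly cannot make itself look like an HTTPS request.

```python
import re

# Tomcat's default internalProxies pattern for RemoteIpValve: RFC 1918
# ranges, link-local, and loopback. Forwarded headers are trusted only when
# the directly connected peer matches this pattern.
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)


def resolve_request(remote_addr, headers, scheme="http"):
    """Model of the valve: return (client_ip, scheme, secure) as the web
    application would observe them after the valve has run.

    remote_addr is the TCP peer Tomcat sees (nginx when proxied), headers is
    the request header dict, scheme is the scheme of the raw connection.
    """
    if not INTERNAL_PROXIES.fullmatch(remote_addr):
        # Direct connection from an untrusted peer: any X-Forwarded-* the
        # client sent is ignored, so it cannot spoof its IP or "https".
        return remote_addr, scheme, scheme == "https"

    # Walk X-Forwarded-For from right to left, skipping our own proxies, until
    # the first address that is not an internal proxy: that is the client.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client = remote_addr
    while hops:
        client = hops.pop()
        if not INTERNAL_PROXIES.fullmatch(client):
            break

    # protocolHeader="X-Forwarded-Proto": first value decides the scheme, which
    # is what request.getScheme() / isSecure() return behind the valve.
    proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    if proto:
        scheme = proto
    return client, scheme, scheme == "https"


if __name__ == "__main__":
    # Constructed sample: a real client behind the nginx from this post.
    print(resolve_request("127.0.0.1", {"X-Forwarded-For": "203.0.113.7",
                                        "X-Forwarded-Proto": "https"}))
    # Constructed sample: an untrusted peer trying to claim https itself.
    print(resolve_request("198.51.100.9", {"X-Forwarded-Proto": "https"}))
```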
Reminders:
1. Lay out the front-end site data and the back-end program sensibly; each should live in its own separate location.
2. Front-end site data is best kept under /data/web/ or /srv/web/, because the site's static files and templates all live in the front-end data, which keeps growing as the site's content grows. It is advisable to mount a separate disk for this data directory; that makes management safer, clearer and more orderly. In the previous post I put the front-end and back-end data all together because I was explaining the deployment scheme, and it feels messy; you can of course choose other locations yourself.
Corrections welcome!