Enabling HTTPS for nginx + Tomcat with Let's Encrypt

Author: Garany   Published: 2016-12-20   Category: 破万卷书

For details on Let's Encrypt itself, see the other post on this site.


I. Generate the certificate
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt/
# ./letsencrypt-auto --debug certonly --email gxxxxy@163.com --standalone -d ssl.xxxxx.com
# echo $?
II. Edit Tomcat's server.xml
# vim /tomcat_PATH/conf/server.xml
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" proxyPort="443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- Trust the X-Forwarded-* headers set by the nginx proxy in front of Tomcat -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />
      </Host>
    </Engine>
  </Service>

Notes:

1. Add proxyPort="443" to the Connector and change redirectPort to "443".

2. Add the <Valve> element for RemoteIpValve inside <Host>.

III. Edit the nginx vhost configuration
# vim /etc/nginx/conf.d/virtual.conf
server {
        listen 80;
        server_name ssl.xxxxx.com;
        rewrite ^ https://$server_name$request_uri permanent;
}
server {
        listen 443 ssl;
        server_name ssl.xxxxx.com;
        ssl_certificate /etc/letsencrypt/live/ssl.xxxxx.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ssl.xxxxx.com/privkey.pem;
        ssl_protocols   TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        location / {
                index index.html index.jsp;
                proxy_pass http://127.0.0.1:8080;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
                proxy_connect_timeout      240;
                proxy_send_timeout         240;
                proxy_read_timeout         240;
        }
}

Notes:

1. Add the ssl_certificate and ssl_certificate_key directives.

2. Add the proxy_set_header X-Forwarded-Proto https directive so Tomcat knows the original request was HTTPS.
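To show why the RemoteIpValve in section II and the X-Forwarded-* headers in section III belong together, here is an added example (not code from the original post or from Tomcat) that models how the valve decides which headers to honour. The internalProxies ranges are an approximation of Tomcat's default, and all IP addresses are constructed samples.

```python
"""Model of RemoteIpValve (remoteIpHeader="x-forwarded-for",
protocolHeader="x-forwarded-proto") sitting behind nginx on 127.0.0.1."""
import ipaddress

# Approximation of RemoteIpValve's default internalProxies:
# RFC 1918 ranges, loopback and link-local. Only peers in these ranges
# are trusted to supply X-Forwarded-* headers.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_request(remote_addr: str, headers: dict) -> dict:
    """Return the client address and scheme Tomcat exposes to the webapp.

    remote_addr is the TCP peer that connected to Tomcat; with the nginx
    proxy_pass from section III that is 127.0.0.1.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Headers are only honoured when the immediate peer is a trusted proxy,
    # so a client reaching port 8080 directly cannot spoof address or scheme.
    if not is_internal_proxy(remote_addr):
        return {"client": remote_addr, "scheme": "http", "secure": False}
    # X-Forwarded-For is "client, proxy1, proxy2": walk from the right,
    # skip internal proxies, and take the first external hop as the client.
    hops = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    client = remote_addr
    for hop in reversed(hops):
        if not is_internal_proxy(hop):
            client = hop
            break
    # protocolHeader makes request.isSecure() reflect the nginx-side TLS.
    scheme = h.get("x-forwarded-proto", "http").lower()
    return {"client": client, "scheme": scheme, "secure": scheme == "https"}


if __name__ == "__main__":
    # Constructed: browser 203.0.113.9 -> nginx (TLS) -> Tomcat on 127.0.0.1
    print(resolve_request("127.0.0.1", {"X-Forwarded-For": "203.0.113.9",
                                        "Host": "ssl.xxxxx.com",
                                        "X-Forwarded-Proto": "https"}))
    # Constructed: same headers sent straight to port 8080 are ignored
    print(resolve_request("198.51.100.7", {"X-Forwarded-For": "10.0.0.1",
                                           "X-Forwarded-Proto": "https"}))
```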

IV. Restart nginx and restart Tomcat


Result

[screenshot: 截图.jpg]
