For a detailed introduction to Let's Encrypt, see the other post on this site.
1. Generate the certificate
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt/
# ./letsencrypt-auto --debug certonly --email gxxxxy@163.com --standalone -d ssl.xxxxx.com
# echo $?
2. Edit Tomcat's server.xml
# vim /tomcat_PATH/conf/server.xml
<Service name="Catalina">
  <!-- proxyPort/redirectPort tell Tomcat that the public port in front of it is 443 -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" proxyPort="443"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
      <!-- RemoteIpValve reads the client address and scheme from the headers set by nginx -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="x-forwarded-for"
             remoteIpProxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />
    </Host>
  </Engine>
</Service>
Notes:
1. Add proxyPort="443" and change redirectPort to "443".
2. Add the <Valve> element.
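To show why the <Valve> element matters, here is an added Python model of what RemoteIpValve does with the headers nginx sets. It is not code from the post or from Tomcat: it reproduces the valve's decision rule (trust X-Forwarded-For and X-Forwarded-Proto only when the TCP peer is an internal proxy, then walk X-Forwarded-For from the right to find the client) and runs it over two constructed requests, one arriving through nginx on 127.0.0.1 and one sent straight to port 8080 with forged headers. The address ranges mirror the valve's default internalProxies pattern; the request objects and sample addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Ranges covered by RemoteIpValve's default internalProxies regex (10/8, 192.168/16,
# 169.254/16, 127/8, 172.16/12), written as networks instead of a regex.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8", "172.16.0.0/12")]


@dataclass
class Request:
    remote_addr: str   # TCP peer address as Tomcat's connector sees it
    headers: dict      # header names lower-cased


@dataclass
class Resolved:
    remote_addr: str   # what request.getRemoteAddr() will return
    scheme: str        # what request.getScheme() will return
    secure: bool       # what request.isSecure() will return
    server_port: int   # what request.getServerPort() will return


def is_internal_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve(req: Request,
            remote_ip_header: str = "x-forwarded-for",
            protocol_header: str = "x-forwarded-proto",
            connector_port: int = 8080) -> Resolved:
    """Model of RemoteIpValve: forwarded headers are honoured only from an internal proxy."""
    untouched = Resolved(req.remote_addr, "http", False, connector_port)
    if not is_internal_proxy(req.remote_addr):
        # Peer is not a trusted proxy: headers are ignored entirely, so a client that
        # reaches 8080 directly cannot forge its address or claim to be on HTTPS.
        return untouched

    # Walk X-Forwarded-For right to left, skipping internal proxies; the first
    # address that is not an internal proxy is the real client.
    client = req.remote_addr
    xff = [a.strip() for a in req.headers.get(remote_ip_header, "").split(",") if a.strip()]
    for addr in reversed(xff):
        client = addr
        if not is_internal_proxy(addr):
            break

    proto = req.headers.get(protocol_header, "").strip().lower()
    if not proto:
        # No protocol header: scheme, secure flag and port stay as the connector set them.
        return Resolved(client, "http", False, connector_port)
    if proto == "https":
        return Resolved(client, "https", True, 443)   # valve's default httpsServerPort
    return Resolved(client, "http", False, 80)        # valve's default httpServerPort


def demo():
    """Two constructed requests: one via nginx on loopback, one direct with forged headers."""
    via_nginx = Request("127.0.0.1", {
        "host": "ssl.xxxxx.com",
        "x-forwarded-for": "203.0.113.10",
        "x-forwarded-proto": "https",
    })
    direct_spoof = Request("198.51.100.7", {
        "x-forwarded-for": "10.0.0.5",
        "x-forwarded-proto": "https",
    })
    return resolve(via_nginx), resolve(direct_spoof)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The first request resolves to client 203.0.113.10 over https on port 443, so redirects Tomcat generates use https and request.isSecure() is true (which is also what lets Tomcat mark the session cookie Secure). The second keeps 198.51.100.7, http, port 8080: the forged headers are dropped because the peer is outside the internal-proxy ranges. The check only holds if nothing but nginx can reach the proxy ranges, which is why the proxy_pass target in this setup is 127.0.0.1.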
3. Edit the nginx vhost configuration file
# vim /etc/nginx/conf.d/virtual.conf
server {
    listen 80;
    server_name ssl.xxxxx.com;
    # send every plain-HTTP request to the HTTPS vhost
    rewrite ^ https://$server_name$request_uri permanent;
}
server {
    listen 443 ssl;
    server_name ssl.xxxxx.com;
    ssl_certificate /etc/letsencrypt/live/ssl.xxxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl.xxxxx.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    location / {
        index index.html index.jsp;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # tells Tomcat's RemoteIpValve that the original request was HTTPS
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
    }
}
Notes:
1. Add the ssl_certificate and ssl_certificate_key directives.
2. Add the proxy_set_header X-Forwarded-Proto https directive.
4. Restart nginx and restart Tomcat
Result