
How to Configure an SSL Certificate for HTTPS Access in Nginx

2025-02-25 Update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 05/31

This article explains how to configure an SSL certificate in Nginx to enable HTTPS access. The method is simple, fast and practical.

Background

For security reasons, the project required changing the existing HTTP interface access to HTTPS, which meant configuring an SSL certificate. The architecture of the project is as follows:

The basic architecture is a hardware load balancer (readwhere) + a software load balancer (nginx) + a Tomcat cluster. The question is where to configure the SSL certificate: directly on the hardware load balancer, on nginx and Tomcat separately, or in some other way?

Configuring it on the hardware load balancer was ruled out first. Looking up information online then showed that the certificate can be configured on nginx alone: clients reach nginx over HTTPS, while nginx and Tomcat talk to each other over HTTP. That settled the overall approach.

About SSL certificates

Here is a brief introduction to SSL certificates, based on the basic understanding gained for the needs of this project.

SSL certificates fall roughly into three categories: domain validation (DV), organization validation (OV) and extended validation (EV), with security and price increasing in that order. Choose according to your needs: DV is cheap and suits personal use; companies generally use OV, and EV in special cases.

SSL certificate configuration

This approach works because nginx supports SSL certificate configuration, which again shows how capable nginx is.

Certificate preparation

Nginx needs a certificate in .pem or .crt form plus a .key private key. If your certificate is in another format, convert it to the required type following the relevant instructions, otherwise the configuration cannot be completed. Generally, the certificate vendor provides a corresponding conversion tool.

When they are ready, put the certificate and key in nginx's conf directory (the same directory as the configuration file nginx.conf). Pay special attention to the following:

On Linux, nothing more is needed.

On Windows, you need to remove the passphrase from the .key file, otherwise nginx will not start after configuration. This is a pitfall, and I got stuck on it, but the fix is simple. Download the Windows version of openssl, change to its bin directory in cmd, and run openssl rsa -in server.key -out server2.key. The generated server2.key is the key file the configuration needs, but it must be renamed to server.key.
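The certificate preparation steps above, as an added shell example that is not part of the original article: it checks that the key nginx will load is unencrypted, readable only by its owner (once the passphrase is removed, file permissions are the key's only protection) and actually belongs to the certificate. The function names, DEMO_PASS and the generated self-signed pair are constructed for illustration; the file names server.pem, server.key and server2.key follow the article.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. DEMO_PASS and the generated
# key pair are constructed test data.

# Succeeds if the PEM private key is passphrase-protected.
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Write an unencrypted copy of an RSA key that only its owner can read.
# $3 is an openssl pass-phrase source (env:VAR, file:PATH), which keeps the
# passphrase itself out of the process list.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" -passin "$3" 2>/dev/null )
}

# Succeeds if group and others have no permission bits on the file.
owner_only() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Succeeds if certificate $1 and key $2 carry the same public key.
pair_matches() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 = ready for nginx, 1 = key still encrypted, 2 = key readable by others,
# 3 = key does not belong to the certificate.
preflight() {
    key_is_encrypted "$2" && return 1
    owner_only "$2" || return 2
    pair_matches "$1" "$2" || return 3
}

# Constructed input: self-signed certificate plus passphrase-protected key.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=localhost' \
        -keyout "$1/server.key" -out "$1/server.pem" \
        -passout env:DEMO_PASS 2>/dev/null
}

export DEMO_PASS='constructed-passphrase'
tmp=$(mktemp -d) && make_demo_pair "$tmp"
preflight "$tmp/server.pem" "$tmp/server.key" && echo "server.key: ready" || echo "server.key: rejected, code $?"
strip_passphrase "$tmp/server.key" "$tmp/server2.key" env:DEMO_PASS
preflight "$tmp/server.pem" "$tmp/server2.key" && echo "server2.key: ready" || echo "server2.key: rejected, code $?"
rm -rf "$tmp"
```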

Modify nginx configuration file

The following is part of my nginx.conf. Out of personal preference I did not use the default port 443 but changed it to 8185; adjust this to your needs. The other settings can basically be used as shown.

    server {
        listen 8185;
        server_name localhost;

        # "ssl on" is deprecated since nginx 1.15.0; newer versions use "listen 8185 ssl;"
        ssl on;
        ssl_certificate server.pem;
        ssl_certificate_key server.key;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Assumed form: the source shows only the tokens HIGH, RC4 and MD5
        ssl_ciphers HIGH:!RC4:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            # Pass the original host, client address and scheme to Tomcat
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5;
            proxy_send_timeout 5;
            proxy_read_timeout 5;
            # The nginx-to-Tomcat hop is plain HTTP
            proxy_pass http://qlddm_server;
        }
    }

Modify tomcat configuration file

Although Tomcat does not need the certificate, you still need to modify Tomcat's server.xml configuration file in two places:

Change both redirectPort and proxyPort to your nginx listening port.

The Valve tag above needs to be added. Note that httpsServerPort also needs to be changed to the nginx listening port.
