Nginx

使用 SSL 到 Tomcat 的 nginx 代理

  • February 1, 2021

我錯誤地在stackoverflow上發布了這個(https://stackoverflow.com/questions/65942820/nginx-proxy-to-tomcat),我也把它放在這裡,希望能找到一些解決方案。

我經歷了幾十個教程,但我無法弄清楚以下內容(儘管它應該是非常基本的):

我在 /var/www/mydomain.com 中有我編譯的 vue 應用程序,我希望它作為靜態內容共享。

我的後端在 8080 上由 tomcat 在 /api/something… URL 上使用公共 API 執行。URL 是硬編碼的,包括“api”部分。

我想將 nginx 配置為代理 mydomain.com/api/something… 對 tomcat 的請求,並從 /var/www/mydomain.com 靜態地提供休息。一切都通過 SSL 提供。

我幾乎不需要任何其他東西。

你能幫我配置nginx和tomcat來實現嗎?謝謝!

nginx 配置 /etc/nginx/sites-available/mydomain.com

upstream tomcat {
   server 127.0.0.1:8080 fail_timeout=0;
}

server {
       listen 443 ssl default_server;
       #listen [::]:443 ssl default_server;

       root /var/www/mydomain.com;
       index index.html index.htm index.nginx-debian.html;

      server_name _ mydomain.com www.mydomain.com;

       location /api/ {
               include proxy_params;
               proxy_set_header Host $server_name;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
               proxy_pass http://tomcat;
       }

       location / {
               try_files $uri $uri/ /index.html;
       }

       ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
}
server {
   if ($host = www.mydomain.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   if ($host = mydomain.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


      listen 80 default_server;
       listen [::]:80 default_server;

      server_name _ mydomain.com www.mydomain.com;
  return 404; # managed by Certbot
}

(1) 我正在嘗試的替代位置塊

       location /api/ {
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-Proto https;
               proxy_pass http://localhost:8080/api/;
       }

(2) Praveen Premaratne 建議的替代區塊。

這樣我得到"GET /api/docs HTTP/1.0" 302 -並且靜態文件也可以工作。轉到 /api/docs 會重定向到domain:8443/api/docs我得到的地方ERR_CONNECTION_REFUSED

       location /api/ {
               include proxy_params;
               proxy_pass http://tomcat;
       }

       location / {
               try_files $uri $uri/ /index.html;
       }

(3) 替代使用子域。

我能夠創建子域 api.mydomain.com 並將 nginx 配置為從那裡轉到索引頁面(添加以下塊)。不知道之後如何進行代理。

server {
       listen 443 ssl;

       root /var/www/www.mydomain.com; <- redundand I guess?
       index index.html index.htm index.nginx-debian.html; <- redundand I guess?

       server_name api.mydomain.com

       ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
}

Tomcat 配置 server.xml

<Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              address="127.0.0.1"
              redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
  ...
  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
     
     <Valve className="org.apache.catalina.valves.AccessLogValve" 
        directory="logs"
        prefix="localhost_access_log" suffix=".txt"
        requestAttributesEnabled="true"
        pattern="%h %l %u %t "%r" %s %b" />
       
     <Valve className="org.apache.catalina.valves.RemoteIpValve"
        protocolHeader="X-Forwarded-Proto" /> 
  ...    

目前的情況是,當我轉到應該執行 swagger 的 mydomain.com/api/docs 時,我被重定向回 mydomain.com 或出現 500 或 502 錯誤。

好的,所以在@Praveen Premaratne@Piotr P. Karwasz以及這篇文章的幫助下,我想出了以下配置:

不要使用“# managed by Certbot”,它們是由 certbot 創建的,檢查https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt -on-ubuntu-18-04

等/nginx/sites-available/mydomain.com

server {
   server_name    mydomain.com www.mydomain.com;

   root /var/www/mydomain.com;
   index index.html;

   access_log /var/log/nginx/mydomain-access.log;
   error_log /var/log/nginx/mydomain-error.log;

   location / {
       try_files $uri $uri/ /index.html;
   }

   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
   if ($host = www.mydomain.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   if ($host = mydomain.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   server_name    mydomain.com www.mydomain.com;
   listen 80;
   return 404; # managed by Certbot
}

/etc/nginx/sites-available/api.mydomain.com

server {
   server_name    api.mydomain.com;

   access_log /var/log/nginx/api-mydomain-access.log;
   error_log /var/log/nginx/api-mydomain-error.log;

   location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Host $http_host;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://127.0.0.1:8080;
   }

   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
   if ($host = api.mydomain.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot

   server_name    api.mydomain.com;
   listen 80;
   return 404; # managed by Certbot
}

Tomcat 伺服器.xml

<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
   connectionTimeout="20000"
   address="127.0.0.1"
   proxyName="api.mydomain.com"
   proxyPort="80"/>

<Engine name="Catalina" defaultHost="localhost">

   <Realm className="org.apache.catalina.realm.LockOutRealm">
   ...
   </Realm>

   <Host name="localhost"  appBase="webapps"
       unpackWARs="true" autoDeploy="true">

       <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />

       <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t %r %s %b" />

 </Host>
</Engine>

引用自:https://serverfault.com/questions/1051660