使用 SSL 到 Tomcat 的 nginx 代理
我錯誤地在stackoverflow上發布了這個(https://stackoverflow.com/questions/65942820/nginx-proxy-to-tomcat),我也把它放在這裡,希望能找到一些解決方案。
我經歷了幾十個教程,但我無法弄清楚以下內容(儘管它應該是非常基本的):
我在 /var/www/mydomain.com 中有我編譯的 vue 應用程序,我希望它作為靜態內容共享。
我的後端在 8080 上由 tomcat 在 /api/something… URL 上使用公共 API 執行。URL 是硬編碼的,包括“api”部分。
我想將 nginx 配置為代理 mydomain.com/api/something… 對 tomcat 的請求,並從 /var/www/mydomain.com 靜態地提供休息。一切都通過 SSL 提供。
我幾乎不需要任何其他東西。
你能幫我配置nginx和tomcat來實現嗎?謝謝!
nginx 配置 /etc/nginx/sites-available/mydomain.com
upstream tomcat { server 127.0.0.1:8080 fail_timeout=0; } server { listen 443 ssl default_server; #listen [::]:443 ssl default_server; root /var/www/mydomain.com; index index.html index.htm index.nginx-debian.html; server_name _ mydomain.com www.mydomain.com; location /api/ { include proxy_params; proxy_set_header Host $server_name; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://tomcat; } location / { try_files $uri $uri/ /index.html; } ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot } server { if ($host = www.mydomain.com) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = mydomain.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 default_server; listen [::]:80 default_server; server_name _ mydomain.com www.mydomain.com; return 404; # managed by Certbot }
(1) 我正在嘗試的替代位置塊
location /api/ { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https; proxy_pass http://localhost:8080/api/; }
(2) Praveen Premaratne 建議的替代區塊。
這樣我得到
"GET /api/docs HTTP/1.0" 302 -
並且靜態文件也可以工作。轉到 /api/docs 會重定向到domain:8443/api/docs
我得到的地方ERR_CONNECTION_REFUSED
。location /api/ { include proxy_params; proxy_pass http://tomcat; } location / { try_files $uri $uri/ /index.html; }
(3) 替代使用子域。
我能夠創建子域 api.mydomain.com 並將 nginx 配置為從那裡轉到索引頁面(添加以下塊)。不知道之後如何進行代理。
server { listen 443 ssl; root /var/www/www.mydomain.com; <- redundand I guess? index index.html index.htm index.nginx-debian.html; <- redundand I guess? server_name api.mydomain.com ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot }
Tomcat 配置 server.xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" address="127.0.0.1" redirectPort="8443" /> <Engine name="Catalina" defaultHost="localhost"> ... <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" requestAttributesEnabled="true" pattern="%h %l %u %t "%r" %s %b" /> <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" /> ...
目前的情況是,當我轉到應該執行 swagger 的 mydomain.com/api/docs 時,我被重定向回 mydomain.com 或出現 500 或 502 錯誤。
好的,所以在@Praveen Premaratne和@Piotr P. Karwasz以及這篇文章的幫助下,我想出了以下配置:
不要使用“# managed by Certbot”,它們是由 certbot 創建的,檢查https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt -on-ubuntu-18-04
等/nginx/sites-available/mydomain.com
server { server_name mydomain.com www.mydomain.com; root /var/www/mydomain.com; index index.html; access_log /var/log/nginx/mydomain-access.log; error_log /var/log/nginx/mydomain-error.log; location / { try_files $uri $uri/ /index.html; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = www.mydomain.com) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = mydomain.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name mydomain.com www.mydomain.com; listen 80; return 404; # managed by Certbot }
/etc/nginx/sites-available/api.mydomain.com
server { server_name api.mydomain.com; access_log /var/log/nginx/api-mydomain-access.log; error_log /var/log/nginx/api-mydomain-error.log; location / { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:8080; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = api.mydomain.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name api.mydomain.com; listen 80; return 404; # managed by Certbot }
Tomcat 伺服器.xml
<Service name="Catalina"> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" address="127.0.0.1" proxyName="api.mydomain.com" proxyPort="80"/> <Engine name="Catalina" defaultHost="localhost"> <Realm className="org.apache.catalina.realm.LockOutRealm"> ... </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" /> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t %r %s %b" /> </Host> </Engine>