Implementation of Nginx domain name forwarding https access

A word in advance:

Suddenly I received a task to forward the access of multiple domain names to https. In fact, it is very simple to use Nginx, and the documentation is also complete (whether it is Tencent Cloud or Alibaba Cloud). The reason for falling into this pit was the unfamiliarity with the Nginx server and the detours I took.

1. Detour: Tomcat supports SSL

Tencent Cloud Tomcat Server Certificate Configuration

Modify the server.xml file

<Connector 
   port="443" 
   protocol="org.apache.coyote.http11.Http11NioProtocol" 
   SSLEnabled="true" 
   scheme="https" 
   secure="true" 
   keystoreFile="conf\ssl\produced certificate name I use a relative path.jks" 
   keystoreType="JKS" 
   keystorePass="Password corresponding to the certificate" 
   clientAuth="false" 
   sslProtocol="TLSv1+TLSv1.1+TLSv1.2"
   maxThreads="150" 
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256">
</Connector>

<!-- Define an AJP 1.3 Connector on port 8209 -->
<Connector port="8209" protocol="AJP/1.3" redirectPort="8443" secretRequired="" useBodyEncodingForURI="true" URIEncoding="UTF-8"/>

keystoreType="JKS": Please note that this configuration is different from Alibaba Cloud, remember to modify it

<Engine defaultHost="My domain name" name="Catalina" jvmRoute="tomcat1" URIEncoding="UTF-8">
 <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
 <Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
 </Realm>
 <Host name="My domain name" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    prefix="localhost_access_log" suffix=".txt"
    pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 </Host>
</Engine>

I heard from my colleagues that all it takes is configuration. The same thing happened. After the server was started, port 443 was also occupied. It was really a pitfall. If forwarding is not needed, you can change the configuration.

Starting nginx failed bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions

2. Let’s get back to the point

2.1 Requirements Overview

When multiple services are deployed on a server (the IP address of Tencent Cloud's server) and different services need to be accessed through different domain names, domain name forwarding can be performed through Nginx proxy, and https access can be achieved by configuring the SSL module. (My server uses the Windows system. If there is no SSL module, you need to enable it yourself. It is supported by default.)

Deploy three services on one server at the same time: Service A, Service B, and Service C. The services need to be configured with the following domain names:

  • The domain name pangsir01.domain.com corresponds to service A;
  • The domain name pangsir02.domain.com corresponds to service B;
  • The domain name pangsir03.domain.com corresponds to service C;

The service is accessed via https, and http requests are redirected to https.

2.2 Service Proxy Settings

Configure Nginx to listen on port 443 (I was stuck here for a long time because of the Tomcat configuration, and it was unsuccessful) to implement domain name forwarding and https access. The certificate used in this example is a crt format certificate.

(1) Configuration of Service A

server {
 listen 443 ssl; #Listening port; this form is recommended for Nginx 1.5 and later
 server_name pangsir01.domain.com; #Request domain name
 ssl_certificate ssl/certificate name A.crt; #crt certificate path; stored in Nginx's conf/ssl folder, an absolute path can also be used
 ssl_certificate_key ssl/certificate name A.key; #crt certificate key path
 ssl_session_timeout 5m; #Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #SSL protocol

 #Intercept all requests
 location / {
  proxy_http_version 1.1; #http protocol used by the proxy
  proxy_set_header Host $host; #header adds request host information
  proxy_set_header X-Real-IP $remote_addr; #header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Add proxy record
  proxy_pass http://127.0.0.1:8001; #Service A access address
 }
}

(2) Configuration of Service B

server {
 listen 443 ssl; #Listening port; this form is recommended for Nginx 1.5 and later
 server_name pangsir02.domain.com; #Request domain name
 ssl_certificate ssl/certificate name B.crt; #crt certificate path; stored in Nginx's conf/ssl folder, an absolute path can also be used
 ssl_certificate_key ssl/certificate name B.key; #crt certificate key path
 ssl_session_timeout 5m; #Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #SSL protocol

 #Intercept all requests
 location / {
  proxy_http_version 1.1; #http protocol used by the proxy
  proxy_set_header Host $host; #header adds request host information
  proxy_set_header X-Real-IP $remote_addr; #header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Add proxy record
  proxy_pass http://127.0.0.1:8002; #Service B access address
 }
}

(3) Configuration of Service C

server {
 listen 443 ssl; #Listening port; this form is recommended for Nginx 1.5 and later
 server_name pangsir03.domain.com; #Request domain name
 ssl_certificate ssl/certificate name C.crt; #crt certificate path; stored in Nginx's conf/ssl folder, an absolute path can also be used
 ssl_certificate_key ssl/certificate name C.key; #crt certificate key path
 ssl_session_timeout 5m; #Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #SSL protocol

 #Intercept all requests
 location / {
  proxy_http_version 1.1; #http protocol used by the proxy
  proxy_set_header Host $host; #header adds request host information
  proxy_set_header X-Real-IP $remote_addr; #header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Add proxy record
  proxy_pass http://127.0.0.1:8003; #Service C access address
 }
}

2.3 Automatic forwarding of http requests

Add a server configuration that listens on port 80 and redirects all domain names to https.

server {
 listen 80; #Listening port
 server_name a.domain.com b.domain.com c.domain.com; #Request domain name
 return 301 https://$host$request_uri; #Redirect to https access.
}
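
A hardened variant of the 2.2 and 2.3 configuration, added here as an example and not part of the original article: TLS 1.0 and 1.1 are dropped (both are deprecated by RFC 8996), the cipher list is restricted to ECDHE key exchange with AEAD suites, and catch-all servers keep requests for unknown host names from reaching service A or being copied into the redirect. It assumes Nginx 1.19.4 or later built with OpenSSL 1.1.1 or later; the certificate file names are placeholders, and the HSTS and X-Forwarded-Proto headers are additions the original configuration does not have.

```nginx
# Added example; place inside the http { } block of nginx.conf.
# Assumes nginx >= 1.19.4 built with OpenSSL >= 1.1.1.

# TLS settings declared once and inherited by every server block below.
ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 are deprecated (RFC 8996)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_session_timeout 5m;

# Port 443 catch-all: refuse the handshake when the requested name is not
# one of the configured domains, instead of falling through to service A.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
    return 444;   # also drop requests whose Host header matches no server_name
}

# Port 80 catch-all: close the connection without a response, so an
# arbitrary Host header is never copied into the redirect below.
server {
    listen 80 default_server;
    return 444;
}

# Redirect only the three known names to https.
server {
    listen 80;
    server_name pangsir01.domain.com pangsir02.domain.com pangsir03.domain.com;
    return 301 https://$host$request_uri;
}

# Service A; services B and C follow the same pattern with their own
# server_name, certificate pair and proxy_pass port (8002, 8003).
server {
    listen 443 ssl;
    server_name pangsir01.domain.com;
    ssl_certificate     ssl/service-a.crt;   # placeholder file name
    ssl_certificate_key ssl/service-a.key;   # placeholder file name
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # backend can tell the client used https
        proxy_pass http://127.0.0.1:8001;
    }
}
```

Running nginx -t after editing checks the syntax before the configuration is reloaded.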

My needs are met here. The following content is extended content. Please record it.

3. SSL Configuration for WebSocket

If websocket is used in service A (the access interface is: /websocket), the ws protocol needs to be replaced with the wss protocol. A location configuration can be added to the server configuration of service A to intercept websocket for separate proxy.

The configuration of service A, after modification:

server {
  listen 443 ssl; #Listening port
  server_name pangsir01.domain.com; #Request domain name
  ssl_certificate ssl/certificate name A.crt; #crt certificate path
  ssl_certificate_key ssl/certificate name A.key; #crt certificate key path
  ssl_session_timeout 5m; #Session timeout
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #Encryption algorithm
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #SSL protocol

  #Intercept all requests
  location / {
   proxy_http_version 1.1; #http protocol used by the proxy
   proxy_set_header Host $host; #header adds request host information
   proxy_set_header X-Real-IP $remote_addr; #header adds request source IP information
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Add proxy record
   proxy_pass http://127.0.0.1:8001; #Service A access address
  }

  #Intercept websocket request
  location /websocket {
   proxy_pass http://127.0.0.1:8001;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
  }
 }
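
A variant of the /websocket location, added as an example and not part of the original article: the map sends Connection: upgrade to the backend only when the client actually requested an upgrade, the Host and forwarding headers match those set in location /, and the read timeout is raised because Nginx by default closes a proxied connection after 60 seconds without data from the backend. The 1h timeout is an assumed value.

```nginx
# Added example. The map goes in the http { } block.
# An empty Upgrade request header yields "Connection: close" toward the backend;
# any other value yields "Connection: upgrade".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# This location goes inside the server block of service A, next to location /.
location /websocket {
    proxy_pass http://127.0.0.1:8001;
    proxy_http_version 1.1;                          # upgrades require HTTP/1.1 to the backend
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;                     # same headers as location /
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_read_timeout 1h;                           # assumed value; default is 60s
}
```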
