Implementation of Nginx domain name forwarding https access

A word in advance:

Suddenly I received a task to forward the access of multiple domain names to https. In fact, it is very simple to do with Nginx, and the documentation is also complete (whether it is Tencent Cloud or Alibaba Cloud). The reason for falling into this pit was my unfamiliarity with the Nginx server and the detours I took.

1. Detour: Tomcat supports SSL

Tencent Cloud Tomcat Server Certificate Configuration

Modify the server.xml file

<Connector 
   port="443" 
   protocol="org.apache.coyote.http11.Http11NioProtocol" 
   SSLEnabled="true" 
   scheme="https" 
   secure="true" 
   keystoreFile="conf\ssl\produced certificate name I use a relative path.jks" 
   keystoreType="JKS" 
   keystorePass="Password corresponding to the certificate" 
   clientAuth="false" 
   sslProtocol="TLSv1+TLSv1.1+TLSv1.2"
   maxThreads="150"
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256">
</Connector>

<!-- Define an AJP 1.3 Connector on port 8209 -->
<Connector port="8209" protocol="AJP/1.3" redirectPort="8443" secretRequired="" useBodyEncodingForURI="true" URIEncoding="UTF-8"/>

keystoreType="JKS": Please note that this configuration is different from Alibaba Cloud, remember to modify it

<Engine defaultHost="My domain name" name="Catalina" jvmRoute="tomcat1" URIEncoding="UTF-8">
 <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
 <Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
 </Realm>
 <Host name="My domain name" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    prefix="localhost_access_log" suffix=".txt"
    pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 </Host>
</Engine>

I heard from my colleagues that all it takes is configuration. The same thing happened. After the server was started, port 443 was also occupied. It was really a pitfall. If forwarding is not needed, you can change the configuration.

Starting nginx failed bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions

2. Let’s get back to the point

2.1 Requirements Overview

When multiple services are deployed on a server (the IP address of Tencent Cloud's server) and different services need to be accessed through different domain names, domain name forwarding can be performed through Nginx proxy, and https access can be achieved by configuring the SSL module. (My server uses the Windows system. If there is no SSL module, you need to enable it yourself. It is supported by default.)

Deploy three services on one server at the same time: Service A, Service B, and Service C. The services need to be configured with the following domain names:

  • The domain name pangsir01.domain.com corresponds to service A;
  • The domain name pangsir02.domain.com corresponds to service B;
  • The domain name pangsir03.domain.com corresponds to service C;

The service is accessed via https, and http requests are redirected to https.

2.2 Service Proxy Settings

Configure Nginx to listen on port 443 (I was stuck here for a long time because of the Tomcat configuration, and it was unsuccessful) to implement domain name forwarding and https access. The certificate used in this example is a crt format certificate.

(1) Configuration of Service A

server {
 listen 443 ssl; # Listening port; Nginx 1.5 and later recommends using this form
 server_name pangsir01.domain.com; # Request domain name
 ssl_certificate ssl/certificate name A.crt; # crt certificate path; stored in Nginx's conf/ssl folder, an absolute path can also be used
 ssl_certificate_key ssl/certificate name A.key; # crt certificate key path
 ssl_session_timeout 5m; # Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL protocol; TLSv1 and TLSv1.1 are deprecated (RFC 8996), drop them when no client needs them

 # Intercept all requests
 location / {
  proxy_http_version 1.1; # http protocol used by the proxy
  proxy_set_header Host $host; # header adds request host information
  proxy_set_header X-Real-IP $remote_addr; # header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Add proxy record
  proxy_pass http://127.0.0.1:8001; # Service A access address
 }
}

(2) Configuration of Service B

server {
 listen 443 ssl; # Listening port; Nginx 1.5 and later recommends using this form
 server_name pangsir02.domain.com; # Request domain name
 ssl_certificate ssl/certificate name B.crt; # crt certificate path; stored in Nginx's conf/ssl folder, an absolute path can also be used
 ssl_certificate_key ssl/certificate name B.key; # crt certificate key path
 ssl_session_timeout 5m; # Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL protocol

 # Intercept all requests
 location / {
  proxy_http_version 1.1; # http protocol used by the proxy
  proxy_set_header Host $host; # header adds request host information
  proxy_set_header X-Real-IP $remote_addr; # header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Add proxy record
  proxy_pass http://127.0.0.1:8002; # Service B access address
 }
}

(3) Configuration of Service C

server {
 listen 443 ssl; # Listening port; Nginx 1.5 and later recommends using this form
 server_name pangsir03.domain.com; # Request domain name
 ssl_certificate ssl/certificate name C.crt; # crt certificate path; stored in Nginx's conf/ssl folder, an absolute path can also be used
 ssl_certificate_key ssl/certificate name C.key; # crt certificate key path
 ssl_session_timeout 5m; # Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL protocol

 # Intercept all requests
 location / {
  proxy_http_version 1.1; # http protocol used by the proxy
  proxy_set_header Host $host; # header adds request host information
  proxy_set_header X-Real-IP $remote_addr; # header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Add proxy record
  proxy_pass http://127.0.0.1:8003; # Service C access address
 }
}

2.3 Automatic forwarding of http requests

Add a server block that listens on port 80 and redirects all of the domain names to https:

server {
 listen 80; # Listening port
 server_name pangsir01.domain.com pangsir02.domain.com pangsir03.domain.com; # Request domain names
 return 301 https://$host$request_uri; # Redirect to https access
}
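
A hardened variant of the service A block and the port-80 redirect, as an added example rather than the article's own configuration. It assumes nginx 1.19.4 or later built against OpenSSL 1.1.1 or later; the certificate file names are placeholders.

```nginx
# Added example (not the article's configuration).

# Catch-all for port 443: a handshake for any name not configured below is
# refused instead of being answered with some other service's certificate.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;            # available since nginx 1.19.4
}

# Catch-all for port 80: requests with an unknown Host header are dropped,
# so $host in the redirect below can only be one of the three listed names.
server {
    listen 80 default_server;
    return 444;                         # close the connection, send nothing
}

server {
    listen 80;
    server_name pangsir01.domain.com pangsir02.domain.com pangsir03.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name pangsir01.domain.com;

    ssl_certificate     ssl/certificate-A.crt;   # placeholder file name
    ssl_certificate_key ssl/certificate-A.key;   # placeholder file name
    ssl_session_timeout 5m;

    ssl_protocols TLSv1.2 TLSv1.3;      # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    # AEAD suites with forward secrecy only (applies to TLSv1.2)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Browsers that have seen this header skip the plain-http hop for a year
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # backend learns the client used https
        proxy_pass http://127.0.0.1:8001;
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading; services B and C follow the same pattern with their own certificate and backend port.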

My needs are met here. The following content is extended content. Please record it.

3. SSL Configuration for WebSocket

If websocket is used in service A (the access interface is: /websocket), the ws protocol needs to be replaced with the wss protocol. A location configuration can be added to the server configuration of service A to intercept websocket for separate proxy.

The configuration of service A, after modification:

server {
 listen 443 ssl; # Listening port
 server_name pangsir01.domain.com; # Request domain name
 ssl_certificate ssl/certificate name A.crt; # crt certificate path
 ssl_certificate_key ssl/certificate name A.key; # crt certificate key path
 ssl_session_timeout 5m; # Session timeout
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Encryption algorithm
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # SSL protocol

 # Intercept all requests
 location / {
  proxy_http_version 1.1; # http protocol used by the proxy
  proxy_set_header Host $host; # header adds request host information
  proxy_set_header X-Real-IP $remote_addr; # header adds request source IP information
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Add proxy record
  proxy_pass http://127.0.0.1:8001; # Service A access address
 }

 # Intercept websocket requests
 location /websocket {
  proxy_pass http://127.0.0.1:8001;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
 }
}
