Nginx + 阿里云SSL + tomcat 实现https访问代理

第一步：阿里云申请云盾证书服务

第二步：下载证书

第三步：修改Nginx配置

1. 证书文件214033834890360.pem，包含两段内容，请不要删除任何一段内容。

2. 如果是证书系统创建的CSR，还包含：证书私钥文件214033834890360.key。

( 1 ) 在Nginx的安装目录下创建cert目录，并且将下载的全部文件拷贝到cert目录中。如果申请证书时是自己创建的CSR文件，请将对应的私钥文件放到cert目录下并且命名为214033834890360.key；

( 2 ) 打开 Nginx 安装目录下 conf 目录中的 nginx.conf 文件，找到：

worker_processes 4;
error_log logs/error.log crit; #日志位置和日志级别
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream backend {
#ip_hash;
server 172.17.0.3:8080 weight=1 max_fails=2 fail_timeout=2;
server 172.17.0.4:8080 weight=1 max_fails=2 fail_timeout=2;
}
upstream mgr {
#ip_hash;
server 172.17.0.7:8080 weight=1 max_fails=2 fail_timeout=2;
}

server {

listen 443;
server_name  localhost;
ssl on;
root html;
index index.html index.htm;
ssl_certificate   cert/214031620150360.pem;
ssl_certificate_key  cert/214031620150360.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

location / {
proxy_pass  http://backend; ### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
### Set headers ####
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Most PHP, Python, Rails, Java App can use this header ###
proxy_set_header X-Forwarded-Proto https;
### By default we don't want to redirect it ####
proxy_redirect     off;
}

location /test/ {
proxy_pass  http://172.17.0.5:8080; ### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
### Set headers ####
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Most PHP, Python, Rails, Java App can use this header ###
proxy_set_header X-Forwarded-Proto https;
### By default we don't want to redirect it ####
proxy_redirect     off;
}
location /dev/ {
proxy_pass http://172.17.0.6:8080; ### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
### Set headers ####
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Most PHP, Python, Rails, Java App can use this header ###
proxy_set_header X-Forwarded-Proto https;
### By default we don't want to redirect it ####
proxy_redirect     off;
}
location /pre/ {
proxy_pass http://mgr; ### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
### Set headers ####
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Most PHP, Python, Rails, Java App can use this header ###
proxy_set_header X-Forwarded-Proto https;
### By default we don't want to redirect it ####
proxy_redirect     off;
}
}
}

修改Tomcat配置

新增配置项：
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https"/>

第四步：启动Nginx

/usr/local/nginx/nginx

第五步：测试https域名

OK