1.安装Nginx或Nginx增加SSL模块

1.1如果没有安装Nginx

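# 1.1.1 Upload the Nginx source tarball (rz = ZMODEM receive through the terminal).
# NOTE(review): 1.9.9 is a 2015 mainline release; use a current stable release and
# check the tarball against the signature published alongside it before building --
# this binary will be terminating TLS for the site.
cd /usr/local/
rz # pick the Nginx tarball
# 1.1.2 Extract
tar -xzf nginx-1.9.9.tar.gz
# 1.1.3 Build and install
# 1.1.3.1 Build dependencies: gcc, openssl-devel (http_ssl_module), pcre-devel (regex), zlib-devel (gzip)
yum -y install gcc openssl-devel pcre-devel zlib-devel
# 1.1.3.2 configure -- http_ssl_module is the one this guide needs; the other two are optional extras
cd nginx-1.9.9 && ./configure --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --prefix=/usr/local/nginx
# 1.1.3.3 make
make
# 1.1.3.4 make install (two words -- `makeinstall` is not a command)
make install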
# 1.1.4 Environment variables
# Either the user's ~/.profile or the global /etc/profile works; this guide uses the global file.
vim /etc/profile
# Replace the line `export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL` with the block below.
# NOTE(review): $MYSQL_HOME is referenced but not defined in this snippet -- it must
# already be set earlier in /etc/profile. JDK 1.6 and Tomcat 7 are end-of-life
# versions; the paths are the guide's, substitute current releases.
export JAVA_HOME=/usr/local/jdk1.6.0_45
export CATALINA_HOME=/usr/local/apache-tomcat-7.0.67
export NGINX_HOME=/usr/local/nginx
export PATH=$JAVA_HOME/bin:$CATALINA_HOME/bin:$MYSQL_HOME/bin:$NGINX_HOME/sbin:$PATH
export USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
# Re-read the profile so the current shell picks up the new PATH
source /etc/profile
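# 1.1.5 Open the listener ports in iptables (CentOS 6 style; on firewalld hosts use firewall-cmd instead).
# The HTTPS server block in section 3 listens on 443, so 443 must be opened as well as 80.
# Do NOT open 8080: Tomcat is reached only through the proxy at 127.0.0.1:8080.
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/etc/rc.d/init.d/iptables save
# Show the active rules
/etc/init.d/iptables status # same as: service iptables status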

1.2若已经安装过NGINX,但是没有安装SSL模块

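nginx -V # shows the configure arguments of the installed build: keep ALL of them below and add --with-http_ssl_module
cd /usr/local/nginx-1.9.9 && ./configure --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --prefix=/usr/local/nginx # reconfigure
make # build only; objs/nginx does not exist until this runs (the original skipped it)
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old # keep the old binary for rollback
nginx -s stop # cp cannot overwrite a running executable (Linux reports "Text file busy")
cp ./objs/nginx /usr/local/nginx/sbin/ # replace the binary
nginx -t && nginx # check the config, then start the new binary (zero-downtime alternative: the SIGUSR2 upgrade procedure in the nginx docs)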

2.证书制作

注:以下命令在 openssl 交互式命令行(提示符 `OpenSSL>`)中输入;也可以在 shell 中给每条命令加上 `openssl ` 前缀直接执行。

2.1生成根证书

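# 2.1 Self-signed root CA (key + certificate). -sha256 forces a SHA-256 signature
# (older OpenSSL defaults to SHA-1, which current browsers reject). The CA key is
# the trust anchor: it is encrypted with a passphrase you are prompted for, is only
# needed again in step 2.4, and should not live on the web server. Add -nodes only
# for a throw-away test CA whose key you do not mind storing in clear.
OpenSSL> req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout root-key.key -out root-cert.pem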

2.2生成用户私钥

# 2.2 Server ("user") private key, 2048-bit RSA. It is written unencrypted so nginx
# can start unattended; restrict it to root (chmod 600) once it is copied into conf/.
OpenSSL> genrsa -out user-key.key 2048

2.3生成用户证书请求文件

# 2.3 Certificate signing request for the server key; you are prompted for the
# subject fields (Common Name = the site's host name).
OpenSSL> req -new -key user-key.key -out user-req.csr

注:Common Name 填写网站域名(测试时可填 localhost),不要填 IP 地址。另外,现代浏览器校验主机名时只看 subjectAltName(SAN)扩展而不看 Common Name,正式使用时证书还应包含与域名一致的 SAN。

2.4为用户颁发证书

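# 2.4 Sign the CSR with the root CA. -CA must be the root-cert.pem written in step
# 2.1 (the original referenced a root-cert.cer that is never created). -sha256:
# SHA-1 signatures are rejected by current browsers. -CAcreateserial creates the
# serial file on first use so issued serial numbers do not repeat.
# NOTE(review): browsers match the host against subjectAltName, not CN; add a SAN
# via -extfile/-extensions here (or -addext on the req with OpenSSL >= 1.1.1).
OpenSSL> x509 -req -sha256 -in user-req.csr -out user-cert.cer -CA root-cert.pem -CAkey root-key.key -CAcreateserial -days 365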

3.Nginx配置反向代理

# 3. Open the main config; certificate paths in the server block below are relative to this conf/ directory.
cd /usr/local/nginx/conf
vim nginx.conf
# Add the following server block inside the http { } block:
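server {
    # `listen ... ssl` replaces the deprecated `ssl on;` (deprecated in 1.15 and since removed).
    listen 443 ssl;
    server_name localhost;

    # SSLv2/SSLv3 (DROWN, POODLE) and TLS 1.0/1.1 are broken or deprecated; offer TLS 1.2 only
    # (add TLSv1.3 when running nginx >= 1.13 built against OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2;

    # Paths are relative to the conf/ directory (step 2 output copied there);
    # the key file must be readable only by root.
    ssl_certificate user-cert.cer;
    ssl_certificate_key user-key.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location /java/ {
        # Plain HTTP to Tomcat on loopback. Make sure Tomcat's 8080 connector is bound to
        # 127.0.0.1 (address="127.0.0.1") or firewalled; otherwise the TLS front end can be bypassed.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Tomcat the original request was HTTPS (for redirects / secure cookies).
        proxy_set_header X-Forwarded-Proto https;
        # $ssl_client_cert is empty unless ssl_verify_client / ssl_client_certificate are configured;
        # proxy_set_header overwrites any client-supplied SSL_CERT header, so the backend
        # only ever sees a value nginx produced.
        proxy_set_header SSL_CERT $ssl_client_cert;
    }
}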

注:将第 2 步生成的 user-cert.cer 和 user-key.key 放到 /usr/local/nginx/conf 目录下,并把私钥权限设为仅 root 可读(chmod 600 user-key.key);根 CA 私钥 root-key.key 不要放到 web 服务器上。

4.浏览器端安装证书(将第 2.1 步生成的根证书 root-cert.pem 导入为"受信任的根证书颁发机构",浏览器即可信任由它签发的 user-cert.cer;不要导入任何私钥文件)

5.Https直接访问Tomcat如何配置:

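<!-- Tomcat 7 HTTPS connector using the certificate from step 2.
     SSLCertificateFile / SSLCertificateKeyFile are attributes of the APR/native
     connector; the JSSE connector (the fallback when tcnative is not installed)
     ignores them and needs a keystore instead, so pin the APR protocol explicitly.
     SSLProtocol (capital S) is the APR spelling; "TLSv1.2" disables SSLv2/v3 and
     TLS 1.0/1.1 (needs a tcnative build that supports it). The cipher list mirrors
     the nginx config. Use absolute paths for the two files to avoid CWD surprises. -->
<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    SSLProtocol="TLSv1.2"
    SSLCipherSuite="HIGH:!aNULL:!MD5"
    SSLCertificateFile="user-cert.cer"
    SSLCertificateKeyFile="user-key.key"/>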