[Tomcat] -- Tomcat + Nginx reverse proxy for https and wss, and getting the client's real IP, domain name, protocol and port

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 20:18

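At first I only set up http and ws. Because a mini program requires https and wss, I had no choice but to convert the server from http to https and from ws to wss.

First, we need to apply for an https certificate; please refer to the earlier blog post.

Second, move the whole site to https and wss:

Below is my configuration (Tomcat already serves https on port 8999; websocket is provided by a separate Tomcat on port 10000):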

    server
    {
        listen 80;
        #listen [::]:80;
        server_name xxx.com;

        # ws proxy
        location /webtcpnode/
        {
            proxy_pass http://127.0.0.1:10000;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forward-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # two ways to force http to https
        #rewrite ^(.*)$  https://$host$1 permanent;    # ①
        location / {                                    # ②
            rewrite ^/(.*) https://$host/$1 redirect;
        }
        access_log  /home/wwwlogs/xxx.log  access;
    }

    server
    {
        listen 443;
        #listen [::]:80;
        server_name dev.smart-ism.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/xxx.com;

        # "ssl on" is deprecated in newer nginx, which uses "listen 443 ssl;" instead
        ssl on;
        ssl_certificate   cert/214214075370856.pem;
        ssl_certificate_key  cert/214214075370856.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require it
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location /
        {
            proxy_pass https://127.0.0.1:8999;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forward-For $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect     off;
            #include proxy-totomcat.conf;
        }

        # wss proxy
        location /webtcpnode/
        {
            proxy_pass http://127.0.0.1:10000;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forward-For $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            #rewrite /webtcpnode/(.*) /$1 break;
            proxy_redirect off;
        }

        #location /
        #{
        #    try_files $uri @apache;
        #}
        #location @apache
        #{
        #    internal;
        #    proxy_pass http://127.0.0.1:88;
        #    include proxy.conf;
        #}
        #location ~ [^/]\.php(/|$)
        #{
        #    proxy_pass http://127.0.0.1:88;
        #    include proxy.conf;
        #}
        #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        #{
        #    expires      30d;
        #}
        #location ~ .*\.(js|css)?$
        #{
        #    expires      12h;
        #}
        access_log  /home/wwwlogs/xxx.com.log  access;
    }

Third, change how Tomcat obtains the client information as it was before the proxy

Documentation: http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

Configuration: Tomcat's server.xml

Add the following to the Nginx configuration:

    # For a non-80 port; when using port 80, $server_port is not needed
    proxy_set_header Host $host:$server_port;
    # Optional; once added, code can get the IP via request.getHeader("X-Real-IP")
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

Tomcat server.xml configuration (this is the key part!):

    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpsServerPort="7001"/>
      <!-- For a non-80 port, the httpsServerPort setting must be added;
           otherwise request.getServerPort() returns 443. -->
    </Engine>
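The valve configured above resolves the client address by walking X-Forwarded-For from right to left and stopping at the first address that is not a trusted proxy, so a value the client placed in the header itself does not become the remote IP. The following Python model of that walk is an added example, not code from the original post or from Tomcat; the function names, the internal-proxy list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks treated as internal proxies; 127.0.0.0/8 covers the
# local nginx from this setup. The valve itself matches addresses by regex.
INTERNAL_PROXIES = [ipaddress.ip_network(n)
                    for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr parses as an IP inside one of the internal networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable entry is never a trusted hop
    return any(ip in net for net in INTERNAL_PROXIES)


def nginx_append(client_xff, remote_addr):
    """Value of $proxy_add_x_forwarded_for: client header plus the real peer."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr


def resolve_client_ip(peer_addr, xff):
    """Walk the header right to left; stop at the first non-proxy address."""
    if not xff or not is_internal(peer_addr):
        return peer_addr  # header from an untrusted peer is ignored
    remote = peer_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        remote = hop
        if not is_internal(hop):
            break
    return remote


def naive_first_entry(xff):
    """The mistake to avoid: trusting the leftmost, client-controlled entry."""
    return xff.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed sample: the client at 203.0.113.7 supplies its own header value.
    header = nginx_append("1.2.3.4", "203.0.113.7")
    print("header seen by Tomcat:", header)
    print("right-to-left result: ", resolve_client_ip("127.0.0.1", header))
    print("leftmost entry:       ", naive_first_entry(header))
```

Application code that reads the header directly instead of calling request.getRemoteAddr() behind the valve should follow the same right-to-left rule.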



References: http://blog.csdn.net/vfush/article/details/51086274

          http://blog.csdn.net/xiao__gui/article/details/73733797




