HTTPS on Nginx

Source: Internet  Editor: 程序博客网  Time: 2024/05/22 06:22

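Step 1: Apply for the Cloud Shield (云盾) certificate service on Alibaba Cloud

Step 2: Download the certificate

Step 3: Modify the Nginx configuration

1. The certificate file 214033834890360.pem contains two blocks; do not delete either of them.

2. If the CSR was created by the certificate system, the download also includes the certificate private key file 214033834890360.key.

( 1 ) Create a cert directory under the Nginx installation directory and copy all the downloaded files into it. If you created the CSR file yourself when applying for the certificate, put the corresponding private key file in the cert directory and name it 214033834890360.key;

( 2 ) Open the nginx.conf file in the conf directory under the Nginx installation directory and find: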

worker_processes 4;
error_log logs/error.log crit;  # log location and log level
pid logs/nginx.pid;
worker_rlimit_nofile 65535;

events {
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    upstream backend {
        #ip_hash;
        server 172.17.0.3:8080 weight=1 max_fails=2 fail_timeout=2;
        server 172.17.0.4:8080 weight=1 max_fails=2 fail_timeout=2;
    }

    upstream mgr {
        #ip_hash;
        server 172.17.0.7:8080 weight=1 max_fails=2 fail_timeout=2;
    }

    server {
        # "listen 443 ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name localhost;
        root html;
        index index.html index.htm;
        ssl_certificate cert/214031620150360.pem;
        ssl_certificate_key cert/214031620150360.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are no longer enabled here;
        # add TLSv1.3 if your Nginx/OpenSSL build supports it
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://backend;
            ### try the next upstream if one of the backends has died ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            ### Set headers ####
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ## Most PHP, Python, Rails, Java App can use this header ###
            proxy_set_header X-Forwarded-Proto https;
            ### By default we don't want to redirect it ####
            proxy_redirect off;
        }

        location /test/ {
            proxy_pass http://172.17.0.5:8080;
            ### try the next upstream if one of the backends has died ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            ### Set headers ####
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ## Most PHP, Python, Rails, Java App can use this header ###
            proxy_set_header X-Forwarded-Proto https;
            ### By default we don't want to redirect it ####
            proxy_redirect off;
        }

        location /dev/ {
            proxy_pass http://172.17.0.6:8080;
            ### try the next upstream if one of the backends has died ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            ### Set headers ####
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ## Most PHP, Python, Rails, Java App can use this header ###
            proxy_set_header X-Forwarded-Proto https;
            ### By default we don't want to redirect it ####
            proxy_redirect off;
        }

        location /pre/ {
            proxy_pass http://mgr;
            ### try the next upstream if one of the backends has died ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            ### Set headers ####
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ## Most PHP, Python, Rails, Java App can use this header ###
            proxy_set_header X-Forwarded-Proto https;
            ### By default we don't want to redirect it ####
            proxy_redirect off;
        }
    }
}

Modify the Tomcat configuration

Add this configuration item:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https"/>

Step 4: Start Nginx

/usr/local/nginx/nginx

Step 5: Test the https domain

OK
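
A pre-flight check worth running before Nginx is started in step 4, given here as an added example that is not part of the original page: it confirms that the files named by ssl_certificate and ssl_certificate_key exist (the file names in step 3 use 214033834890360 while the sample nginx.conf uses 214031620150360), that the .pem still holds both blocks, and that the private key is not group or world readable. The function names, the make_fixture helper and the second argument (the directory that relative certificate paths resolve against) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of the certificate
# files named in nginx.conf.
# Usage: check_cert_files <nginx.conf> <base dir for relative cert paths>
check_cert_files() {
    conf=$1; base=$2; rc=0
    # First ssl_certificate / ssl_certificate_key value found in the file.
    crt=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "FAIL: ssl_certificate or ssl_certificate_key not set in $conf" >&2
        return 1
    fi
    case $crt in /*) ;; *) crt=$base/$crt ;; esac
    case $key in /*) ;; *) key=$base/$key ;; esac
    for f in "$crt" "$key"; do
        [ -f "$f" ] || { echo "FAIL: $f not found (name in nginx.conf differs from the download?)" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # The .pem must keep both of its blocks.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt" || true)
    [ "$n" -ge 2 ] || { echo "FAIL: $crt has $n certificate block(s), expected 2" >&2; rc=1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "FAIL: $key does not look like a PEM private key" >&2; rc=1; }
    # The private key should be readable by its owner only.
    if [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: $key is group/world readable; chmod 600 it" >&2; rc=1
    fi
    return "$rc"
}

# Constructed fixture for trying the check: placeholder PEM markers, no real key material.
make_fixture() {
    dir=$1; id=$2
    mkdir -p "$dir/cert"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'c2VydmVy' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'aW50ZXJtZWRpYXRl' '-----END CERTIFICATE-----' > "$dir/cert/$id.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' > "$dir/cert/$id.key"
    chmod 600 "$dir/cert/$id.key"
}

# Stand-alone use: sh this-script <nginx.conf> <base dir>
if [ "$#" -eq 2 ]; then check_cert_files "$1" "$2"; fi
```

The check only looks at file names, PEM markers and permissions; it does not verify that the key belongs to the certificate.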

Redirect http to https
server {
    listen 80;
    server_name 127.0.0.1;
    # permanent (301) redirect; $host is the normalized host name, unlike the raw $http_host header
    return 301 https://$host$request_uri;
}