While looking something up on Baidu recently, I noticed that some personal blogs use HTTPS and that the browser marks them with a green "Secure" label in the address bar, so I went ahead and moved my own project to HTTPS as well. Its advantages are out of scope here (they are easy to look up); what I am sharing today is the integration and deployment, in the hope that it saves others some detours.

The effect is as follows:

Software versions:

System: CentOS 6.5
Nginx: Tengine/2.1.2 (nginx/1.6.2)
SSL certificate: Let's Encrypt (free)
Tomcat: Apache Tomcat 8.0.47
CDN: Cloudflare.com

1. Generate an SSL certificate

First, create a directory for the Let's Encrypt client and enter it:

mkdir -p /usr/local/letsencrypt && cd /usr/local/letsencrypt

Next, clone the Let's Encrypt client into that directory (note the trailing dot, so that ./letsencrypt-auto ends up right here rather than in a letsencrypt/ subdirectory; the repository has since been renamed certbot and letsencrypt-auto is a wrapper around it):

git clone https://github.com/letsencrypt/letsencrypt .

Request the certificate in standalone mode, in which the client starts its own temporary web server to answer the validation challenge:

./letsencrypt-auto certonly --standalone --email test@qq.com -d www.test1.com -d www.test2.com --agree-tos

Notes:

(1) Issuance does not work while the domain's nameservers are at a domestic (Chinese) DNS provider; switch them to a provider such as Cloudflare, GoDaddy or DNSEver first, then it goes through normally.
(2) Because --standalone binds port 80 itself, stop nginx (and anything else occupying port 80) before running it, and start nginx again afterwards.
(3) -d gives a domain name; repeat it to put several names on one certificate. The output directory is named after the first -d value.

Once issued, the files are in the default location (the entries under live/ are symlinks into /etc/letsencrypt/archive/ that are updated on renewal):

/etc/letsencrypt/live/www.test.com/
    cert.pem       server certificate
    chain.pem      intermediate certificate(s)
    fullchain.pem  certificate chain (cert.pem followed by chain.pem); this is what nginx serves
    privkey.pem    private key (keep it readable by root only)

Let's Encrypt certificates are valid for 90 days, so plan the renewal now: the client's renew subcommand run from cron (in standalone mode with nginx stopped and started around it), followed by an nginx reload, since nginx only rereads the certificate files on reload.

Finally, generate Diffie-Hellman parameters for the DHE cipher suites, which provide perfect forward secrecy (PFS). Generating 2048-bit parameters takes a few minutes:

mkdir -p /etc/ssl/private/
cd /etc/ssl/private/
openssl dhparam -out dhparam.pem 2048

2. Nginx: configure the SSL certificate and proxy to Tomcat

	# Tomcat listening on port 8080 (loopback only)
	upstream tomcat_8080 {
		server 127.0.0.1:8080 weight=1;
	}

	# Redirect all HTTP traffic to HTTPS
	server {
		listen 80;
		server_name www.test.com;
		return 301 https://$server_name$request_uri;
	}

	# HTTPS
	server {
		# "ssl" on the listen directive replaces the older "ssl on;"
		listen 443 ssl;
		server_name www.test.com;

		# files generated by letsencrypt
		ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem;

		ssl_session_timeout 1d;
		ssl_session_cache shared:SSL:50m;
		# tickets are encrypted with a key nginx generates at startup and only changes on
		# restart; turn them off (or rotate ssl_session_ticket_key) if forward secrecy must
		# hold across long uptimes
		ssl_session_tickets on;

		ssl_dhparam /etc/ssl/private/dhparam.pem;

		# TLSv1 and TLSv1.1 are kept for old clients; both are deprecated (RFC 8996),
		# so drop them if your clients allow it
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		# Mozilla's "Intermediate" recommendation of the time (note it still includes
		# 3DES, DES-CBC3-SHA, for legacy clients): https://wiki.mozilla.org/Security/Server_Side_TLS
		ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
		ssl_prefer_server_ciphers on;

		# proxy to Tomcat
		location / {
			proxy_set_header	Host				$http_host;
			proxy_set_header	X-Real-IP			$remote_addr;
			proxy_set_header	X-Forwarded-For		$proxy_add_x_forwarded_for;
			# tells Tomcat's RemoteIpValve (configured in the next section) that the
			# client used HTTPS; without it Tomcat treats every request as plain http
			proxy_set_header	X-Forwarded-Proto	$scheme;
			proxy_set_header	Cookie				$http_cookie;
			proxy_pass			http://tomcat_8080;
			#proxy_redirect default;
		}

		access_log /home/wwwlogs/www.test.com_access.log;
		error_log  /home/wwwlogs/www.test.com_error.log;
	}

3. Tomcat configuration

(1) In the HTTP connector, change redirectPort="8443" to redirectPort="443" and add proxyPort="443", so that redirects and absolute URLs Tomcat generates point at nginx's HTTPS port rather than at 8443. Bind the connector to 127.0.0.1 as well (added here): nginx is the only thing that should talk to Tomcat, and otherwise anyone who can reach port 8080 bypasses TLS and can supply their own X-Forwarded-For header.

<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" proxyPort="443" />

(2) Inside the Engine element, add the following as the last Host entry. RemoteIpValve makes Tomcat report the real client address and scheme from the X-Forwarded-For and X-Forwarded-Proto headers that nginx sets; by default it only honours those headers on requests arriving from a private or loopback address (its internalProxies default), which covers nginx on 127.0.0.1. The valve's attribute for the header it writes is proxiesHeader, which already defaults to X-Forwarded-By, so it is left at its default here; the debug, xmlValidation and xmlNamespaceAware attributes of the original (and the misspelled deubt) are not Host or Context attributes in Tomcat 8 and only produce "did not find a matching property" warnings, so they are dropped.

<Host name="www.test.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
	<Valve className="org.apache.catalina.valves.RemoteIpValve"
		remoteIpHeader="x-forwarded-for"
		protocolHeader="x-forwarded-proto"/>
	<!-- crossContext and privileged grant the application extra rights
	     (cross-webapp dispatching, container servlets); remove them unless it needs them -->
	<Context docBase="/www/java/projectName" path="" crossContext="true" privileged="true" reloadable="false" />
</Host>

4. Cloudflare CDN settings (important)

After pointing the domain at the server, open the Crypto tab and set the SSL mode to Full (strict). In that mode Cloudflare connects to the origin over HTTPS and verifies the certificate installed on your server (the Let's Encrypt certificate passes). In Flexible mode Cloudflare talks to the origin over plain HTTP, our port-80 server block answers with a 301 to https://, Cloudflare passes that on to the browser, the browser asks Cloudflare again, and so on: an endless 301 loop that Chrome reports as "too many redirects" and the request fails.

One more consequence of proxying through Cloudflare: the peer nginx sees ($remote_addr) is a Cloudflare edge, so the X-Forwarded-For chain that reaches Tomcat ends in that edge address and the valve reports the edge as the client. To recover the real client address you have to trust Cloudflare's published IP ranges explicitly, for example with nginx's realip module (set_real_ip_from for those ranges plus real_ip_header CF-Connecting-IP) or with the valve's trustedProxies attribute.
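As an added example (not code from the original post, nor from Tomcat, nginx or Cloudflare), the following Python script simulates how RemoteIpValve treats the X-Forwarded-For and X-Forwarded-Proto headers that nginx sets, so you can check in advance what Tomcat will report for getRemoteAddr() and getScheme() in the setups above: nginx on 127.0.0.1 in front of Tomcat, a client that reaches port 8080 directly with a forged header, and Cloudflare in front of nginx. It follows the valve's documented algorithm: headers are only honoured when the peer is one of the valve's internal proxies (a trusted non-internal peer is not modelled, since nginx is always the peer here); X-Forwarded-For is walked right to left, internal proxies are dropped, trusted proxies are recorded in X-Forwarded-By, and the first other address becomes the client; only the value https in the protocol header marks the request secure. Tomcat's default internalProxies regex is approximated as CIDR blocks, the addresses are constructed from the RFC 5737 documentation ranges, and resolve_client and demo are names chosen for this example.

```python
"""Simulation of Tomcat's RemoteIpValve header handling (added example, not Tomcat code)."""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Tomcat's default internalProxies, approximated as CIDR blocks
# (Tomcat uses a regex covering the same private, loopback and link-local ranges).
DEFAULT_INTERNAL_PROXIES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                            "169.254.0.0/16", "127.0.0.0/8")


def _in_any(ip: str, cidrs: Iterable[str]) -> bool:
    """True if ip parses as an address and lies in one of the CIDR blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def resolve_client(remote_addr: str, xff: Optional[str] = None,
                   proto: Optional[str] = None,
                   internal: Iterable[str] = DEFAULT_INTERNAL_PROXIES,
                   trusted: Iterable[str] = ()) -> Dict[str, Optional[str]]:
    """Return what the application sees after the valve has run.

    remote_addr: address of the TCP peer Tomcat accepted the connection from
    xff:         incoming X-Forwarded-For value (remoteIpHeader), or None
    proto:       incoming X-Forwarded-Proto value (protocolHeader), or None
    internal:    CIDR blocks treated like Tomcat's internalProxies
    trusted:     CIDR blocks treated like Tomcat's trustedProxies
    """
    internal, trusted = list(internal), list(trusted)
    seen: Dict[str, Optional[str]] = {"client": remote_addr, "scheme": "http",
                                      "x_forwarded_for": xff, "x_forwarded_by": None}

    # Headers are only honoured when the peer itself is an internal proxy
    # (nginx on 127.0.0.1 qualifies; a client connecting to 8080 directly does not).
    if not _in_any(remote_addr, internal):
        return seen

    hops: List[str] = [h.strip() for h in (xff or "").split(",") if h.strip()]
    forwarded_by: List[str] = []
    client: Optional[str] = None
    while hops:                       # walk right to left: nearest proxy first
        client = hops.pop()
        if _in_any(client, internal):
            continue                  # internal proxy: dropped from the chain
        if _in_any(client, trusted):
            forwarded_by.insert(0, client)   # trusted proxy: kept in X-Forwarded-By
            continue
        break                         # anything else is the client

    if client is not None:
        seen["client"] = client
        seen["x_forwarded_for"] = ", ".join(hops) or None   # unprocessed hops stay
        seen["x_forwarded_by"] = ", ".join(forwarded_by) or None

    # protocolHeader: only the value "https" (case-insensitive) marks the request secure
    if proto is not None and proto.lower() == "https":
        seen["scheme"] = "https"
    return seen


def demo() -> List[Dict[str, Optional[str]]]:
    """The scenarios from this post, with constructed RFC 5737 addresses."""
    CLIENT, CDN_EDGE, NGINX = "203.0.113.7", "198.51.100.10", "127.0.0.1"
    return [
        # 1. nginx -> Tomcat with both headers set (the nginx config above)
        resolve_client(NGINX, CLIENT, "https"),
        # 2. same, but nginx does not send X-Forwarded-Proto: Tomcat believes it is http
        resolve_client(NGINX, CLIENT),
        # 3. client reaches port 8080 directly and forges X-Forwarded-For: ignored
        resolve_client(CLIENT, "10.0.0.1, 192.0.2.99", "https"),
        # 4. forged header sent through nginx: nginx appends the real peer, which wins
        resolve_client(NGINX, "192.0.2.99, " + CLIENT, "https"),
        # 5. Cloudflare in front of nginx: without trusting its range the edge is "the client"
        resolve_client(NGINX, CLIENT + ", " + CDN_EDGE, "https"),
        # 6. with the edge's range in trustedProxies the real client is recovered
        resolve_client(NGINX, CLIENT + ", " + CDN_EDGE, "https",
                       trusted=["198.51.100.0/24"]),
    ]


if __name__ == "__main__":
    for number, outcome in enumerate(demo(), 1):
        print(number, outcome)
```

Scenario 3 is the reason for binding the Tomcat connector to 127.0.0.1: the valve ignores a forged header from an unknown peer, but a direct connection still bypasses TLS entirely. Scenarios 5 and 6 show why the Cloudflare note above matters: until the edge range is trusted, every request appears to come from Cloudflare.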

5. References

1. Nginx + SSL integration: http://blog.csdn.net/sheng119/article/details/72956717
2. Tomcat + SSL integration: https://www.cnblogs.com/zhanghaoh/p/5293158.html
3. Solving the infinite 301 redirect with Cloudflare CDN: the 9th reply at https://www.v2ex.com/t/188230#r_2026842

6. Search engine optimization suggestions

If the site is public-facing, submit it to the Baidu Webmaster Platform and apply for HTTPS recognition there; HTTPS is one of Baidu's ranking signals.

The above is my own summary and I hope it helps. If anything is wrong, please point it out; criticism is welcome :)