
Configuring SSL on Apache and reverse proxying to Tomcat

Date: 2016-05-07 21:15  Source: linux.it.net.cn  Author: IT

Environment setup references

Apache:https://www.xssfox.com/2015-12-01/apache%e5%bc%80%e5%90%afhttp2-or-spdy%e6%94%af%e6%8c%81/

JDK & Tomcat:https://www.xssfox.com/2016-01-07/centos7-java-web%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%BF%AB%E9%80%9F%E6%90%AD%E5%BB%BA/

Apache configuration

To enable SSL and the reverse proxy, first confirm that Apache loads the required modules. Check httpd.conf (httpd -M lists the modules that are actually loaded at runtime):

# Modules required for SSL/TLS (shmcb is the session cache used below; dbm and memcache are alternatives)
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule ssl_module modules/mod_ssl.so

# HTTP/2 support, optional
LoadModule http2_module modules/mod_http2.so

# Required for the Header directives used below
LoadModule headers_module modules/mod_headers.so

# Reverse proxy: the mod_proxy core plus the HTTP backend handler.
# LoadModule takes exactly one module per line; a glob such as mod_proxy_*.so is not expanded.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

 

Add one line to httpd.conf so that Apache listens on port 443:

Listen 443

 

To get a solid A+ from the SSL rating tools, set Apache's SSL parameters by hand. Add the following to httpd.conf; at server scope these apply to every TLS virtual host, and the Header lines need mod_headers. Two caveats: -SSLv2 -SSLv3 still leaves TLS 1.0 and 1.1 enabled, and the preload token asks browsers to hard-code the domain and all its subdomains as HTTPS-only, which cannot be undone quickly once submitted:

# ECDHE/DHE with AES-GCM first; no RC4, 3DES, MD5 or anonymous suites
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# SSLv3 is vulnerable to POODLE; add -TLSv1 -TLSv1.1 as well once legacy clients allow it
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# TLS-level compression enables CRIME
SSLCompression Off
# HSTS for two years, covering subdomains; 'preload' is a long-term commitment
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout 300
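As an added example (not code from the article, from Apache or from any rating service), here is a small Python linter that applies these rules to a flat list of directives: it expands SSLProtocol's all/+/- grammar, flags weak cipher families by substring, and checks the HSTS header. The hardened fragment is the page's own configuration; the weak counterpart, the one-year HSTS threshold and the OpenSSL 1.0.x expansion of "all" are assumptions made for the example.

```python
"""Static lint of the TLS-hardening directives above.

Added example, not code from the original article or from Apache. It reads a
flat list of directives (no <VirtualHost> blocks, no Include) and reports the
settings a rating tool would penalise. ALL_PROTOCOLS assumes httpd 2.4 on
OpenSSL 1.0.x; builds on OpenSSL 1.1.1+ also include TLSv1.3.
"""
import re

ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "DES")  # simple substring heuristic
ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age for preloading (assumption)

# The article's directives, copied from above.
HARDENED = """
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
"""

# Constructed weak counterpart for contrast (not from the article).
WEAK = """
SSLCipherSuite ALL:!aNULL:RC4-SHA
SSLProtocol All
SSLCompression On
Header always set Strict-Transport-Security "max-age=300"
"""


def parse_directives(text):
    """Yield (name, value) for each non-comment line of a flat config fragment."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name, value.strip()


def enabled_protocols(spec):
    """Apply SSLProtocol's 'all', '+name', '-name' grammar; return enabled names, lower-cased."""
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        enabled = enabled | members if op == "+" else enabled - members
    return enabled


def weak_cipher_tokens(spec):
    """Cipher-string tokens naming a weak family that are not negated with '!'."""
    return [t for t in spec.split(":")
            if t and not t.startswith("!")
            and any(m in t.upper() for m in WEAK_CIPHER_MARKERS)]


def check_tls(text):
    """Return {'errors': [...], 'warnings': [...]} for a httpd.conf fragment."""
    errors, warnings = [], []
    single, headers = {}, []
    for name, value in parse_directives(text):
        if name == "Header":
            headers.append(value)          # Header may legitimately appear many times
        else:
            single[name] = value           # last occurrence wins, as in httpd

    protos = enabled_protocols(single.get("SSLProtocol", "all"))
    if "sslv3" in protos:
        errors.append("SSLv3 enabled (POODLE): add -SSLv3")
    for old in ("tlsv1", "tlsv1.1"):
        if old in protos:
            warnings.append(f"{old} still enabled; drop it once legacy clients are gone")
    if single.get("SSLCompression", "off").lower() != "off":
        errors.append("SSLCompression must be Off (CRIME)")
    if single.get("SSLHonorCipherOrder", "off").lower() != "on":
        errors.append("SSLHonorCipherOrder On is missing; the client's preference would win")
    for tok in weak_cipher_tokens(single.get("SSLCipherSuite", "")):
        errors.append(f"weak cipher family in SSLCipherSuite: {tok}")

    hsts = next((h for h in headers if "Strict-Transport-Security" in h), None)
    if hsts is None:
        errors.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            errors.append(f"HSTS max-age {age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in hsts.lower():
            warnings.append("HSTS lacks includeSubDomains")
    if not any("X-Content-Type-Options" in h and "nosniff" in h for h in headers):
        warnings.append("X-Content-Type-Options: nosniff not set")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("article config", HARDENED), ("weak config", WEAK)):
        print(label, check_tls(cfg))
```

Run against the article's fragment it reports no errors and only the two TLS 1.0/1.1 warnings; the weak fragment produces five errors (SSLv3, compression, cipher order, RC4, short HSTS). The check is static: it says nothing about what the running server actually negotiates, so confirm with a scan after restarting httpd.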

 

Re-running the rating scan then gives the A+ you were after (the original article shows a screenshot, QQ截图20160202153821, of the result at this point).

Next, configure the virtual hosts. Note that ProxyPreserveHost is left at its default (Off), so Tomcat receives Host: 127.0.0.1:8080 rather than the client's host name; the Tomcat-side settings further down compensate for that:

<VirtualHost *:443>
        # Honor the server's protocol preference order (mod_http2)
        ProtocolsHonorOrder On

        # Prefer HTTP/2, fall back to HTTP/1.1
        Protocols h2 http/1.1

        # Host name
        ServerName www.domain.com

        # Enable SSL/TLS
        SSLEngine on

        # Server certificate
        SSLCertificateFile /etc/ssl/certs/release.crt

        # Private key: must be readable by root only (mode 0600); it does not belong in a world-readable directory
        SSLCertificateKeyFile /etc/ssl/certs/release.key

        # Intermediate CA chain (needed for some CAs, StartSSL among them; on httpd 2.4.8+ the chain may instead be appended to SSLCertificateFile)
        SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.ca.pem
        #SSLCACertificateFile /etc/ssl/certs/byself/ca/ca-cert.pem
        #SSLVerifyClient none

        # Static document root (adjust as needed)
        DocumentRoot "/var/www/html/admin-console"
        # Alias /console /var/www/html/admin-console
        <Directory "/var/www/html">
                # Options is set absolutely, so Indexes stays off and no directory listings are served
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

        # Reverse proxy: requests starting with /api are forwarded to Tomcat
        # Proxy timeout 60 seconds
        ProxyTimeout 60
        ProxyPass /api http://127.0.0.1:8080/project/api
        ProxyPassReverse /api http://127.0.0.1:8080/project/api
</VirtualHost>

# Redirect port-80 requests to 443
# (302 while testing; switch to 301 / Redirect permanent once the HTTPS site is final):
<VirtualHost *:80>
        ServerName www.domain.com
        Redirect 302 / https://www.domain.com/
</VirtualHost>

Tomcat configuration

Little needs to change on the Tomcat side. Because Apache now sits in front of it as a proxy, you have to tell Tomcat about that proxy; otherwise HttpServletRequest.getServerName(), getServerPort() and getScheme() report the Connector's own values (127.0.0.1, 8080, http) instead of what the client used. The client address is a separate matter: getRemoteAddr()/getRemoteHost() will always return 127.0.0.1 behind this setup, and fixing that needs Tomcat's RemoteIpValve reading the X-Forwarded-For header that mod_proxy_http adds. The Tomcat proxy how-to explains:

Using standard configurations of Tomcat, web applications can ask for the server name and port number to which the request was directed for processing. When Tomcat is running standalone with the HTTP/1.1 Connector, it will generally report the server name specified in the request, and the port number on which the Connector is listening. The servlet API calls of interest, for this purpose, are:

ServletRequest.getServerName(): Returns the host name of the server to which the request was sent.
ServletRequest.getServerPort(): Returns the port number of the server to which the request was sent.
ServletRequest.getLocalName(): Returns the host name of the Internet Protocol (IP) interface on which the request was received.
ServletRequest.getLocalPort(): Returns the Internet Protocol (IP) port number of the interface on which the request was received.
When you are running behind a proxy server (or a web server that is configured to behave like a proxy server), you will sometimes prefer to manage the values returned by these calls. In particular, you will generally want the port number to reflect that specified in the original request, not the one on which the Connector itself is listening. You can use the proxyName and proxyPort attributes on the <Connector> element to configure these values.

Proxy support can take many forms. The following sections describe proxy configurations for several common cases.

Reference: https://tomcat.apache.org/tomcat-6.0-doc/proxy-howto.html

The fix is to edit Tomcat's server.xml and add the proxy attributes to the HTTP Connector:

<!-- scheme/proxyName/proxyPort make getScheme(), getServerName() and getServerPort()
     report what the client used (https, www.domain.com, 443) instead of the Connector's own values.
     secure="true" makes request.isSecure() return true, so Tomcat flags the session cookie Secure.
     Optional: address="127.0.0.1" binds this plaintext port to loopback so only the local Apache can reach it. -->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               scheme="https"
               proxyName="www.domain.com"
               proxyPort="443"
               secure="true"/>
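To tie the vhost's ProxyPass lines to this Connector, here is an added example (not code from the article, from Apache or from Tomcat) that parses both fragments and reports every way the Connector disagrees with what Apache presents to clients: ServerName versus proxyName, the vhost port versus proxyPort, HTTPS versus scheme, and whether secure="true" is set. The two configuration fragments are constructed copies of the ones on this page; the stock Connector used for contrast and the loopback check are assumptions.

```python
"""Cross-check the Apache reverse-proxy vhost against Tomcat's HTTP Connector.

Added example, not code from the article, Apache or Tomcat. Both fragments are
constructed copies of the configuration shown on this page; the checks encode
the Tomcat proxy how-to's rule that proxyName/proxyPort/scheme on the
Connector must describe what Apache presents to the client.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

APACHE_VHOST = """
<VirtualHost *:443>
        ServerName www.domain.com
        SSLEngine on
        ProxyPass /api http://127.0.0.1:8080/project/api
        ProxyPassReverse /api http://127.0.0.1:8080/project/api
</VirtualHost>
"""

# Connector as configured on this page, including secure="true".
SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" scheme="https" proxyName="www.domain.com"
               proxyPort="443" secure="true"/>
  </Service>
</Server>
"""

# Stock Tomcat Connector with no proxy attributes, for contrast (assumed).
SERVER_XML_DEFAULT = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def apache_proxy_facts(vhost_text):
    """Return (ServerName, vhost port, [parsed ProxyPass backend URLs])."""
    server_name = re.search(r"^\s*ServerName\s+(\S+)", vhost_text, re.M).group(1)
    vhost_port = int(re.search(r"<VirtualHost\s+\S+:(\d+)>", vhost_text).group(1))
    targets = re.findall(r"^\s*ProxyPass\s+\S+\s+(\S+)", vhost_text, re.M)  # not ProxyPassReverse
    return server_name, vhost_port, [urlparse(t) for t in targets]


def connector_for_port(server_xml, port):
    """Return the attribute dict of the Connector listening on `port`, or None."""
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        if conn.get("port") == str(port):
            return conn.attrib
    return None


def check_proxy_pair(vhost_text, server_xml):
    """List every way the Connector disagrees with what Apache shows the client."""
    problems = []
    server_name, vhost_port, backends = apache_proxy_facts(vhost_text)
    for b in backends:
        conn = connector_for_port(server_xml, b.port or 80)
        if conn is None:
            problems.append(f"no Tomcat Connector listens on port {b.port}")
            continue
        if conn.get("proxyName") != server_name:
            problems.append(f"proxyName={conn.get('proxyName')!r} but Apache ServerName is {server_name!r}: getServerName() will be wrong")
        if conn.get("proxyPort") != str(vhost_port):
            problems.append(f"proxyPort={conn.get('proxyPort')!r} but Apache listens on {vhost_port}: getServerPort() will be wrong")
        if conn.get("scheme") != "https":
            problems.append("scheme is not https: getScheme() returns http and absolute URLs built from the request point at plain HTTP")
        if conn.get("secure", "false").lower() != "true":
            problems.append('secure="true" missing: request.isSecure() is false and the session cookie is issued without the Secure flag')
        if b.hostname not in LOOPBACK:
            problems.append(f"backend {b.hostname} is not loopback: plaintext port {b.port} is reachable from the network")
    return problems


if __name__ == "__main__":
    print("configured:", check_proxy_pair(APACHE_VHOST, SERVER_XML))
    print("stock:", check_proxy_pair(APACHE_VHOST, SERVER_XML_DEFAULT))
```

With the page's Connector the check returns an empty list; with a stock Connector it reports four mismatches, which is exactly the symptom the how-to describes (wrong server name, port and scheme, plus an insecure session cookie). Point it at the real files after editing them, before restarting Tomcat.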


