搜索到
2
篇与
Tomcat
的结果
-
nginx配置「锦上添花」的小修小补 1. 统一 SSL 配置块(可维护性)把重复的 ssl_* 指令抽成一个独立文件,主配置里 include 即可,例如:# /etc/nginx/ssl/ssl_best.conf ssl_certificate /etc/nginx/ssl/_baidu.com.crt; ssl_certificate_key /etc/nginx/ssl/_baidu.com.key; ssl_trusted_certificate /etc/nginx/ssl/_baidu.com.crt; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA^...............:ECDHE-RSA-AE^.............-GCM-SHA384;然后在每个 443 段里写一句:include ssl_best.conf; 配上路径,容器运行注意! 比如include /etc/nginx/ssl/ssl_best.conf;以后换证书/调加密套件只改一行。2. 补充安全响应头(看情况用吧)新建 /etc/nginx/conf.d/security_headers.conf:add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # 如需上传或外链,按需调整 CSP add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;在 所有 443 段 的 location / 里加:include security_headers.conf; 配上路径,容器运行注意! 比如include /etc/nginx/conf.d/security_headers.conf;(Tomcat 已自带 X-Frame-Options,nginx 再统一一次无冲突。)3. 代理头统一模板把 proxy 头也抽成 /etc/nginx/conf.d/proxy_headers.conf:proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header REMOTE-HOST $remote_addr; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";以后 location / 里只要写:proxy_pass http://backend_5800; include proxy_headers.conf; 比如include /etc/nginx/conf.d/proxy_headers.conf;Tomcat 路径同理。4. 小优化:正则 location 加 breaklocation ~ ^/(test|oa|ob|oc) { proxy_pass http://tomcat; include proxy_headers.conf; }• 正则 ~ 会顺序匹配,保持放在「普通 location /」前面即可。• 若担心性能,可改为:location /oa { ... } location /ob { ... }5. 可选:Tomcat 真实 IP 日志Tomcat 要记录访客真实 IP,在 server.xml 里加:<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />nginx 已传头,直接可用。{lamp/}附配置:{collapse}{collapse-item label="一、nginx的default.conf的配置"}# ---------- upstream ---------- upstream tomcat { server tomcat:8080; } upstream backend_5800 { server 172.25.194.247:5800; } # ---------- 80 → 443 统一跳转 ---------- server { listen 80; listen [::]:80; server_name baidu.com *.baidu.com *.cloud.baidu.com; return 301 https://$host$request_uri; } # ---------- 主域名 + 通配证书 ---------- server { listen 443 ssl; listen [::]:443 ssl; server_name baidu.com *.baidu.com *.cloud.baidu.com; #ssl_best统一SSL配置块,要配路径,容器运行注意! include /etc/nginx/ssl/ssl_best.conf; # 根目录 → 5800 location / { proxy_pass http://backend_5800; #代理头proxy_header,要配路径容器运行要注意! include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers,要配路径容器运行要注意! include /etc/nginx/conf.d/security_headers.conf; } # 子路径 → tomcat location ~ ^/(ixjkj|oa|ob|oc) { proxy_pass http://tomcat; #代理头proxy_header,要配路径容器运行要注意! include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers,要配路径容器运行要注意! include /etc/nginx/conf.d/security_headers.conf; } } # ---------- oa.cloud.baidu.com 专用 ---------- server { listen 443 ssl; listen [::]:443 ssl; server_name oa.cloud.baidu.com; #ssl_best统一SSL配置块,要配路径,容器运行注意! include /etc/nginx/ssl/ssl_best.conf; # 根目录 → tomcat /oa(去掉路径前缀) location / { proxy_pass http://tomcat/oa/; #代理头proxy_header,要配路径容器运行要注意! include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers,要配路径容器运行要注意! include /etc/nginx/conf.d/security_headers.conf; } } # ========== ob.cloud.baidu.com 专用 ========== server { listen 443 ssl; listen [::]:443 ssl; server_name ob.cloud.baidu.com; #ssl_best统一SSL配置块,要配路径,容器运行注意! include /etc/nginx/ssl/ssl_best.conf; # 根目录反向代理到 Tomcat 的 /ob(去掉前缀) location / { proxy_pass http://tomcat/ob/; # 注意末尾斜杠 #代理头proxy_header,要配路径容器运行要注意! include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers,要配路径容器运行要注意! include /etc/nginx/conf.d/security_headers.conf; } }{/collapse-item}{collapse-item label="二、统一SSL配置块的配置"}ssl_certificate /etc/nginx/ssl/_.cloud.baidu.com.crt; ssl_certificate_key /etc/nginx/ssl/_.cloud.baidu.com.key; ssl_trusted_certificate /etc/nginx/ssl/_.cloud.baidu.com_issuerCertificate.crt; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-....................................................SHA384;{/collapse-item}{collapse-item label="三、安全响应头的配置"}add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;{/collapse-item}{collapse-item label="四、统一代理头的配置"}proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header REMOTE-HOST $remote_addr; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";{/collapse-item}{collapse-item label="2026年1月16日配置重写路径"}虽然页面转过来了,但页面资源元素全部404,随后添加一个server块server { listen 8888 ssl; listen [::]:8888 ssl; server_name jxzy2.baidu.com; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; ssl_prefer_server_ciphers on; location / { # 保留请求的 URI set $backend_uri $request_uri; # 如果请求的不是 /hzsjapi/ 开头,则添加前缀 if ($request_uri !~ ^/hzsjapi/) { set $backend_uri /hzsjapi$request_uri; } proxy_pass http://tomcat2$backend_uri; #设置正确的 Host 头,包含端口 proxy_set_header Host $host:$server_port; #proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Original-URI $request_uri; client_max_body_size 20000m; #重写重定向 proxy_redirect http:// https://; }{/collapse-item}{/collapse} -
Tomcat强制跳转https 不使用nginx代理Tomcat直接服务1 全局Tomcat的conf/server.xml找到这一段默认是这样<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" <!-- 改回 8443,不再强制 443 --> maxParameterCount="1000" URIEncoding="utf-8"/>需要https<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" maxParameterCount="1000" uRIEncoding="utf-8"2 单个应用里webapps/你的项目/WEB-INF/web.xml默认<!-- <security-constraint> ... <transport-guarantee>CONFIDENTIAL</transport-guarantee> </security-constraint> -->需要强制https<!--跳转--> <security-constraint> <web-resource-collection> <web-resource-name>Secure Area</web-resource-name> <url-pattern>/*</url-pattern> <!-- 匹配所有 URL --> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> <!-- 强制 HTTPS --> </user-data-constraint> </security-constraint>“作用域”速查表文件位置作用域优先级说明conf/server.xml全局(整个 Tomcat)最低里面的 Connector、Host、Context 对所有应用生效。conf/web.xml全局默认(所有应用共用)中Tomcat 自带的默认部署描述符,相当于“父模板”。webapps/xxx/WEB-INF/web.xml单个应用最高只影响 xxx 这个应用;与上面冲突时以它为准。
