Deploying Nginx + Tomcat, enabling HTTPS, and solving the problems encountered

The original business system was deployed on an ECS instance and served directly by Tomcat on port 80, without SSL.

Recently, because the server is being replaced, we plan to upgrade the overall architecture: enable HTTPS and use Nginx + Tomcat as the web container.

The overall deployment steps are as follows:

1. Tomcat is installed and deployed on the ECS instance, on the default port 8080. After migrating the original business system, it can be accessed locally at http://127.0.0.1:8080 normally;

2. Deploy Nginx, listening on port 80 and proxying to http://127.0.0.1:8080. Internet access via http://<server IP> works normally, and the Nginx configuration is as follows:

    server {
        listen 80;
        server_name www.xxx.com xxx.com;
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }

3. Configure HTTPS. Since the externally facing service is Nginx, the certificate only needs to be configured on Nginx. All requests to http://www.xxx.com are redirected to https://www.xxx.com, access to the business system from the Internet works normally, and the configuration is as follows:

    server {
        listen 80;
        server_name www.xxx.com xxx.com;
        location / {
            # Redirect every HTTP request to HTTPS, keeping the original path ($1)
            rewrite ^(.*)$ https://www.xxx.com$1 permanent;
        }
    }
    server {
        listen 443 ssl;
        ssl_certificate     /nginx/1_www.xxx.com_bundle.crt; # certificate (public) bundle file path
        ssl_certificate_key /nginx/2_www.xxx.com.key;        # certificate private key file path
        ssl_session_timeout 5m;  # keep the TLS session for 5 minutes
        # Note: SSLv3, TLSv1 and TLSv1.1 are deprecated; current clients negotiate TLSv1.2 or newer
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers  HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
        server_name  www.xxx.com xxx.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
            #proxy_redirect off;
            proxy_set_header Host $host;
            # Upgrade/Connection headers are only needed to pass WebSocket upgrades through
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

So far, the basic deployment is complete.

 

However, when testing the business system, login failed. Checking the error in the browser developer tools (F12) showed:

Mixed Content: The page at 'https://www.xxx.com/' was loaded over HTTPS, but requested an insecure resource 'http://www.xxx.com/Login?'. This request has been blocked; the content must be served over HTTPS.

Analysis showed that the home page of the business system uses an iframe, and the login request and redirect are performed via Ajax inside that iframe. If the login page URL is opened directly, without the iframe, login succeeds.

Now we mainly need to solve the login problem inside the iframe. Searching turned up the following explanation (content taken from other people's blogs):

  1. Nginx enforces HTTPS access (HTTP redirects to HTTPS)
  2. Static resources such as JS and CSS requested over HTTP are blocked by the browser (HTTP is not trusted)

Solution (also from someone else's blog, recorded here):

If neither Tomcat nor Nginx is configured for X-Forwarded-Proto, Tomcat cannot tell whether the actual user connected over HTTP or HTTPS. The static resources configured in Tomcat are then treated as HTTP and blocked by the browser: request.getScheme() always returns http, not the scheme the user actually used.

Configuring both Nginx and Tomcat resolves this.
Configure the forwarding options of Nginx:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

Configure Tomcat: add a Valve under the Engine element in server.xml:

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"/>
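As an added illustration (not code from the original post or from Tomcat itself), the Python model below reproduces what the RemoteIpValve above does with the headers set by the Nginx snippet: it rewrites the client address from X-Forwarded-For and the scheme from X-Forwarded-Proto, so request.getScheme() reports what the browser actually used. It assumes Tomcat's default internalProxies pattern (which the Valve on the page does not set explicitly) and uses constructed sample addresses; it also shows that a request reaching port 8080 directly, not through the local Nginx, has its forwarded headers ignored.

```python
import re
from dataclasses import dataclass, field

# Tomcat's default internalProxies pattern (RFC 1918, loopback, link-local, ::1).
# Nginx proxying from 127.0.0.1 matches it, so its forwarded headers are trusted;
# a peer outside this range is treated as an untrusted client.
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.2[0-9]\.\d{1,3}\.\d{1,3}|172\.3[0-1]\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)

@dataclass
class Request:
    remote_addr: str                    # TCP peer address as the connector sees it
    headers: dict = field(default_factory=dict)
    scheme: str = "http"                # what request.getScheme() returns on a plain HTTP connector
    secure: bool = False
    server_port: int = 8080

def remote_ip_valve(req, remote_ip_header="X-Forwarded-For",
                    protocol_header="X-Forwarded-Proto", https_value="https"):
    """Model of the Valve on the page: rewrite client address and scheme from proxy headers."""
    if not INTERNAL_PROXIES.fullmatch(req.remote_addr):
        return req  # peer is not a trusted proxy: forwarded headers are ignored entirely
    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",") if h.strip()]
    while hops and INTERNAL_PROXIES.fullmatch(hops[-1]):
        hops.pop()  # walk right-to-left, dropping our own internal proxies
    if hops:
        req.remote_addr = hops.pop()  # first untrusted hop is the real client
        if hops:
            req.headers[remote_ip_header] = ", ".join(hops)
        else:
            req.headers.pop(remote_ip_header, None)
    proto = req.headers.get(protocol_header)
    if proto is not None:  # with the header present, the browser-facing scheme wins
        if proto.lower() == https_value:
            req.scheme, req.secure, req.server_port = "https", True, 443
        else:
            req.scheme, req.secure, req.server_port = "http", False, 80
    return req

def scenarios():
    """Two constructed requests: one via Nginx with the page's headers, one bypassing it."""
    via_nginx = Request("127.0.0.1", {"Host": "www.xxx.com", "X-Forwarded-For": "203.0.113.7",
                                      "X-Forwarded-Proto": "https"})
    direct = Request("203.0.113.7", {"X-Forwarded-Proto": "https"})  # spoofed, straight to :8080
    return remote_ip_valve(via_nginx), remote_ip_valve(direct)
```

Calling scenarios() returns the request via Nginx with scheme https and the real client address, while the direct request keeps scheme http despite its spoofed header; without the Valve, both would stay http, which is exactly why the iframe's Ajax URLs were built with http:// and blocked as mixed content.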

 

After the configuration is completed, login to the business system and normal use both work.

 

Next time I will record the problems encountered when using a CDN: with domestic CDN acceleration enabled, login to the business system sometimes fails.

Posted by poring on Sat, 07 May 2022 04:12:49 +0300