在线申请https证书:https://letsencrypt.osfipin.com
生产级应用一般不会直接在应用服务器(tomcat)上配置ssl证书,而是在nginx这种反向代理上配置
nginx的server部分示例配置:
# Upstream pool for the backend application server (Tomcat).
# server <address>:<port> [weight=N]: a higher weight receives a proportionally larger
# share of requests; with a single server, as here, the weight has no effect.
# max_fails=2 fail_timeout=30s: after 2 failed attempts within 30s the server is
# considered unavailable for the next 30s.
upstream backend_www {
# Loopback address: Tomcat is expected to be reachable only from this host (confirm
# that Tomcat is not also bound to a public interface, or TLS can be bypassed).
server 127.0.0.1:8888 weight=4 max_fails=2 fail_timeout=30s;
}
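# Plain-HTTP listener: permanently redirect every request to HTTPS.
server {
    listen 80;
    # Apex and www are both answered here. The name is aligned with the HTTPS server
    # (the original mixed "youdomain"/"yourdomain", which would send clients to a host
    # other than the one holding the certificate).
    server_name www.yourdomain.com yourdomain.com;
    # 'return' is the documented idiom for a whole-site redirect (cheaper than a
    # regex rewrite); $request_uri preserves the original path and query string.
    return 301 https://www.yourdomain.com$request_uri;
}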
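# HTTPS server: TLS terminates here; traffic to Tomcat continues as plain HTTP on loopback.
server {
    # The 'ssl' listen parameter enables TLS for this server; 'http2' on 'listen' is
    # deprecated in nginx 1.25.1+ in favour of a separate 'http2 on;' but still works.
    listen 443 ssl http2;
    server_name www.yourdomain.com;
    # 'ssl on;' was dropped: deprecated since nginx 1.15.0 and rejected by 1.25.1+;
    # it is redundant with the 'ssl' parameter on 'listen'.
    # Certificate and key. Forward slashes are accepted by nginx on Windows and avoid
    # the escaping inconsistencies of the original backslash paths. The key file
    # should be readable only by the account nginx runs as.
    ssl_certificate D:/web/service/ssl/fullchain.pem;
    ssl_certificate_key D:/web/service/ssl/privkey.pem;
    # Restrict to modern TLS: older nginx builds still default to allowing TLSv1/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Share session state across workers so returning clients resume instead of
    # performing a full handshake on every connection.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Optional hardening once every host under this name is served over HTTPS only:
    # add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        # Not used while everything is proxied; kept from the original with the path
        # separators normalized.
        root D:/web/service/data/template;
        proxy_pass http://backend_www;
        proxy_redirect off;
        # Host is passed with the port; the X-Forwarded-* headers below let Tomcat
        # rebuild the original https URL (see the server.tomcat.*-header settings in
        # the Spring Boot configuration further down the page).
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Port $remote_port;
        # Appends the peer address to any X-Forwarded-For the client sent; Tomcat's
        # RemoteIpValve is expected to evaluate the list from the right.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Overwritten (not appended), so a client cannot forge the scheme or port.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # Custom header carrying the user agent; User-Agent itself is forwarded anyway.
        proxy_set_header x-agent $http_user_agent;
        # Upload limit and request-body buffering.
        client_max_body_size 4m;
        client_body_buffer_size 128k;
        # Generous timeouts (seconds) towards the backend.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        # Response buffering.
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}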
解决通过 nginx 配置 https 后，后端应用中 HttpServletRequest.getRequestURL() 获取到的地址不是真实的 https 地址而是 http 地址的问题。如果不配置下面的规则，那么浏览器访问 https://www.yourdomain.com/news/209.jhtml 时，Spring Boot 获取到的 getRequestURL() 是 http://www.youdomain.com:443/news/209.jhtml。
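server:
  # Spring Boot <= 2.1 property names (IDEA offers completion for all of them).
  # In Spring Boot 2.2+ the three header settings live under server.tomcat.remoteip.*
  # and 'use-forward-headers' is superseded by 'server.forward-headers-strategy: native'.
  tomcat:
    # Header nginx populates with $proxy_add_x_forwarded_for. Tomcat's RemoteIpValve
    # reads it from the right and stops at the first address that is not an internal
    # proxy, so the address nginx appended takes precedence over any client-supplied value.
    remote-ip-header: X-Forwarded-For
    # Original scheme ("https"), set by nginx from $scheme; this is what makes
    # getRequestURL() report https instead of http.
    protocol-header: X-Forwarded-Proto
    # Original port (443), set by nginx from $server_port; with the https scheme the
    # default port is no longer spelled out in the URL.
    port-header: X-Forwarded-Port
  # Enables Tomcat's RemoteIpValve so the three headers above are applied. They are
  # only honoured for requests arriving from an address matching Tomcat's
  # internal-proxies pattern (loopback and private ranges by default), which covers
  # the 127.0.0.1 upstream used in the nginx configuration above.
  use-forward-headers: true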