最近在做一個項目,?架構上使用了 Nginx +tomcat 集群, 且nginx下配置了SSL,tomcat no SSL,項目使用https協議

但是,明明是https url請求,發現 log里面,

1 2 3 4 5 6 7 8

0428?15:55:55?INFO??(PaymentInterceptor.java:44)?preHandle()?-?requestStringForLog:????{?? ????????"request.getRequestURL():":?"http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6",?? ????????"request.getMethod:":?"GET",?? ????????"_parameterMap":?????????{?? ????????????"id":?["212"],?? ????????????"s":?["a84485e0985afe97fffd7fd7741c93851d83a4f6"]?? ????????}?? ????}

request.getRequestURL() 輸出出來的 一直是 ?http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6

但是瀏覽器中的URL卻是?https://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6

?

?

瞬間要顛覆我的Java觀,API上寫得很清楚:

?

getRequestURL():

1	Reconstructs?the?URL?the?client?used?to?make?the?request.?The?returned?URL?contains?a?protocol,?server?name,?port?number,?and?server?path,?but?it?does?not?include?query?string?parameters.

也就是說,?getRequestURL() 輸出的是不帶query string的路經(含協議 端口 server path等信息).

?

并且,還發現

?

1 2 3 4 5

request.getScheme()??//總是?http，而不是實際的http或https?? request.isSecure()??//總是false（因為總是http）?? request.getRemoteAddr()??//總是?nginx?請求的?IP，而不是用戶的IP?? request.getRequestURL()??//總是?nginx?請求的URL?而不是用戶實際請求的?URL?? response.sendRedirect(?相對url?)??//總是重定向到?http?上?（因為認為當前是?http?請求）

查閱了一些資料,找到了解決方案:

?

解決方法很簡單，只需要分別配置一下 Nginx 和 Tomcat 就好了，而不用改程序。

?

配置 Nginx 的轉發選項：

1 2 3 4

proxy_set_header???????Host?$host;?? proxy_set_header??X-Real-IP??$remote_addr;?? proxy_set_header??X-Forwarded-For?$proxy_add_x_forwarded_for;?? proxy_set_header?X-Forwarded-Proto??$scheme;

proxy_set_header X-Forwarded-Proto $scheme;

?

配置Tomcat server.xml 的 Engine 模塊下配置一個 Valve：

1 2 3 4

<Valve?className="org.apache.catalina.valves.RemoteIpValve"?? remoteIpHeader="X-Forwarded-For"?? protocolHeader="X-Forwarded-Proto"?? protocolHeaderHttpsValue="https"/>

配置雙方的 X-Forwarded-Proto 就是為了正確地識別實際用戶發出的協議是 http 還是 https。

這樣以上5項測試就都變為正確的結果了，就像用戶在直接訪問 Tomcat 一樣。

?

關于?RemoteIpValve,有興趣的同學可以閱讀下 doc?

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

?

1 2 3

Tomcat?port?of?mod_remoteip,?this?valve?replaces?the?apparent?client?remote?IP?address?and?hostname?for?the?request?with?the?IP?address?list?presented?by?a?proxy?or?a?load?balancer?via?a?request?headers?(e.g.?"X-Forwarded-For").??? ???? Another?feature?of?this?valve?is?to?replace?the?apparent?scheme?(http/https)?and?server?port?with?the?scheme?presented?by?a?proxy?or?a?load?balancer?via?a?request?header?(e.g.?"X-Forwarded-Proto").

看了下他們的源碼,比較簡單,在各種框架,各種算法面前,這個類對性能影響很小

?

• 如果沒有配置protocolHeader 屬性, 什么都不做.

• 如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出來的值是null,什么都不做

• 如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出來的值(忽略大小寫)是 配置的protocolHeaderHttpsValue(默認https),scheme設置為https,端口設置 為?httpsServerPort

• 其他設置為 http

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

if?(protocolHeader?!=?null)?{?? ????String?protocolHeaderValue?=?request.getHeader(protocolHeader);?? ????if?(protocolHeaderValue?==?null)?{?? ????????//?don't?modify?the?secure,scheme?and?serverPort?attributes?? ????????//?of?the?request?? ????}?else?if?(protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue))?{?? ????????request.setSecure(true);?? ????????//?use?request.coyoteRequest.scheme?instead?of?request.setScheme()?because?request.setScheme()?is?no-op?in?Tomcat?6.0?? ????????request.getCoyoteRequest().scheme().setString("https");?? ??????????? ????????request.setServerPort(httpsServerPort);?? ????}?else?{?? ????????request.setSecure(false);?? ????????//?use?request.coyoteRequest.scheme?instead?of?request.setScheme()?because?request.setScheme()?is?no-op?in?Tomcat?6.0?? ????????request.getCoyoteRequest().scheme().setString("http");?? ??????????? 本文轉自yunlielai51CTO博客，原文鏈接：http://blog.51cto.com/4925054/1949323，如需轉載請自行聯系原作者

總結

以上是生活随笔為你收集整理的Nginx SSL+tomcat集群配置SSL，ngnix配置SSL后js/css访问出现404的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。