The nginx TCP long-lived connection (persistent connection) proxy forwarding configuration is as follows:
stream {
    upstream socket_proxy {
        # Pin each client IP to the same backend (consistent hashing), so a
        # long-lived session keeps talking to one server when more are added.
        hash $remote_addr consistent;
        server 10.10.8.91:9090 weight=5 max_fails=3 fail_timeout=30s;
    }
    server {
        # so_keepalive lets the kernel probe idle client connections instead
        # of letting a dead peer hold a slot open indefinitely.
        listen 9090 so_keepalive=on;
        tcp_nodelay on;
        # Idle timeout for an established proxied connection; 1d keeps
        # long-lived sockets open, so rely on so_keepalive to reap dead ones.
        proxy_timeout 1d;
        proxy_pass socket_proxy;
    }
}
The HTTPS mutual-authentication (mTLS) reverse proxy configuration is as follows:
...
location / {
    proxy_pass https://10.10.8.91:8443/demo/;
    # Client certificate and private key nginx presents to the upstream
    # (the upstream's clientAuth="true" rejects the handshake without them).
    proxy_ssl_certificate cert/client.pem;
    proxy_ssl_certificate_key cert/demo.pem;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
}
...
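Note that nothing in the block above checks who nginx is talking to: proxy_ssl_verify is off by default, so nginx will present its client certificate to any server answering on 10.10.8.91:8443. The following is an added example, not configuration from the original post, showing the same location with upstream verification enabled. The file cert/ca.pem is assumed to hold the CA certificate that signed the upstream's server certificate, and the name demo-server is an assumed placeholder for the CN/SAN in the upstream's server.p12.

```nginx
location / {
    proxy_pass https://10.10.8.91:8443/demo/;

    # Client side of the mutual authentication, as in the original block.
    proxy_ssl_certificate     cert/client.pem;
    proxy_ssl_certificate_key cert/demo.pem;

    # Server side: verify the upstream certificate against the issuing CA.
    # Without this, proxy_ssl_verify defaults to off and any server on that
    # address is accepted.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate cert/ca.pem;   # assumed: CA that signed server.p12

    # proxy_pass uses a bare IP, so the default name to check would be
    # 10.10.8.91; set the name that actually appears in the server certificate
    # and send it as SNI so the upstream can pick the right certificate.
    proxy_ssl_name        demo-server;           # assumed placeholder name
    proxy_ssl_server_name on;

    # Do not let the upstream negotiate down to TLS 1.0/1.1.
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
}
```

If the upstream certificate was issued to the IP address rather than a name, put that IP in a SAN of the server certificate and drop proxy_ssl_name; the point is that the name nginx verifies must match what the certificate actually says.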
The certificates were produced as follows:
Start from the client.p12 generated in the article 《使用keytool、portecle完成ssl双向认证证书生成,并在android、springboot配置与开发》 (that article also converts it to client.jks for the Java side; openssl works on the PKCS#12 file directly and cannot open a JKS) and derive client.pem and ca.pem from it.
Concretely:
1. Run the following command (it prompts for the PKCS#12 import password):
openssl pkcs12 -nodes -in client.p12 -out demo.pem
2. The resulting demo.pem contains both the private key and the certificate(s), each preceded by "Bag Attributes" metadata lines; save the key and the certificate contents as client.pem and ca.pem respectively.
Two points to keep straight here. First, whatever the file names, proxy_ssl_certificate must point at the file holding the CERTIFICATE block and proxy_ssl_certificate_key at the file holding the PRIVATE KEY block; the configuration above gets away with using the combined demo.pem as the key file because OpenSSL's PEM reader skips the certificate blocks and picks out the private key. Second, -nodes writes the private key unencrypted, so demo.pem and the key file derived from it must be readable only by the nginx user.
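As an added example (not from the original post) of step 2, the following POSIX shell script splits the combined PEM that openssl pkcs12 -nodes writes into a certificate file and a key file, dropping the Bag Attributes metadata and locking down the key file's permissions. It needs only awk and grep, so it runs without openssl; the embedded bundle is a constructed stand-in in the layout openssl produces, and its base64 bodies are placeholders, not real key material. The output names client.pem (certificates) and client.key (private key) are the example's own choice.

```shell
#!/bin/sh
# Added example: split the PEM bundle written by `openssl pkcs12 -nodes`
# into separate certificate and private-key files.

# split_pem BUNDLE CERT_OUT KEY_OUT
# Copies every CERTIFICATE block to CERT_OUT and every PRIVATE KEY block
# (PKCS#8 "PRIVATE KEY" or legacy "RSA PRIVATE KEY") to KEY_OUT. Lines outside
# a BEGIN/END pair (Bag Attributes, subject=, issuer=, ...) are discarded.
split_pem() {
    bundle=$1; cert_out=$2; key_out=$3
    awk -v cert="$cert_out" -v key="$key_out" '
        /^-----BEGIN .*CERTIFICATE-----$/ { out = cert }
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
        out != ""                        { print > out }
        /^-----END /                     { out = "" }
    ' "$bundle"
    # -nodes leaves the key unencrypted: make the file owner-only.
    chmod 600 "$key_out"
}

# count_blocks FILE TYPE -> number of "-----BEGIN <TYPE>-----" lines in FILE
count_blocks() {
    grep -c "^-----BEGIN $2-----$" "$1" 2>/dev/null || true
}

# demo_bundle OUT: write a constructed sample bundle (client cert, CA cert,
# private key) in the order and layout openssl pkcs12 prints. The base64
# bodies are placeholders and decode to plain text, not to a key or cert.
demo_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: client
    localKeyID: 54 69 6D 65 20 31
subject=CN = client
issuer=CN = demo-ca
-----BEGIN CERTIFICATE-----
QUREREVERVhBTVBMRSBDTElFTlQgQ0VSVCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = demo-ca
issuer=CN = demo-ca
-----BEGIN CERTIFICATE-----
QUREREVERVhBTVBMRSBDQSBDRVJUIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: client
    localKeyID: 54 69 6D 65 20 31
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
QUREREVERVhBTVBMRSBQUklWQVRFIEtFWSBQTEFDRUhPTERFUg==
-----END PRIVATE KEY-----
EOF
}

# Usage: split the constructed bundle in a scratch directory and report.
work=$(mktemp -d)
demo_bundle "$work/demo.pem"
split_pem "$work/demo.pem" "$work/client.pem" "$work/client.key"
echo "certificates in client.pem: $(count_blocks "$work/client.pem" CERTIFICATE)"
echo "private keys in client.key: $(count_blocks "$work/client.key" 'PRIVATE KEY')"
```

On a real demo.pem, point proxy_ssl_certificate at the resulting client.pem (the leaf certificate is the first block; the CA certificate that follows is what proxy_ssl_trusted_certificate needs) and proxy_ssl_certificate_key at client.key.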
Tomcat HTTPS configuration
Configured in server.xml:
<!-- clientAuth="true" makes the handshake fail unless the client presents a
     certificate that chains to a CA in server_truststore.p12; "want" would
     make the client certificate optional. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS" keystoreFile="conf/server.p12" keystorePass="123456"
           truststoreFile="conf/server_truststore.p12" truststorePass="123456" />
Two caveats for production use: the keystore and truststore passwords sit in server.xml in clear text, so the file must be readable only by the Tomcat user and the passwords should not be left at 123456; and sslProtocol="TLS" delegates the protocol version choice to the JVM, so on older JVMs restrict it explicitly with sslEnabledProtocols="TLSv1.2,TLSv1.3" (and add keystoreType="PKCS12" truststoreType="PKCS12" if the JVM does not auto-detect the .p12 format, since both attributes default to JKS).