【微信小程序】配置服务端https协议-nginx+tomcat

基本结构

首先要明白两个基本知识点：

• 平时我们在地址栏里面输入http://www.domain.com 访问的是80端口，相当于http://www.domain.com:80
• 而 https://www.domain.com 使用的是443端口

那么问题就来了，如果多个系统都要单独使用一个二级域名的话，直接修改tomcat的配置会导致端口冲突。

下面我的解决办法是在Internet和tomcat之间加一个nginx反向代理。

基本结构

https请求发送到nginx，nginx将请求代理到tomcat

---

nginx解决了单ip多域名的问题，多站点就需要tomcat来解决了

网上找到的最好的解决方案是多实例tomcat配置实现单机多站点

什么意思呢？

就是把tomcat拷贝多份，然后修改各个tomcat的server.xml中的shutdown，http以及AJP1.3的端口，然后将tomcat实例启动即可。

如果你们公司好比较重视技术基础设施最好是不要在一台server上部署太多的应用，这个方案对内存要求比较高，因为每个tomcat跑起来之后可能会占200M左右内存，这还是对并发量比较小的，如果实例数一多起来，内存会吃不消。

---

实操步骤

首先默认你有两个以上指向你的服务器的域名，顶级域名或二级域名都可以。
默认你的服务器上已经安装好了jdk环境。后文中使用的tomcat是8.5版本的。

有两个站点：a.domain.com 和 b.domain.com ,a.domain.com使用https访问，b.domain.com使用http访问

1.安装nginx

yum install nginx

2.下载tomcat，解压到你需要的路径下

假定tomcat解压在/home/admin/app/tomcat 下

3.配置各独立站点

• 为A、B站点各新建一个目录，分别为是/home/admin/app/a.domain.com 和 /home/admin/app/b.domain.com
• 将/home/admin/app/tomcat下的 conf、logs、temp、webapps、work分别拷贝一份到/home/admin/app/a.domain.com 和 /home/admin/app/b.domain.com下
• 建一个目录/home/admin/app/a.domain.com/https_certificate 存放ssl证书
• 分别修改两个站点目录下的conf/server.xml文件，修改原则就是：凡是涉及到端口的地方全都修改成唯一的

/home/admin/app/a.domain.com/conf/server.xml

...
<Server port="8105" shutdown="SHUTDOWN">

...
<Connector port="8180" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               proxyPort="443" />

...
<Connector port="8109" protocol="AJP/1.3" redirectPort="8543" />
...

/home/admin/app/b.domain.com/conf/server.xml

...
<Server port="8205" shutdown="SHUTDOWN">

...
<Connector port="8280" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8543" />

...
<Connector port="8209" protocol="AJP/1.3" redirectPort="8643" />
...

• 为各独立站点配置独立的启动脚本,实际上就是把tomcat原来的startup.sh做了一点修改

/home/admin/app/a.domain.com/startup.sh

export CATALINA_BASE=/home/admin/app/a.domain.com
export CATALINA_HOME=/home/admin/app/tomcat

#!/bin/sh

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# -----------------------------------------------------------------------------
# Start Script for the CATALINA Server
# -----------------------------------------------------------------------------

# Better OS/400 detection: see Bugzilla 31132
os400=false
case "`uname`" in
OS400*) os400=true;;
esac

# resolve links - $0 may be a softlink
PRG="$0"

while [ -h "$PRG" ] ; do
  ls=`ls -ld "$PRG"`
  link=`expr "$ls" : '.*-> \(.*\)$'`
  if expr "$link" : '/.*' > /dev/null; then
    PRG="$link"
  else
    PRG=`dirname "$PRG"`/"$link"
  fi
done

PRGDIR=`dirname "$PRG"`
EXECUTABLE=/home/admin/app/tomcat/bin/catalina.sh

# Check that target executable exists
if $os400; then
  # -x will Only work on the os400 if the files are:
  # 1. owned by the user
  # 2. owned by the PRIMARY group of the user
  # this will not work if the user belongs in secondary groups
  eval
else
  if [ ! -x "$EXECUTABLE" ]; then
    echo "Cannot find $PRGDIR/$EXECUTABLE"
    echo "The file is absent or does not have execute permission"
    echo "This file is needed to run this program"
    exit 1
  fi
fi

exec "$EXECUTABLE" start "$@"

/home/admin/app/b.domain.com/startup.sh

export CATALINA_BASE=/home/admin/app/b.domain.com
export CATALINA_HOME=/home/admin/app/tomcat

#!/bin/sh

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# -----------------------------------------------------------------------------
# Start Script for the CATALINA Server
# -----------------------------------------------------------------------------

# Better OS/400 detection: see Bugzilla 31132
os400=false
case "`uname`" in
OS400*) os400=true;;
esac

# resolve links - $0 may be a softlink
PRG="$0"

while [ -h "$PRG" ] ; do
  ls=`ls -ld "$PRG"`
  link=`expr "$ls" : '.*-> \(.*\)$'`
  if expr "$link" : '/.*' > /dev/null; then
    PRG="$link"
  else
    PRG=`dirname "$PRG"`/"$link"
  fi
done

PRGDIR=`dirname "$PRG"`
EXECUTABLE=/home/admin/app/tomcat/bin/catalina.sh

# Check that target executable exists
if $os400; then
  # -x will Only work on the os400 if the files are:
  # 1. owned by the user
  # 2. owned by the PRIMARY group of the user
  # this will not work if the user belongs in secondary groups
  eval
else
  if [ ! -x "$EXECUTABLE" ]; then
    echo "Cannot find $PRGDIR/$EXECUTABLE"
    echo "The file is absent or does not have execute permission"
    echo "This file is needed to run this program"
    exit 1
  fi
fi

exec "$EXECUTABLE" start "$@"

4. 修改nginx配置

• 为两个站点分别准备一份nginx配置文件

su - root
cd /etc/nginx/conf.d
cp default.conf a.domain.com.conf
cp default.conf b.domain.com.conf

• 修改配置文件

a.domain.com.conf

server {
    listen  443;
    server_name a.domain.com;

    ssl on;
    ssl_certificate /home/admin/app/a.domain.com/https_certificate/Nginx/1_a.domain.com_bundle.crt;
    ssl_certificate_key /home/admin/app/a.domain.com/https_certificate/Nginx/2_a.domain.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header       Host $host;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;

        # note, there is not SSL here! plain HTTP is used

        proxy_pass http://127.0.0.1:8180;
    }
}

b.domain.com.conf

server {
    client_max_body_size 2000M;  ##上传文件时body的最大值(如：2G 、200K)
    listen  80;
    server_name b.domain.com;

    location / {
         proxy_pass http://127.0.0.1:8280;
    }
}

• 测试配置文件测正确性

nginx -t -c b.domain.com.conf
nginx -t -c a.domain.com.conf

• 重启nginx

service nginx restart

---

这篇教程是根据昨天的配置写的，我的机器是在阿里云上买的centos6.5版本，如果各位同学按照这个配置不能成功可以留言提问