
nginx + tomcat ssl 적용

[czar] 2016. 7. 12. 16:40




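# Port-80 listener for a.test.com: redirect every request to HTTPS.
server {
    listen 80;
    server_name a.test.com;

    # $server_name rather than $host: this is the only port-80 server, so it is the
    # default for any Host header, and echoing $host would let a forged Host header
    # steer the redirect to an attacker-chosen domain. $request_uri preserves the
    # original path and query string; `return 301` is the nginx-documented replacement
    # for `rewrite ^(.*) ... permanent`.
    # NOTE(review): the target is the default HTTPS port (443) while the TLS server
    # below listens on 8006 -- this only works if something in front maps 443 -> 8006;
    # confirm against the deployment.
    return 301 https://$server_name$request_uri;
}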


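# TLS terminator on 8006 (catch-all server_name) in front of a TLS backend on 127.0.0.1:8086.
server {
    # TLS is enabled on the listen directive; the standalone `ssl on;` is deprecated
    # since nginx 1.15.0 and removed in later releases.
    listen 0.0.0.0:8006 ssl;
    server_name _;

    ssl_certificate     cert/1_domain.tld_bundle.crt;   # leaf certificate + intermediates
    ssl_certificate_key cert/2_domain.tld.key;          # private key; keep it root-owned, mode 0600

    # TLS 1.0/1.1 are deprecated (RFC 8996) and fail PCI DSS; offer 1.2+ only.
    # Drop TLSv1.3 if nginx < 1.13.0 or OpenSSL < 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original string
    # (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP) still admitted RC4, export-grade
    # and static-RSA (non-PFS) suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    location / {
        # Re-encrypts to the local backend. nginx does NOT verify the upstream
        # certificate unless proxy_ssl_verify / proxy_ssl_trusted_certificate are set;
        # tolerable on loopback, not if this ever points at a remote host.
        proxy_pass https://127.0.0.1:8086;
        # Same forwarding headers as the tomcat-a server block, so the backend sees the
        # real client and knows the request arrived over HTTPS.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}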





nginx 설정

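# Port-80 listener for test.a.com: redirect every request to the HTTPS server below.
server {
    listen 80;
    server_name test.a.com;

    # $server_name, not $host: as the only port-80 server this is the default for any
    # Host header, and echoing $host into the redirect would let a forged Host header
    # send the client to an attacker-chosen domain. $request_uri keeps the original
    # path and query string; `return 301` is the nginx-documented form of this rewrite.
    return 301 https://$server_name$request_uri;
}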

        # payraiz pay --nhn
        server {
#               listen                  80;
                listen                  443 ssl;
                server_name             test.a.com;
                charset                 utf-8;
                root                    /home/a/www;


                include         ssl.conf;

                location / {
                        index           index.jsp index.html index.do;
                }
                location ~ \.jsp$ {
                        proxy_pass              http://tomcat-a;
                        proxy_set_header        X-Real-IP $remote_addr;
                        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header        Host $http_host;
                }

                location ~ \.do* {
                        proxy_pass              http://tomcat-a;
                        proxy_set_header        X-Real-IP $remote_addr;
                        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header        Host $http_host;
                }

                location /probe/ {
                        proxy_pass              http://tomcat-a;
                }

                location /robots.txt {
                   return 200 "User-agent: *\nDisallow: /";
                }

        }

ssl.conf
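# ssl.conf -- shared TLS settings, included by the `listen 443 ssl` server block.
# TLS is enabled by that listen directive; the standalone `ssl on;` that used to be
# here is deprecated since nginx 1.15.0 and removed in later releases.
ssl_certificate         /usr/local/nginx/ssl/bundle.crt; # leaf certificate + intermediate chain
ssl_certificate_key     /usr/local/nginx/ssl/key.key;    # private key; keep it root-owned, mode 0600

# HSTS. Enable only once every host under the domain is served over HTTPS, and start
# with a short max-age and without `preload`: preload is effectively irreversible
# (it is shipped in browser lists).
#  add_header Strict-Transport-Security 'max-age=15552000; includeSubDomains; preload' always;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
# With tickets left on, nginx's default ticket key is only regenerated on restart/reload,
# which weakens forward secrecy across sessions; turn them off where the version allows.
#ssl_session_tickets off; # Requires nginx >= 1.5.9

# The original line enabled SSLv2/SSLv3 (DROWN, POODLE) and TLS 1.0/1.1 (deprecated,
# RFC 8996). Drop TLSv1.3 if nginx < 1.13.0 or OpenSSL < 1.1.1.
ssl_protocols               TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only. Removed from the original list: the static-RSA
# suites (no PFS), 3DES (SWEET32) and the pre-RFC `CHACHA20-draft` name.
ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers   on;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0; on nginx >= 1.11.0 / OpenSSL >= 1.0.2 prefer X25519:prime256v1:secp384r1

# OCSP stapling. Per the nginx docs, ssl_stapling_verify needs the issuer chain up to
# the root supplied via ssl_trusted_certificate; without it the OCSP response fails
# verification and nothing is stapled (an error is logged). Point the directive at a
# file holding the intermediates AND the root, then uncomment.
ssl_stapling on;
ssl_stapling_verify on; # Requires nginx => 1.3.7
# ssl_trusted_certificate /usr/local/nginx/ssl/chain-with-root.crt;
# Resolver used to reach the OCSP responder. Prefer an internal resolver over a public
# one so certificate-status lookups are not handed to a third party.
resolver 8.8.8.8;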


인증서는 WoSign에서 발급(3년 무료). 단, WoSign은 2016년 인증서 발급일 조작 등의 문제로 이후 주요 브라우저(Mozilla, Chrome, Apple)에서 신뢰가 철회되었으므로, 현재는 이 CA의 인증서를 사용하지 말고 Let's Encrypt 등 신뢰되는 다른 CA를 사용해야 한다.
https://www.wosign.com/english/

https://www.wosign.com/english/freeSSL.htm



tomcat 설정

  <!-- APR/native lifecycle listener. SSLEngine="on" only matters when Tomcat terminates
       TLS itself through the APR connector; with TLS terminated at nginx it is unused. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

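<!-- Plain-HTTP connector that only nginx should talk to (TLS is terminated at nginx).
     scheme/proxyPort make Tomcat build https://host:443 URLs, but request.isSecure()
     is driven by `secure`, not `scheme`: without secure="true" it returns false and
     the JSESSIONID cookie is issued without the Secure flag, so it can leak over HTTP.
     redirectPort is unused once secure="true" (no security-constraint redirects fire).
     NOTE(review): if nginx runs on this host, add address="127.0.0.1" so port 7880
     cannot be reached directly and bypass TLS -- verify the topology first.
     Alternative: a RemoteIpValve with protocolHeader="X-Forwarded-Proto" derives
     scheme, secure and port from the proxy headers instead of hard-coding them. -->
<Connector URIEncoding="UTF-8" port="7880" protocol="HTTP/1.1"
               connectionTimeout="20000"
               proxyPort="443"
               scheme="https"
               secure="true"
               redirectPort="7843" />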