我有些疑惑,也许你可以帮助我。 我有一个运行Nginx和Tomcat的亚马逊EC2实例。我正在尝试使用let加密来提高应用程序的安全性。我的疑惑:
1 - 我应该在Nginx的80端口接收请求(http或https)并将其转发到Tomcat的端口8080吗?
2 - 当获取let的加密证书时(使用此命令sudo ./certbot-auto certonly --agree-tos --webroot -w / opt / tomcat / webapps / ROOT -d mydomain.com)我的webroot文件夹是webapps的路径或特定应用程序的根路径?
3 - 文件夹.well-known / acme-challenge可能在webapps上?根路径的应用?另一个地方?
4 - 我是否需要更改路径/etc/letsencrypt/live/mydomain/key.pem中文件夹的权限?
5 - 我在不同的情况下试过这个配置。我在hostgator中有一个域,我创建了一个子域并指向我的亚马逊实例的ip。在这种情况下,Nginx应该安装在hostgator服务器上,或者我可以将请求从hostgator转发到亚马逊实例中的Nginx?
我尝试过不同类型的解决方案,但是成功了。 Nginx可以正常使用http协议,但是当我尝试使用https时,页面会永远保持加载状态。以上是我此刻的葬礼。感谢您的时间和对不起我的英语,我希望您能理解。
Nginx conf:
upstream tomcat_server {
server 127.0.0.1:8080 fail_timeout=0;
}
server {
listen 80;
listen [::]:80;
server_name mydomain;
return 301 https://$server_name$request_uri;
}
server {
include /etc/nginx/conf.d/ssl-params.conf;
location / {
proxy_pass http://tomcat_server/;
}
}
NGINX:ssl-params.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Tomcat server.xml
...
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
...