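Our web application on tomcat has run fine directly on port 8080 or 8443 for years. Behind nginx on the same server it still works, but some resources that used to take milliseconds to retrieve are now (according to Chrome) taking minutes (suspiciously precisely), making it unusable.
Here is the nginx.conf, with some irrelevant paths removed. The goal is to handle connections on multiple ports and to handle the certificates: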
events {
    worker_connections 4096; ## Default: 1024
}
http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 8080 default_server;
        listen [::]:8080 default_server;
        root /var/www/html;
        server_name zeblon.redangus.org;
        # Redirect non-https traffic to https
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }
    }
    server {
        listen 443 ssl; # managed by Certbot
        listen [::]:443 ssl;
        listen 8443 ssl;
        listen [::]:8443 ssl;
        # RSA certificate
        ssl_certificate <the legitimate path>;
        ssl_certificate_key <the legitimate path>;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_session_cache shared:SSL:1m; # holds approx 4000 sessions
        location / {
            keepalive_timeout 300;
            keepalive_requests 100000;
            proxy_pass http://zeblon.redangus.org:8088/;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
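This is the server.xml used by tomcat. It has been tried on tomcat 8 and tomcat 9, with consistent results. Remove the RemoteIpValve block and change 8088 to 8080, and it is the configuration that worked fine for years without the proxy: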
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener
      className="org.apache.catalina.core.AprLifecycleListener"
      SSLEngine="on" />
  <Listener
      className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
      />
  <Listener
      className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
      />
  <Listener
      className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
      />
  <GlobalNamingResources>
    <Resource
        name="UserDatabase" auth="Container"
        type="org.apache.catalina.UserDatabase"
        description="User database that can be updated and saved"
        factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
        pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector
        SSLEnabled="false"
        port="8088"
        protocol="HTTP/1.1"
        connectionTimeout="20000"
        scheme="http"
        secure="false"
        maxThreads="150"
        />
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm
            className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase"/>
      </Realm>
      <Host
          name="localhost"
          appBase="webapps"
          unpackWARs="true"
          autoDeploy="true">
        <Valve
            className="org.apache.catalina.authenticator.SingleSignOn" />
        <Valve
            className="org.apache.catalina.valves.AccessLogValve"
            directory="logs"
            prefix="localhost_access_log."
            suffix=".txt"
            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        <!-- This is the magic that makes this work correctly
             behind nginx -->
        <Valve
            className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="x-forwarded-for"
            remoteIpProxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto" />
      </Host>
    </Engine>
  </Service>
</Server>