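I. Software environment and architecture
1. Environment: keepalived, CentOS 6.5, Nginx 1.8.1, Tomcat 8
2. Architecture overview: two servers, A and B, with assumed IPs 10.32.31.111 and 10.32.31.112. Each server runs keepalived (master/backup configuration), Nginx (port 80) and two Tomcat instances (ports 8081 and 8082).
Virtual IP: 10.32.31.110. The two web projects (firstWeb and secondWeb) are distinguished by path, as shown in the figure below: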

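II. Configuring the SSL certificate
1. Tomcat configuration
Edit conf/server.xml of tomcat8081 and make the following change (set proxyName to the domain name or the IP; if both should work at the same time, omit the proxyName setting):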
<Connector port="8081" protocol="HTTP/1.1"
connectionTimeout="20000" URIEncoding="UTF-8"
redirectPort="8442" scheme="https" proxyName="10.32.31.110" proxyPort="443"/>

Edit conf/server.xml of tomcat8082 and make the following change:
<Connector port="8082" protocol="HTTP/1.1"
connectionTimeout="20000" URIEncoding="UTF-8"
redirectPort="8443" scheme="https" proxyName="10.32.31.110" proxyPort="443"/>

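2. Nginx configuration
First check whether Nginx was built with the required module, http_ssl_module, as shown in the figure below:

Find the Nginx configuration file nginx.conf and make the following changes (the key parts were marked in red in the original; if you do not need the forced redirect to HTTPS, remove the part that was marked in green):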
worker_processes 4;
user super;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream alam {
        ip_hash;
        server 10.32.31.111:8081;
        server 10.32.31.112:8081;
    }
    upstream alarm {
        ip_hash;
        server 10.32.31.111:8082;
        server 10.32.31.112:8082;
    }
    server {
        listen 80;
        server_name 10.32.31.110 <domain>; # multiple domain names and IPs can be listed here
        # forced redirect to HTTPS; $server_name expands to the first name listed above
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl; # 443 is the default HTTPS port
        server_name 10.32.31.110 <domain>;
        location /firstWeb {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # disable proxy buffering
            proxy_buffering off;
            # reverse proxy target
            proxy_pass http://alam;
            # upload size limit
            client_max_body_size 2000m;
        }
        location /secondWeb {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # disable proxy buffering
            #proxy_buffering off;
            # reverse proxy target
            proxy_pass http://alarm;
            # upload size limit
            client_max_body_size 2000m;
        }
        ssl_certificate server.pem;     # certificate (public key)
        ssl_certificate_key server.key; # certificate private key
        ssl_session_cache shared:SSL:10m;
    }
}
The SSL certificate can be self-generated or purchased.
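Added example, not part of the original article: one way to generate a self-signed server.pem / server.key pair for the nginx configuration above and to confirm that the key belongs to the certificate before reloading nginx. The function names, the 2048-bit RSA key, the 365-day validity and the example.test domain are assumptions; the -addext option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original article). Names and parameters are assumptions.

# gen_self_signed DIR IP DOMAIN
# Writes DIR/server.key and DIR/server.pem. The certificate carries both the
# virtual IP and the domain as subjectAltName entries, because clients match
# the address they connected to against the SAN list, not against the CN.
gen_self_signed() {
    dir=$1 ip=$2 domain=$3
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the private key is created owner-readable only
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -keyout "$dir/server.key" -out "$dir/server.pem" \
          -subj "/CN=$domain" \
          -addext "subjectAltName=IP:$ip,DNS:$domain" )
}

# key_matches_cert DIR
# Succeeds only when server.key is the private key for server.pem, by comparing
# SHA-256 digests of the DER-encoded public key taken from each file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/server.pem" -noout -pubkey |
               openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout -outform DER |
              openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san DIR ENTRY
# ENTRY is written as openssl prints it, e.g. "IP Address:10.32.31.110".
cert_has_san() {
    openssl x509 -in "$1/server.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -qF "$2"
}

# Typical use, run in the directory that holds nginx.conf:
#   gen_self_signed . 10.32.31.110 example.test &&
#   key_matches_cert . && cert_has_san . "IP Address:10.32.31.110" &&
#   nginx -t
```

Browsers will still warn about a self-signed certificate until it is imported as trusted on the client; a purchased certificate drops into the same two file names.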
