首先要明白两个基本知识点:
- 平时我们在地址栏里面输入https://www.domain.com 访问的是80端口,相当于https://www.domain.com:80
- 而 https://www.domain.com 使用的是443端口
那么问题就来了,如果多个系统都要单独使用一个二级域名的话,直接修改tomcat的配置会导致端口冲突。
下面我的解决办法是在Internet和tomcat之间加一个nginx反向代理。
基本结构
https请求发送到nginx,nginx将请求代理到tomcat
nginx解决了单ip多域名的问题,多站点就需要tomcat来解决了
网上找到的最好的解决方案是多实例tomcat配置实现单机多站点
什么意思呢?
就是把tomcat拷贝多份,然后修改各个tomcat的server.xml中的shutdown,http以及AJP1.3的端口,然后将tomcat实例启动即可。
如果你们公司好比较重视技术基础设施最好是不要在一台server上部署太多的应用,这个方案对内存要求比较高,因为每个tomcat跑起来之后可能会占200M左右内存,这还是对并发量比较小的,如果实例数一多起来,内存会吃不消。
实操步骤
首先默认你有两个以上指向你的服务器的域名,顶级域名或二级域名都可以。
默认你的服务器上已经安装好了jdk环境。后文中使用的tomcat是8.5版本的。
默认你的服务器上已经安装好了jdk环境。后文中使用的tomcat是8.5版本的。
有两个站点:a.domain.com 和 b.domain.com ,a.domain.com使用https访问,b.domain.com使用http访问
- 1.安装nginx
- yum install nginx
- 2.下载tomcat,解压到你需要的路径下
- 假定tomcat解压在/home/admin/app/tomcat 下
- 3.配置各独立站点
- 为A、B站点各新建一个目录,分别为是/home/admin/app/a.domain.com 和 /home/admin/app/b.domain.com
- 将/home/admin/app/tomcat下的 conf、logs、temp、webapps、work分别拷贝一份到/home/admin/app/a.domain.com 和 /home/admin/app/b.domain.com下
- 建一个目录/home/admin/app/a.domain.com/https_certificate 存放ssl证书
- 分别修改两个站点目录下的conf/server.xml文件,修改原则就是:凡是涉及到端口的地方全都修改成唯一的
- /home/admin/app/a.domain.com/conf/server.xml
- ...
- <Server port="8105" shutdown="SHUTDOWN">
- ...
- <Connector port="8180" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="443"
- proxyPort="443" />
- ...
- <Connector port="8109" protocol="AJP/1.3" redirectPort="8543" />
- ...
- /home/admin/app/b.domain.com/conf/server.xml
- ...
- <Server port="8205" shutdown="SHUTDOWN">
- ...
- <Connector port="8280" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8543" />
- ...
- <Connector port="8209" protocol="AJP/1.3" redirectPort="8643" />
- ...
- 为各独立站点配置独立的启动脚本,实际上就是把tomcat原来的startup.sh做了一点修改
- /home/admin/app/a.domain.com/startup.sh
- export CATALINA_BASE=/home/admin/app/a.domain.com
- export CATALINA_HOME=/home/admin/app/tomcat
- #!/bin/sh
- # Licensed to the Apache Software Foundation (ASF) under one or more
- # contributor license agreements. See the NOTICE file distributed with
- # this work for additional information regarding copyright ownership.
- # The ASF licenses this file to You under the Apache License, Version 2.0
- # (the "License"); you may not use this file except in compliance with
- # the License. You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- # -----------------------------------------------------------------------------
- # Start Script for the CATALINA Server
- # -----------------------------------------------------------------------------
- # Better OS/400 detection: see Bugzilla 31132
- os400=false
- case "`uname`" in
- OS400*) os400=true;;
- esac
- # resolve links - $0 may be a softlink
- PRG="$0"
- while [ -h "$PRG" ] ; do
- ls=`ls -ld "$PRG"`
- link=`expr "$ls" : '.*-> \(.*\)
- [/align]`
- if expr "$link" : '/.*' > /dev/null; then
- PRG="$link"
- else
- PRG=`dirname "$PRG"`/"$link"
- fi
- done
- PRGDIR=`dirname "$PRG"`
- EXECUTABLE=/home/admin/app/tomcat/bin/catalina.sh
- # Check that target executable exists
- if $os400; then
- # -x will Only work on the os400 if the files are:
- # 1. owned by the user
- # 2. owned by the PRIMARY group of the user
- # this will not work if the user belongs in secondary groups
- eval
- else
- if [ ! -x "$EXECUTABLE" ]; then
- echo "Cannot find $PRGDIR/$EXECUTABLE"
- echo "The file is absent or does not have execute permission"
- echo "This file is needed to run this program"
- exit 1
- fi
- fi
- exec "$EXECUTABLE" start "$@"
- /home/admin/app/b.domain.com/startup.sh
- export CATALINA_BASE=/home/admin/app/b.domain.com
- export CATALINA_HOME=/home/admin/app/tomcat
- #!/bin/sh
- # Licensed to the Apache Software Foundation (ASF) under one or more
- # contributor license agreements. See the NOTICE file distributed with
- # this work for additional information regarding copyright ownership.
- # The ASF licenses this file to You under the Apache License, Version 2.0
- # (the "License"); you may not use this file except in compliance with
- # the License. You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- # -----------------------------------------------------------------------------
- # Start Script for the CATALINA Server
- # -----------------------------------------------------------------------------
- # Better OS/400 detection: see Bugzilla 31132
- os400=false
- case "`uname`" in
- OS400*) os400=true;;
- esac
- # resolve links - $0 may be a softlink
- PRG="$0"
- while [ -h "$PRG" ] ; do
- ls=`ls -ld "$PRG"`
- link=`expr "$ls" : '.*-> \(.*\)
- [/align]`
- if expr "$link" : '/.*' > /dev/null; then
- PRG="$link"
- else
- PRG=`dirname "$PRG"`/"$link"
- fi
- done
- PRGDIR=`dirname "$PRG"`
- EXECUTABLE=/home/admin/app/tomcat/bin/catalina.sh
- # Check that target executable exists
- if $os400; then
- # -x will Only work on the os400 if the files are:
- # 1. owned by the user
- # 2. owned by the PRIMARY group of the user
- # this will not work if the user belongs in secondary groups
- eval
- else
- if [ ! -x "$EXECUTABLE" ]; then
- echo "Cannot find $PRGDIR/$EXECUTABLE"
- echo "The file is absent or does not have execute permission"
- echo "This file is needed to run this program"
- exit 1
- fi
- fi
- exec "$EXECUTABLE" start "$@"
- 4. 修改nginx配置
- 为两个站点分别准备一份nginx配置文件
- su - root
- cd /etc/nginx/conf.d
- cp default.conf a.domain.com.conf
- cp default.conf b.domain.com.conf
- 修改配置文件
- a.domain.com.conf
- server {
- listen 443;
- server_name a.domain.com;
- ssl on;
- ssl_certificate /home/admin/app/a.domain.com/https_certificate/Nginx/1_a.domain.com_bundle.crt;
- ssl_certificate_key /home/admin/app/a.domain.com/https_certificate/Nginx/2_a.domain.com.key;
- ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置
- ssl_prefer_server_ciphers on;
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- # note, there is not SSL here! plain HTTP is used
- proxy_pass https://127.0.0.1:8180;
- }
- }
- b.domain.com.conf
- server {
- client_max_body_size 2000M; ##上传文件时body的最大值(如:2G 、200K)
- listen 80;
- server_name b.domain.com;
- location / {
- proxy_pass https://127.0.0.1:8280;
- }
- }
- 测试配置文件测正确性
- nginx -t -c b.domain.com.conf
- nginx -t -c a.domain.com.conf
- 重启nginx
- service nginx restart