最近在做一個項目, 架構上使用了 Nginx +tomcat 集群, 且nginx下配置了SSL,tomcat no SSL,項目使用https協議

但是,明明是https url請求,發現 log里面,

 

0428 15:55:55 INFO  (PaymentInterceptor.java:44) preHandle() - requestStringForLog:    {  
        "request.getRequestURL():": "http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6",  
        "request.getMethod:": "GET",  
        "_parameterMap":         {  
            "id": ["212"],  
            "s": ["a84485e0985afe97fffd7fd7741c93851d83a4f6"]  
        }  
    }
request.getRequestURL() 輸出出來的 一直是  http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6
但是瀏覽器中的URL卻是 https://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6

 

 

瞬間要顛覆我的Java觀尷尬,API上寫得很清楚:

 

getRequestURL():

Reconstructs the URL the client used to make the request. The returned URL contains a protocol, server name, port number, and server path, but it does not include query string parameters.

也就是說, getRequestURL() 輸出的是不帶query string的路經(含協議 端口 server path等信息).

 

 

并且,還發現

 

request.getScheme()  //總是 http,而不是實際的http或https  
request.isSecure()  //總是false(因為總是http)  
request.getRemoteAddr()  //總是 nginx 請求的 IP,而不是用戶的IP  
request.getRequestURL()  //總是 nginx 請求的URL 而不是用戶實際請求的 URL  
response.sendRedirect( 相對url )  //總是重定向到 http 上 (因為認為當前是 http 請求)

查閱了一些資料,找到了解決方案:

 

解決方法很簡單,只需要分別配置一下 Nginx 和 Tomcat 就好了,而不用改程序。

 

配置 Nginx 的轉發選項:

proxy_set_header       Host $host;  
proxy_set_header  X-Real-IP  $remote_addr;  
proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;  
proxy_set_header X-Forwarded-Proto  $scheme;

proxy_set_header X-Forwarded-Proto $scheme;

 

配置Tomcat server.xml 的 Engine 模塊下配置一個 Valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve"  
remoteIpHeader="X-Forwarded-For"  
protocolHeader="X-Forwarded-Proto"  
protocolHeaderHttpsValue="https"/>

位置如下

<Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" /> -->
        <!--- nginx https-->
         <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"/>
      </Host>

 

配置雙方的 X-Forwarded-Proto 就是為了正確地識別實際用戶發出的協議是 http 還是 https。

這樣以上5項測試就都變為正確的結果了,就像用戶在直接訪問 Tomcat 一樣。

 

關于 RemoteIpValve,有興趣的同學可以閱讀下 doc 

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").   
   
Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

看了下他們的源碼,比較簡單,在各種框架,各種算法面前,這個類對性能影響很小

 

  • 如果沒有配置protocolHeader 屬性, 什么都不做.
  • 如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出來的值是null,什么都不做
  • 如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出來的值(忽略大小寫)是 配置的protocolHeaderHttpsValue(默認https),scheme設置為https,端口設置 為 httpsServerPort
  • 其他設置為 http
if (protocolHeader != null) {  
    String protocolHeaderValue = request.getHeader(protocolHeader);  
    if (protocolHeaderValue == null) {  
        // don't modify the secure,scheme and serverPort attributes  
        // of the request  
    } else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {  
        request.setSecure(true);  
        // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0  
        request.getCoyoteRequest().scheme().setString("https");  
          
        request.setServerPort(httpsServerPort);  
    } else {  
        request.setSecure(false);  
        // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0  
        request.getCoyoteRequest().scheme().setString("http");  
          
        request.setServerPort(httpServerPort);  
    }  
}

轉載地址:http://www.rzrgm.cn/interdrp/p/4881785.html