Nginx部署的好处:部署时不需要重启oa服务,不需要升级jdk,可以做到热部署
1.选一个夜深人静的时候,给服务器打个快照
2.申请域名证书
我在腾讯云申请的免费SSL证书(TrustAsia TLS RSA CA 1年),在哪申请无所谓,网上很多相关教程的,自己找哦~
3.Linux下的编译安装Nginx
注:如果过程中报错了,或者验证安装时发现不对,那肯定是缺点啥,观察报错,然后问百度或者问GPT等解决(我这一路运行下来没出问题emmmm)
SSH进入服务器 安装 Nginx 依赖包
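# Build-time dependencies for nginx (zlib, PCRE and OpenSSL headers plus related -devel packages).
# openssl098e, the long end-of-life OpenSSL 0.9.8e compatibility library, has been dropped:
# nginx builds against openssl-devel and does not need it.
yum install -y zlib-devel pcre-devel e2fsprogs-devel keyutils-libs-devel libsepol-devel libselinux-devel krb5-devel openssl openssl-devel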
安装 GCC 编译工具
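# Compiler toolchain for the source build. `make` is installed explicitly because the
# build steps below call it and a minimal install may not ship it.
yum -y install gcc make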
下载 Nginx 安装包
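# Fetch the tarball from the official nginx.org site over HTTPS instead of a third-party
# site over plain HTTP: this archive is compiled and installed as root, so its origin and
# integrity matter.
wget https://nginx.org/download/nginx-1.24.0.tar.gz -P /opt/nginx.bak
wget https://nginx.org/download/nginx-1.24.0.tar.gz.asc -P /opt/nginx.bak
# Check the detached signature before unpacking. This needs the nginx release signing
# key imported first (published at https://nginx.org/en/pgp_keys.html); do not continue
# if gpg does not report a good signature.
gpg --verify /opt/nginx.bak/nginx-1.24.0.tar.gz.asc /opt/nginx.bak/nginx-1.24.0.tar.gz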
解压 Nginx 安装包
# Unpack the gzip-compressed source archive into /opt/nginx.bak.
tar --extract --gzip --file=/opt/nginx.bak/nginx-1.24.0.tar.gz --directory=/opt/nginx.bak
编译 Nginx
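cd /opt/nginx.bak/nginx-1.24.0
# --user/--group set the compiled-in default account for worker processes, which applies
# whenever nginx.conf has no `user` directive. An unprivileged account is used instead of
# root so the processes that parse client traffic do not run with root privileges; the
# master process still starts as root to bind the listening ports and read the private key.
./configure --user=nobody --group=nobody --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-stream --with-stream_ssl_module
make
make install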
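# Update 2024-09-10 17:56:09: rebuild with the http2, gzip_static and slice modules added.
# Worker default account is an unprivileged one (not root), so a rebuild does not put the
# processes that handle client traffic back under root.
cd /opt/nginx.bak/nginx-1.24.0 && ./configure --user=nobody --group=nobody --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_slice_module && make && make install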
编译完成后会在/opt目录中生成一个nginx文件夹。
验证安装
/opt/nginx/sbin/nginx -v
如果显示 nginx version: nginx/1.24.0,那OK,应该是没问题了,下一步,GOGOGO!
4.Nginx.conf文件配置 /opt/nginx/conf/nginx.conf
这一步顺便把你申请的证书 oa.crt、oa.key 放进 /opt/nginx/conf。私钥 oa.key 建议设置为仅 root 可读(例如 chmod 600 /opt/nginx/conf/oa.key),不要让其他用户读到。
按照自己服务器情况修改,在网上学习下nginx配置文件说明哦~
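# Run worker processes as an unprivileged account. The build in this guide is configured
# with --user=root --group=root, so without an explicit `user` directive the workers that
# handle client traffic would run as root. The master process still runs as root to bind
# the listening ports and read the certificate key.
# If nginx has already been started as root on this host, chown the *_temp directories
# under /opt/nginx to this account before reloading.
user nobody;
worker_processes 8;
error_log logs/error.log;
# Per-worker open file descriptor limit.
worker_rlimit_nofile 65535;

events {
    # Maximum simultaneous connections per worker process.
    worker_connections 10024;
}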
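http {
    # Backends are reached over loopback in plaintext; nginx terminates TLS in front of them.
    # NOTE(review): if the backend ports (80/8999/7070) also listen on a public interface
    # they stay reachable without TLS. Confirm they are firewalled or bound to 127.0.0.1.
    upstream ecologyclusterhttps {
        server 127.0.0.1:80;
    }
    upstream emobileclusterhttps {
        server 127.0.0.1:8999;
    }
    upstream emessageclusterhttps {
        server 127.0.0.1:7070;
    }

    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Accepts request bodies up to 1000 MB; size this to the largest upload actually
    # expected, since every client can make nginx buffer that much.
    client_max_body_size 1000M;
    client_body_buffer_size 128K;
    # Do not disclose the nginx version in the Server header and error pages.
    server_tokens off;

    fastcgi_connect_timeout 300s;
    fastcgi_send_timeout 300s;
    fastcgi_read_timeout 300s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;

    client_header_buffer_size 128k;
    large_client_header_buffers 4 128k;
    proxy_buffer_size 64k;
    proxy_buffers 8 64k;

    # TLS policy, set once here and inherited by every HTTPS server below.
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered. The cipher list
    # keeps only the forward-secret AES-GCM suites from the original list; the 3DES,
    # CBC-SHA1 and static-RSA suites are dropped.
    # TLSv1.3 takes effect only when nginx is linked against OpenSSL 1.1.1 or newer.
    # NOTE(review): a client that cannot negotiate TLS 1.2 will fail to connect; confirm
    # the client inventory before rollout.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # ecology (main OA web application)
    server {
        listen 443 ssl;                 # HTTPS port for ecology
        server_name localhost;
        ssl_certificate oa.crt;         # ecology certificate (.crt/.pem)
        ssl_certificate_key oa.key;     # ecology private key (.key)

        location / {
            root html;
            index index.html index.htm index.jsp;
            proxy_pass http://ecologyclusterhttps;
            proxy_read_timeout 3600;
            proxy_send_timeout 3600;
            proxy_buffer_size 128k;
            proxy_buffers 32 32k;
            proxy_busy_buffers_size 128k;
            # Rewrite http:// redirects issued by the backend to the client's scheme.
            proxy_redirect http:// $scheme://;
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
            # sent, so earlier entries are client-controlled. X-Real-IP carries the
            # address nginx actually saw.
            # NOTE(review): confirm which header the backend trusts for the client IP.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }

    # emobile
    server {
        listen 9444 ssl;                # HTTPS port for emobile
        server_name localhost;
        ssl_certificate oa.crt;         # emobile certificate (.crt/.pem)
        ssl_certificate_key oa.key;     # emobile private key (.key)

        location / {
            root html;
            index index.html index.htm index.jsp;
            proxy_pass http://emobileclusterhttps;
            proxy_read_timeout 3600;
            proxy_send_timeout 3600;
            proxy_buffer_size 128k;
            proxy_buffers 32 32k;
            proxy_busy_buffers_size 128k;
            proxy_redirect http:// $scheme://;
            # See the ecology location: X-Forwarded-For may contain client-supplied entries.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }

    ## 9090 is the message service port
    ## emessage for the PC client
    server {
        listen 7444 ssl;                # HTTPS port for PC emessage
        server_name localhost;
        ssl_certificate oa.crt;         # PC emessage certificate (.crt/.pem)
        ssl_certificate_key oa.key;     # PC emessage private key (.key)

        location / {
            root html;
            index index.html index.htm index.jsp;
            proxy_pass http://emessageclusterhttps;
            proxy_read_timeout 3600;
            proxy_send_timeout 3600;
            proxy_buffer_size 128k;
            # Required for the 7070 backend: HTTP/1.1 with the Upgrade/Connection
            # headers passed through so connection upgrades reach the backend.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffers 32 32k;
            proxy_busy_buffers_size 128k;
            proxy_redirect http:// $scheme://;
            # X-Forwarded-For may contain client-supplied entries; X-Real-IP is set by nginx.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
    }
}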
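## emessage for mobile clients (TCP stream proxy with TLS termination)
stream {
    upstream emessagecluster3 {
        # Pin each client address to the same backend via consistent hashing.
        hash $remote_addr consistent;
        server 127.0.0.1:5222;          # internal IP + port of the mobile emessage backend
    }

    server {
        listen 5444 ssl;                # TLS port for mobile emessage
        ssl_certificate oa.crt;         # mobile emessage certificate (.crt/.pem)
        ssl_certificate_key oa.key;     # mobile emessage private key (.key)
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered. The cipher
        # list keeps only the forward-secret AES-GCM suites from the original list; the
        # 3DES, CBC-SHA1 and static-RSA suites are dropped.
        # TLSv1.3 takes effect only when nginx is linked against OpenSSL 1.1.1 or newer.
        # NOTE(review): confirm the mobile clients in use can negotiate TLS 1.2.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        proxy_pass emessagecluster3;
        proxy_connect_timeout 2s;
        proxy_timeout 360s;
    }
}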
检查是否成功,进入/opt/nginx/sbin
,运行代码
./nginx -t
提示nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
,OK,继续!
启动nginx:/opt/nginx/sbin
目录下执行
./nginx
启动nginx
你可以使用命令停止或重启运行
./nginx -s stop
停止nginx
./nginx -s reload
重新加载配置(平滑重启)nginx
5.配置nginx服务自启动
**编辑
/etc/rc.local**
- 使用
vi
或其他文本编辑器打开/etc/rc.local
。 - 添加
/opt/nginx/sbin/nginx
(或者 Nginx 的实际安装路径)到文件中。
vi /etc/rc.local
然后在文件中添加:
/opt/nginx/sbin/nginx
赋予执行权限
- 确保
/etc/rc.local
文件具有执行权限。
chmod +x /etc/rc.local
6.强制http跳转https
在nginx.conf中增加一个新的server块
# Additional server block: redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name localhost;

    # Permanently redirect every HTTP request to the same host and URI over HTTPS.
    return 301 https://$host$request_uri;
}
找到泛微weaver目录下的resin文件夹中的conf文件夹中的resin.properties文件,修改端口80为81(避免冲突),重启ecology,修改nginx配置中的ip:80为ip:81,重启nginx,最后,记得去移动管理平台里改下链接端口为新的https端口,就OK了!改完后建议用防火墙限制外部直接访问后端明文端口(如81、8999、7070、5222),只对外放行nginx监听的端口,否则绕过nginx仍可明文访问后端。
泛微OA-E9部署HTTPS过程(Linux'CentOS'使用Nginx部署) by https://oneszhang.com/archives/linux-nginx-oa.html