Nginx SSL+tomcat集群,request.getScheme() 取到https正确的协议

转自：http://feitianbenyue.iteye.com/blog/2056357

最近在做一个项目, 架构上使用了 Nginx +tomcat 集群, 且nginx下配置了SSL,tomcat no SSL,项目使用https协议



但是,明明是https url请求,发现 log里面,

Xml代码


0428 15:55:55 INFO (PaymentInterceptor.java:44) preHandle() - requestStringForLog: {

"request.getRequestURL():": "http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6",

"request.getMethod:": "GET",

"_parameterMap": {

"id": ["212"],

"s": ["a84485e0985afe97fffd7fd7741c93851d83a4f6"]

}

}

request.getRequestURL() 输出出来的 一直是
http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6

但是浏览器中的URL却是
https://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6

瞬间要颠覆我的Java观

,API上写得很清楚:

getRequestURL():

Java代码


Reconstructs the URL the client used to make the request.

The returned URL contains a protocol, server name, port number, and server path,

but it does not include query string parameters.

也就是说, getRequestURL() 输出的是不带query string的路经(含协议,端口,server path等信息).



并且,还发现

Xml代码


request.getScheme() //总是 http，而不是实际的http或https

request.isSecure() //总是false（因为总是http）

request.getRemoteAddr() //总是 nginx 请求的 IP，而不是用户的IP

request.getRequestURL() //总是 nginx 请求的URL 而不是用户实际请求的 URL

response.sendRedirect( 相对url ) //总是重定向到 http 上 （因为认为当前是 http 请求）

查阅了一些资料,找到了解决方案:

解决方法很简单，只需要分别配置一下 Nginx 和 Tomcat 就好了，而不用改程序。

配置 Nginx 的转发选项：

Xml代码


proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Proto $scheme;

配置Tomcat server.xml 的 Engine 模块下配置一个 Valve：

Xml代码


<Valve className="org.apache.catalina.valves.RemoteIpValve"

remoteIpHeader="X-Forwarded-For"

protocolHeader="X-Forwarded-Proto"

protocolHeaderHttpsValue="https"/>

配置双方的 X-Forwarded-Proto 就是为了正确地识别实际用户发出的协议是 http 还是 https。

这样以上5项测试就都变为正确的结果了，就像用户在直接访问 Tomcat 一样。

关于 RemoteIpValve,有兴趣的同学可以阅读下 doc

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

Xml代码


Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").

Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

看了下他们的源码,比较简单,在各种框架,各种算法面前,这个类对性能影响很小

如果没有配置protocolHeader 属性, 什么都不做.

如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出来的值是null,什么都不做

如果配置了protocolHeader,但是request.getHeader(protocolHeader)取出来的值(忽略大小写)是配置的protocolHeaderHttpsValue(默认https),scheme设置为https,端口设置为 httpsServerPort

其他设置为 http

Java代码


if (protocolHeader != null) {

String protocolHeaderValue = request.getHeader(protocolHeader);

if (protocolHeaderValue == null) {

// don't modify the secure,scheme and serverPort attributes

// of the request

} else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {

request.setSecure(true);

// use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0

request.getCoyoteRequest().scheme().setString("https");

request.setServerPort(httpsServerPort);

} else {

request.setSecure(false);

// use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0

request.getCoyoteRequest().scheme().setString("http");

request.setServerPort(httpServerPort);

}

}

参考:

SSL证书与Https应用部署小结

http://han.guokai.blog.163.com/blog/static/136718271201211631456811/