一、最终正确配置

1. Tomcat server.xml 8080

xml

<Connector port="8080" protocol="HTTP/1.1"
    maxHttpHeaderSize="8192"
    minProcessors="100" maxProcessors="5000"
    maxThreads="2000" minSpareThreads="500"
    enableLookups="false" acceptCount="2000"
    compression="on" compressionMinSize="2048" maxKeepAliveRequests="1"
    compressableMimeType="text/html,text/xml,text/javascript,application/javascript,text/css,text/plain"
    disableUploadTimeout="true" debug="0"
    connectionTimeout="20000"
    scheme="https"
    proxyPort="443"
    redirectPort="8443"
/>

2. Nginx HTTPS 配置

nginx

server {
    listen  443 ssl http2;
    server_name  captest.yunnanca.cn;

    ssl_certificate      cert/captest.yunnanca.cn.pem;
    ssl_certificate_key  cert/captest.yunnanca.cn.key;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
    }
}

二、核心说明

  • scheme="https":告诉 Tomcat 外部是 HTTPS

  • proxyPort="443":告诉 Tomcat 外部端口是 443

  • X-Forwarded-Proto https:传递真实协议,保证登录、Cookie 正常

三、现象

  • 外网 HTTPS:正常访问、登录、样式正常

  • 内网 HTTP:CSS/JS 加载失败(正常现象,不影响生产)

  • 结论:配置标准、正确,可直接用于生产