Apex安装及配置

0.前提

ssh免密,改端口,禁用root登录
防火墙配置
添加用户,赋权
Oracle 数据库本次是四个对应不同连接
1. Oracle 19c数据库 test162 (非CDB/PDB模式)
2. Oracle 19c数据库 testdb (CDB/PDB模式 165)
3. Oracle 19c数据库 test163 (CDB/PDB模式)
4. Oracle 19c数据库 test164 (CDB/PDB模式)
Oracle 驱动环境Oracle Client 下载 - 官方安装参考
SQLcl (可选) 官方文档
jdk-16 Oracle JDK 下载
tomcat-9.0.45 Tomcat 9 下载
nginx-1.19.9 下载 wget http://nginx.org/download/nginx-1.19.10.tar.gz
ords 下载地址 - 官方文档
APEX 下载地址 - 官方文档
检查 Oracle字符集 NLS_CHARACTERSET AL32UTF8 后面会涉及到中文乱码

1	select * from nls_database_parameters where parameter like '%CHARACTERSET%';

配置多个数据库
1. test162 对应url http://xxxx.com/edex/test162/f?p=4000
2. testdb 对应url http://xxxx.com/edex/testdb/f?p=4000
3. test163 对应url http://xxxx.com/edex/test163/f?p=4000
4. test164 对应url http://xxxx.com/edex/test164/f?p=4000
Oracle
1. 命名长度128 文档
2. 支持varchar2 超过4000 文档
3. 字符集UTF8
4. 准备 user 不过期的profile 文档
5. 准备 user 半年或者一年过期的profile 文档
6. 指定 JOB_QUEUE_PROCESSES = cpu* 20 文档

整体架构

1.Tomcat(Java,tomcat)

1.1.JAVA

Oracle JDK 下载

rpm -ivh jdk-16_linux-x64_bin.rpm
find / -name jav*
...
/usr/java/jdk-16/bin/java
...
<!--设置环境变量-->
vim  /etc/profile
...
export JAVA_HOME="/usr/java/jdk-16"
export JAVA_BIN=$JAVA_HOME/bin
export PATH=$JAVA_BIN:$JAVA_HOME:$PATH

1.2.Tomcat

Tomcat 9 下载

unzip  apache-tomcat-9.0.45.zip 
<!--创建tomcat运行用户-->
useradd -d /opt/tomcat -s /bin/nologin tomcat
mv ./apache-tomcat-9.0.45 /opt/tomcat
chown -R tomcat:tomcat /opt/tomcat
<!--设置环境变量-->
vim  /etc/profile
...
export CATALINA_HOME=/opt/tomcat
export CATALINA_BASE=/opt/tomcat

1.设置tomcat后台进程及自启参考

vim /etc/systemd/system/tomcat.service
TODO 参数可能要改

[Unit]
Description=Apache Tomcat 9 Servlet Container
Wants=network.target
After=network.target

[Service]
User=tomcat
Group=tomcat
Type=forking
UMask=0007
RestartSec=10

Environment=CATALINA_PID=/opt/tomcat/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment=JAVA_HOME=/usr/java/jdk-16
Environment='CATALINA_OPTS=-Xms512M -Xmx1G -Djava.net.preferIPv4Stack=true'
Environment='JAVA_OPTS=-server -Xms4096m -Xmx4096m -XX:PermSize=256M -XX:MaxNewSize=512m -XX:MaxPermSize=512m -Djava.awt.headless=true'

ExecStart=/u01/tomcat/bin/startup.sh
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
SuccessExitStatus=143
Restart=on-failure

[Install]
WantedBy=multi-user.target

优化

1 2	rm -rf /opt/tomcat/webapps/manager /opt/tomcat/webapps/host-manager rm -rf ../webapps/docs ../webapps/examples

Server.xml 配置 vim /opt/tomcat/conf/server.xml

...
   <Service name="Catalina">
 <Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"  
            scheme="https"
            redirectPort="8443" /> <!--奇奇怪怪的oauth2回调跳转 -->
 ...
  <Host name="localhost"  appBase="webapps"
         unpackWARs="true" autoDeploy="true">
     <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost_access_log" suffix=".txt"
            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    
       <!-- nginx配置-->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
            remoteIpHeader="X-Forwarded-For"
            protocolHeader="X-Forwarded-Proto"
            internalProxies="127\.0\.0\.1|10\.x\.x\.x"/> <!--nginx服务器地址 -->
   </Host>
...

2.Apex

2.1. Oracle Client

Oracle Client 下载 - 官方安装参考 - Oracle Client Sqlplus 下载

mkdir  /opt/oracle_client 
mv /home/xxxx/instantclient-basic-linux.x64-21.1.0.0.0.zip  /opt/oracle_client
<!-- sqlplus-->
mv /home/xxxx/instantclient-sqlplus-linux.x64-21.1.0.0.0.zip /opt/oracle_client
unzip instantclient-basic-linux.x64-21.1.0.0.0.zip
unzip instantclient-sqlplus-linux.x64-21.1.0.0.0.zip 
yum install libaio

sh -c "echo /opt/oracle_client/instantclient_21_1 >/etc/ld.so.conf.d/oracle-instantclient.conf"

ldconfig

<!--设置环境变量-->
vim  /etc/profile
...
export PATH=$JAVA_BIN:$JAVA_HOME:$PATH:/opt/oracle_client/instantclient_21_1

2.2. SQLcl(可选)

官方文档 - Oracle-base 文档 - SQLcl这个可爱的小工具，来了解一下呀~ 微信

unzip sqlcl-20.4.2.35.2359.zip
mv sqlcl /opt/sqlcl
<!--设置环境变量-->
vim  /etc/profile
...
export PATH=$JAVA_BIN:$JAVA_HOME:$PATH:/opt/oracle_client/instantclient_21_1:/opt/sqlcl/bin

<!--test-->
sql sys/我是密码@x.x.x.x:x/testpdb as SYSDBA
<!--或者-->
sql hr/我是密码@x.x.x.x:x/testpdb

2.3. Apex

官方下载 - 官方文档

CDB/PDB模式 PBD 本地安装apex

<!--创建pdb-->
CREATE PLUGGABLE DATABASE testdb ADMIN USER admin IDENTIFIED BY "w}RZJVCrzd" FILE_NAME_CONVERT=('pdbseed','testdb');

<!--打开pdb-->
ALTER PLUGGABLE DATABASE testdb OPEN;

<!--删除CDB中的apex-->
@apxremov.sql

<!--激活pdb-->
ALTER SESSION SET CONTAINER = testdb;

<!--PDB安装apex-->
@apexins.sql SYSAUX SYSAUX TEMP /i/

<!--验证apex安装结果-->
begin
    sys.dbms_utility.compile_schema( 'APEX_190200', false );
    sys.dbms_utility.compile_schema( 'FLOWS_FILES', false );
end;
select app_name, app_version, app_status from dba_applications where app_name = 'APEX';
select app_name, app_statement, errornum, errormsg from dba_app_errors where app_name = 'APEX';

用户	环境	密码	备注
APEX_PUBLIC_USER	testdb(165)	S9dFCaUaC	最低特权帐户用于通过ords和Oracle进行Application Express配置mod_plsql。

非CDB/PDB模式安装apex


<!--非PDB模式 安装apex -->
@apexins.sql SYSAUX SYSAUX TEMP /i/

<!--验证apex安装结果-->


<!--  设置 APEX_PUBLIC_USER -->
ALTER USER APEX_PUBLIC_USER IDENTIFIED BY S9dFCaUa ACCOUNT UNLOCK;

用户	环境	密码	备注
APEX_PUBLIC_USER	test162	S9dFCaUaC	最低特权帐户。

设置internal工作区admin用户,配置RESTful服务


<!-- PDB模式切换SESSION-->
ALTER SESSION SET CONTAINER = testdb;

<!--设置 INTERNAL 工作区的admin用户及密码-->
@apxchpwd.sql


<!-- PDB模式关闭SESSION-->
ALTER SESSION SET CONTAINER = testdb;
<!--配置RESTful服务-->
@apex_rest_config.sql

安装中文支持

<!--如果需要 PDB模式 切换库(PDB)--> 
ALTER SESSION SET CONTAINER = xxxxxxx;
############################  注意 是APEX_190200用户   ############################ 
<!--PDB模式 切换SCHEMA -->
ALTER SESSION SET CURRENT_SCHEMA = APEX_190200;
<!--安装中文支持-->
@/u01/apex/builder/zh-cn/load_zh-cn.sql

APEX打补丁

unzip p30392181_1920_Generic.zip
cat 30392181/README.txt

按照说明执行

...
sqlplus "sys/ as sysdba" 
<!--切SESSION -->
<!--以下任选其一-->
1. @catpatch.sql        -- 适用于Oracle数据库11.2及更早版本，适用于非CDB，以及APEX没有安装在根目录下的CDB
2. @catpatch_con.sql    -- for CDB where Application Express is installed in the root
3. @catpatch_appcon.sql -- for installations where Application Express is installed in an application container
...

验证补丁

1	select APEX_INSTANCE_ADMIN.GET_PARAMETER( 'APEX_19_2_0_PATCH_30392181' ) from dual;

备注留用

<!--删除Apex-->
@apxremov.sql
<!--执行后必须关闭SQL*Plus 重新打开-->
<!--关闭pdb-->
ALTER PLUGGABLE DATABASE testdb CLOSE;
<!--删除pdb-->
DROP PLUGGABLE DATABASE testdb INCLUDING DATAFILES;

Apex ACl 配置

ALTER SESSION SET CONTAINER = testDB;

declare
l_acl_name  varchar2(30) := 'HttpsServiceACLConfig.xml';
l_principal varchar2(20) := 'APEX_190200';
begin
    begin
        dbms_network_acl_admin.drop_acl(acl => l_acl_name);
    exception
        when others then
            null; -- ACL does not exist yet
    end;
    dbms_network_acl_admin.create_acl(
            acl => l_acl_name
        , description => 'ding ding https'
        , principal => l_principal
        , is_grant => true
        , privilege => 'connect'
        , start_date => systimestamp
        , end_date => null
        );
    dbms_network_acl_admin.add_privilege(
            acl => l_acl_name
        , principal => l_principal
        , is_grant => true
        , privilege => 'resolve'
        , start_date => systimestamp
        , end_date => null
        );
    -- 添加钉钉
    dbms_network_acl_admin.assign_acl(
            acl => l_acl_name
        , host => '*.dingtalk.com'
        , lower_port => 443
        , upper_port => 443
        );
    -- 添加
    dbms_network_acl_admin.assign_acl(
            acl => l_acl_name
        , host => '*.oracle.com'
        , lower_port => 443
        , upper_port => 443
        );
    --  删除
    -- DBMS_NETWORK_ACL_ADMIN.UNASSIGN_ACL(host =>'*.oracle.com');
    commit;
end;

Apex wallet 配置

cd $ORACLE_HOME
pwd
<!--创建wallet目录-->
mkdir wallets
<!--创建wallet-->
orapki wallet create -wallet /xx/xx/xx/xx/xxx/xxx/wallets/https_wallet  -pwd xxxxxxxx -auto_login 
<!--复制证书-->  #  可以参考 7. 服务器验证证书 第一个 ---BEGIN CERTIFICATE---END CERTIFICATE---
<!--授权-->
chown -R oracle:oinstall /u01/ssl
<!--添加证书-->
orapki wallet add -wallet /xx/xx/xx/xx/xxx/xxx/wallets/https_wallet -trusted_cert -cert "/u01/ssl/sts.cer" -pwd xxxxxxxx
<!--查看wallet-->
orapki wallet display -wallet /xx/xx/xx/xx/xxx/xxx/wallets/https_wallet
<!--清空wallet-->
orapki wallet remove -wallet /xx/xx/xx/xx/xxx/xxx/wallets/https_wallet  -trusted_cert_all  -pwd xxxxx

验证https

select 
apex_web_service.make_rest_request(p_url=>'https://xxxxx.xxxx.com/adfs/oauth2/token',
p_http_method => 'GET',
p_wallet_path => 'file:/xx/xx/xx/xx/xxx/xxx/wallets/https_wallet') 
from dual;

8.1. 正常请求post接口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
declare
    l_clob1              clob;
    l_response_json_clob clob;
    L_1                  clob := '';
begin
    apex_json.initialize_clob_output;
    apex_json.open_object;
    apex_json.write('AppId', '');
    apex_json.write('AppSecret', 'B');
    apex_json.open_array('Email');
    for i in 1..2
        loop
            apex_json.open_object;
            apex_json.write('from', '@.com');
            apex_json.write('to', '@.com');
            apex_json.write('subject', '下');
            apex_json.write('body', L_1);
            apex_json.close_object;
        end loop;
    apex_json.close_array;
    apex_json.close_object;
    l_clob1 := apex_json.get_clob_output;
    apex_json.free_output;
    apex_web_service.g_request_headers(1).name := 'Content-Type';
    apex_web_service.g_request_headers(1).VALUE := 'application/json';
    l_response_json_clob := apex_web_service.make_rest_request(
            p_url => 'http://xxxx/api/EmailSender/SendEmail',
            p_http_method => 'POST',
            p_body => l_clob1);

    apex_debug.warn(l_response_json_clob);
    end;

服务器验证证书

openssl s_client -connect www.dingtalk.com:443 -tls1 -showcerts
...
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.dingtalk.com
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.dingtalk.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIIGYDCCBUigAwIBAgIMCZwLPIt+KS8mrSqZMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
......
Dn6XwwJTuLDHvdZhE54cswjBpc0OizT63hRg6X+C5syJB8CKLSJxJGmPThWuNbpI
MVUwRA==
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
.....
SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.dingtalk.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3453 bytes and written 315 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 795C7128D1F65CD328662802B1DCD0DC2D753A185568EE1A9BC9ED8172078942
    Session-ID-ctx: 
    Master-Key: B5BE8CAF4C8CE29D0945324B39FEDC3E40B293DD7A5B8395248169B8AAC3587134E6D3B9D0ADFA75E3ADFB251233185D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 86 a7 5b 81 b5 e0 db 84-29 fd 41 bd cb 2c 65 fc   ..[.....).A..,e.

    Start Time: 1585991577
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

3.Ords

下载地址

官方文档

-1. 注意如果是多个环境需要验证下ords的版本 java -jar edex.war version

设置URL前缀

1 2	<!--xxxx.com/ords 将变成 xxxx.com/edex--> cp ords.war edex.war

0.1. 安装或升级 ordsjava -jar edex.war schema --database test162

添加数据库 test162 官方提示说明

<!--配置ords连接数据库 test162-->
java -jar edex.war  setup --database test162

[root@xxxxx ords]# java -jar edex.war  setup --database test162
Specify the database connection type to use.
Enter number for [1] Basic  [2] TNS  [3] Custom URL [1]:
Enter the name of the database server [localhost]:10.x.x.x
Enter the database listen port [1521]:xxxx
Enter 1 to specify the database service name, or 2 to specify the database SID [1]:
Enter the database service name:edextest164
Enter 1 if you want to verify/install Oracle REST Data Services schema or 2 to skip this step [1]:
Enter the database password for ORDS_PUBLIC_USER:
Confirm password:
Requires to login with administrator privileges to verify Oracle REST Data Services schema.

Enter the administrator username:sys
Enter the database password for SYS AS SYSDBA:
Confirm password:
Connecting to database user: SYS AS SYSDBA url: jdbc:oracle:thin:@//10.x.x.x:xxxx/edextest164

Retrieving information.
Enter the default tablespace for ORDS_METADATA [SYSAUX]:
Enter the temporary tablespace for ORDS_METADATA [TEMP]:
Enter the default tablespace for ORDS_PUBLIC_USER [SYSAUX]:
Enter the temporary tablespace for ORDS_PUBLIC_USER [TEMP]:
Enter 1 if you want to use PL/SQL Gateway or 2 to skip this step.
If using Oracle Application Express or migrating from mod_plsql then you must enter 1 [1]:
Enter the PL/SQL Gateway database user name [APEX_PUBLIC_USER]:
Enter the database password for APEX_PUBLIC_USER:
Confirm password:
Enter 1 to specify passwords for Application Express RESTful Services database users (APEX_LISTENER, APEX_REST_PUBLIC_USER) or 2 to skip this step [1]:
Enter the database password for APEX_LISTENER:
Confirm password:
Enter the database password for APEX_REST_PUBLIC_USER:
Confirm password:
Enter a number to select a feature to enable:
   [1] SQL Developer Web  (Enables all features)
   [2] REST Enabled SQL
   [3] Database API
   [4] REST Enabled SQL and Database API
   [5] None
Choose [1]:
2021-04-15T07:36:18.280Z INFO        reloaded pools: [|test162||, |test162|al|, |test162|pu|, |test162|rt|, |test163||, |test163|al|, |test163|pu|, |test163|rt|, |test164||, |test164|al|, |test164|rt|, |test164|pu|]
Installing Oracle REST Data Services version 20.4.3.r0501904
... Log file written to /root/ords_install_core_2021-04-15_153618_00432.log
... Verified database prerequisites
... Created Oracle REST Data Services proxy user
... Created Oracle REST Data Services schema
... Granted privileges to Oracle REST Data Services
... Created Oracle REST Data Services database objects
... Log file written to /root/ords_install_datamodel_2021-04-15_153629_00290.log
... Log file written to /root/ords_install_apex_2021-04-15_153630_00155.log
Completed installation for Oracle REST Data Services version 20.4.3.r0501904. Elapsed time: 00:00:12.659

配置指向如:xxx.com/edex/test162 将指向 test162这个数据库

1	java -jar edex.war map-url --type base-path /test162 test162

添加Ords相关配置(实测影响挺大的.) 官方文档

ls /opt/ords/conf/ords/
conf/         credentials   defaults.xml  standalone/ 

vim /opt/ords/conf/ords/defaults.xml
...
<entry key="debug.printDebugToScreen">false</entry>
<entry key="feature.sdw">true</entry>
<entry key="apex.jdbc.AbandonedConnectionTimeout">1900</entry>
<entry key="apex.jdbc.DriverType">thin</entry>
<entry key="apex.jdbc.InactivityTimeout">2000</entry>
<entry key="apex.jdbc.InitialLimit">16</entry>
<entry key="apex.jdbc.MaxConnectionReuseCount">50000</entry>
<entry key="jdbc.MaxLimit">300</entry>
<entry key="jdbc.MinLimit">130</entry>
<entry key="jdbc.cleanup.mode">recycle</entry>
<entry key="plsql.gateway.add">true</entry>
<entry key="restEnabledSql.active">true</entry>

<entry key="instance.api.enabled">true</entry>
...

3.Nginx

安装基础环境
1. GCC编辑器 yum install -y gcc
2. gcc-c++ 自定义Nginx Http模块yum install -y gcc-c++
3. PCRE 函数库支持正则表达式 yum install -y pcre pcre-devel
4. zlib HTTP包gzip压缩yum install -y zlib zlib-devel
5. OpenSSL 开发库Https支持 yum install -y openssl openssl-devel
下载 wget http://nginx.org/download/nginx-1.19.10.tar.gz)

解压tar -zxvf nginx-1.19.10.tar.gz

参数说明见官网文档
–with-debug
–with-http_ssl_module
–with-http_v2_module
–with-http_realip_module
–with-http_gzip_static_module
–with-http_stub_status_module
–with-http_sub_module

cd nginx-1.19.10
<!--编译三部曲-->
./configure --with-debug --with-http_ssl_module  --with-http_v2_module --with-http_realip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module

<!--查看编译后的插件-->
cat auto/options | grep YES --color

make

4.1. 升级

备份旧版本和配置文件(可选)

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_old
mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.old
拷贝新版本
cp ./objs/nginx /usr/local/nginx/sbin/nginx
验证配置文件
/usr/local/nginx/sbin/nginx -t
通知正在运行的Nginx
kill -s SIGUSR2 (nginx会将/usr/local/nginx/logs/pid文件重命名)
退出旧版本
kill -s SIGQUIT <旧版本Nginx master pid>
清理旧版本

4.2. 新安装 make install

nginx配置

user nginx;
worker_processes auto;
error_log logs/error.log error;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
pid logs/nginx.pid;
events {
  worker_connections 5000;
}
http {
  server_tokens off;# 隐藏版本号
  charset UTF-8;
  include mime.types;
  default_type application/octet-stream;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  log_format timing '$remote_addr - $remote_user [$time_local] $request'
  'upstream_response_time $upstream_response_time'
  'msec $msec request_time $request_time';
  log_format up_head '$remote_addr - $remote_user [$time_local] $request'
  'upstream_http_content_type $upstream_http_content_type';
  access_log logs/access.log main;

  sendfile on;
  #tcp_nopush     on;
  client_max_body_size 64M;
  #keepalive_timeout  0;
  keepalive_timeout 65;

  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  #gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types application/javascript text/plain application/-javascript image/jpeg image/gif image/png application/css text/css application/xml text/javascript
  gzip_vary off;
  gzip_disable "MSIE [1-6]\.";
  
  gzip_static  on;
  gzip_proxied expired no-cache no-store private auth;
  
  upstream backend {
    ip_hash;  # 文档 http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ip_hash
    server 10.x.x.x:8080;
    server 10.x.x.x:8080 down;
    server 10.x.x.x:8080;
  }
  server {
    listen 80;
#     兼容旧的连接
    location ^~ /ords/ {
        rewrite ^/ords(.*)$ /edex/test162$1    redirect;
    }
    location ^~ /edex/ {
      proxy_pass http://backend/edex/;
      proxy_set_header Host $host;
      proxy_set_header Origin "";
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Real-Port $remote_port;
      #proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Server $host;
      #proxy_redirect http://$host/ords/ https://$host/ords/;
      #proxy_redirect off;
      proxy_set_header X-Forwarded-Host $server_port;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /i/ {
      root html;
    }
    error_page 500 502 503 504 /50x.html;
    error_page 404 /404.html;
    location = /50x.html {
      root html;
    }
  }
}

拷贝apex静态文件 cp -fr /opt/tomcat/webapps/i /usr/local/nginx/html

SSL配置

server {
  listen 443 ssl http2;
  ssl_certificate /etc/nginx/certificate/crt_2021/wcom.crt;
  ssl_certificate_key /etc/nginx/certificate/crt_2021/wcom.key;
  ssl_session_cache	shared:SSL:1m;
  ssl_prefer_server_ciphers on;

后期处理

常见问题

使用Oauth2 认证时出现奇奇怪怪的重定向
如:redirect_uri=https://xx.xx.com:80/ords
解决办法 tomcat server.xml 配置添加scheme="https"

<Connector port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       proxyPort="443"
       scheme="https"
       redirectPort="8443" />

我的元宇宙