Opening port 443 for Tomcat on Linux

After installing Tomcat with yum on Linux and configuring HTTPS, the service will not start normally once the connector port is set to 443.

Symptom: with the port set to the default 8443, the service starts and listens on the port normally:

    root@centos7 ~ # vim /etc/tomcat/server.xml
    <Connector port="8443"
               protocol="HTTP/1.1"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               keystoreFile="/etc/tomcat/test.seekerhcl.cn.jks"
               keystorePass="123456"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
               sslProtocol="TLS" />
    root@centos7 ~ # rpm -q tomcat
    tomcat-7.0.76-3.el7_4.noarch
    root@centos7 ~ # systemctl start tomcat.service
    root@centos7 ~ # netstat -anpt | grep java
    tcp        0      0 0.0.0.0:8443      0.0.0.0:*    LISTEN   6168/java
    tcp        0      0 127.0.0.1:8005    0.0.0.0:*    LISTEN   6168/java
    tcp        0      0 0.0.0.0:8009      0.0.0.0:*    LISTEN   6168/java
    tcp        0      0 0.0.0.0:8080      0.0.0.0:*    LISTEN   6168/java
    root@centos7 ~ #

With the HTTPS port set to 443, the corresponding port is not listened on:

    root@centos7 ~ # vim /etc/tomcat/server.xml
    <Connector port="443"
               protocol="HTTP/1.1"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               keystoreFile="/etc/tomcat/test.seekerhcl.cn.jks"
               keystorePass="123456"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
               sslProtocol="TLS" />
    root@centos7 ~ # systemctl restart tomcat.service
    root@centos7 ~ # netstat -anpt | grep java
    tcp        0      0 127.0.0.1:8005    0.0.0.0:*    LISTEN   49091/java
    tcp        0      0 0.0.0.0:8009      0.0.0.0:*    LISTEN   49091/java
    tcp        0      0 0.0.0.0:8080      0.0.0.0:*    LISTEN   49091/java

Analysis:

Checking the log file turns up the following error, which shows that this is a permissions problem. Looking at the process with ps afterwards shows that the program runs as the user tomcat, and because a non-root user on Linux cannot open ports below 1024, the cause becomes clear:

    Caused by: java.net.BindException: Permission denied (Bind failed)  <null>:443

    root@centos7 ~ # cat /var/log/tomcat/catalina.2018-04-07.log
    Apr 07, 2018 12:29:48 AM org.apache.catalina.core.StandardService initInternal
    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
    Caused by: java.net.BindException: Permission denied (Bind failed) <null>:443
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        ... 13 more
    Caused by: java.net.BindException: Permission denied (Bind failed)
        at java.net.PlainSocketImpl.socketBind(Native Method)
        at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
        at java.net.ServerSocket.bind(ServerSocket.java:375)
        at java.net.ServerSocket.<init>(ServerSocket.java:237)
        at java.net.ServerSocket.<init>(ServerSocket.java:181)
        at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:136)
        at sun.security.ssl.SSLServerSocketImpl.<init>(SSLServerSocketImpl.java:113)
        at sun.security.ssl.SSLServerSocketFactoryImpl.createServerSocket(SSLServerSocketFactoryImpl.java:87)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:256)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
    root@centos7 ~ # ps aux | grep java
    tomcat    3921  0.3  3.1 3585548 120932 ?  Ssl  00:29  0:02 /usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
    root      5054  0.0  0.0  110376    896 pts/0  S+   00:40  0:00 grep --color=auto java

Solution: leave the Tomcat HTTPS connector listening on a port above 1024 and use iptables to redirect, so that we no longer have to append the port number to the domain name when accessing the site over HTTPS:

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
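To make the diagnosis and the fix reproducible, here is a small added shell script (not from the original post) that pulls the SSL connector port out of server.xml, finds the bind failure in the catalina log, decides whether the tomcat user can bind that port, and prints the NAT rules. The server.xml fragment, the log lines and the paths under a temporary directory are constructed for the example; it also adds a nat OUTPUT rule, which the single PREROUTING rule above does not cover for connections made from the host itself.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the diagnosis above
# on a server.xml and a catalina log, then print the NAT rules. Sample files are
# constructed below under a temporary directory.
# Port of the SSL-enabled <Connector> in server.xml $1 (assumes one such element).
ssl_connector_port() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>' |
        grep -o 'port="[0-9]*"' | head -n 1 | tr -dc '0-9'
}

# Port that catalina log $1 reports as failing to bind with "Permission denied".
failed_bind_port() {
    grep -o 'BindException: Permission denied (Bind failed) *<null>:[0-9]*' "$1" |
        head -n 1 | sed 's/.*://'
}

# True when a bind on port $1 by user $2 is refused: ports below 1024 need root
# (or CAP_NET_BIND_SERVICE), which the yum package's tomcat user does not have.
needs_privilege() {
    [ "$1" -lt 1024 ] && [ "$2" != root ]
}

# Rules that expose port $1 while Tomcat keeps listening on $2. PREROUTING only
# sees packets arriving from the network; connections made on the host itself
# (e.g. curl https://localhost/) pass through nat OUTPUT instead, so a second
# rule covers them. Port $2 itself remains directly reachable as well.
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s\n' "$1" "$2"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-port %s\n' "$1" "$2"
}

# Constructed stand-ins for /etc/tomcat/server.xml and the catalina log.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/server.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/etc/tomcat/example.jks" />
</Service>
EOF
cat > "$SAMPLE_DIR/catalina.log" <<'EOF'
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
Caused by: java.net.BindException: Permission denied (Bind failed) <null>:443
EOF
PORT=$(ssl_connector_port "$SAMPLE_DIR/server.xml")
if [ -n "$PORT" ] && needs_privilege "$PORT" tomcat; then
    echo "user tomcat cannot bind port $PORT (log confirms: $(failed_bind_port "$SAMPLE_DIR/catalina.log"))"
    redirect_rules "$PORT" 8443
fi
```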
