linux下 yum 方式安裝 Tomcat 後配置https,定義端口爲 443 後無法正常啓動服務
問題現象: 定義端口爲默認的 8443 可以正常啓動服務和監聽端口:
root@centos7 ~
# vim /etc/tomcat/server.xml
-
<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="150"
-
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
keystoreFile="/etc/tomcat/test.seekerhcl.cn.jks"
keystorePass="123456"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
sslProtocol="TLS"
/>
root@centos7 ~
# rpm -q tomcat
tomcat-7.0.76-3.el7_4.noarch
root@centos7 ~
# systemctl start tomcat.service
root@centos7 ~
# netstat -anpt | grep java
tcp 0
0
0.0.0.0:8443
0.0.0.0:* LISTEN 6168/java
tcp 0
0
127.0.0.1:8005
0.0.0.0:* LISTEN 6168/java
tcp 0
0
0.0.0.0:8009
0.0.0.0:* LISTEN 6168/java
tcp 0
0
0.0.0.0:8080
0.0.0.0:* LISTEN 6168/java
root@centos7 ~
#
定義 https 端口443 不可以正常監聽對應端口:
root@centos7 ~
# vim /etc/tomcat/server.xml
-
<Connector port="443"
protocol="HTTP/1.1"
maxThreads="150"
-
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
keystoreFile="/etc/tomcat/test.seekerhcl.cn.jks"
keystorePass="123456"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
sslProtocol="TLS"
/>
root@centos7 ~
# systemctl restart tomcat.service
root@centos7 ~
# netstat -anpt | grep java
tcp 0
0
127.0.0.1:8005
0.0.0.0:* LISTEN 49091/java
tcp 0
0
0.0.0.0:8009
0.0.0.0:* LISTEN 49091/java
tcp 0
0
0.0.0.0:8080
0.0.0.0:* LISTEN 49091/java
問題分析:
查看日誌文件發現以下錯誤,原來是權限問題,緊接着我們通過 ps 查看進程信息會發現程序用戶是tomcat,因爲 linux 下非 root 用戶不能打開1024以下的端口,所以問題就比較清楚了
Caused by: java.net.BindException: Permission denied (Bind failed) <null>:443
root@centos7 ~
# cat /var/log/tomcat/catalina.2018-04-07.log
Apr
07,
2018
12:29:48 AM org.apache.catalina.core.StandardService initInternal
SEVERE:
Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException:
Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
Caused
by: org.apache.catalina.LifecycleException:
Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
-
...
12 more
Caused
by: java.net.BindException:
Permission denied (Bind failed)
<null>:443
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
-
...
13 more
Caused
by: java.net.BindException:
Permission denied (Bind failed)
at java.net.PlainSocketImpl.socketBind(Native
Method)
at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
at java.net.ServerSocket.bind(ServerSocket.java:375)
at java.net.ServerSocket.<init>(ServerSocket.java:237)
at java.net.ServerSocket.<init>(ServerSocket.java:181)
at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:136)
at sun.security.ssl.SSLServerSocketImpl.<init>(SSLServerSocketImpl.java:113)
at sun.security.ssl.SSLServerSocketFactoryImpl.createServerSocket(SSLServerSocketFactoryImpl.java:87)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:256)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
root@centos7 ~
# ps aux | grep java
tomcat 3921
0.3
3.1
3585548
120932
?
Ssl
00:29
0:02
/usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
root 5054
0.0
0.0
110376
896 pts/0 S+
00:40
0:00 grep --color=auto java
解決方案: tomcat https 端口依舊監聽在大於 1024 的端口上,使用 iptables 來做個轉換,這樣訪問 https 時我們就不用手動在域名後面寫端口號了 iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT –to-port 8443