Notes on HTTPS configuration and disabling the server OPTIONS method
Some server upgrades require configuring HTTPS, disabling the OPTIONS method and deleting Tomcat's default projects. The steps are described below.
HTTPS configuration

Certificate generation

Generating a certificate with OpenSSL

Generate an RSA private key:
  openssl genrsa -out rsa_private.key 2048
Files now present:
  rsa_private.key

Create a certificate signing request (signed with the rsa_private.key generated above):
  openssl req -new -key rsa_private.key -out cert.csr
Files now present:
  cert.csr
  rsa_private.key

Self-sign the certificate (valid for 3650 days):
  openssl x509 -req -in cert.csr -out public.crt -signkey rsa_private.key -days 3650
Files now present:
  cert.csr
  public.crt
  rsa_private.key

Export the certificate and key as a PKCS#12 file (you will be prompted for an export password):
  openssl pkcs12 -export -in public.crt -inkey rsa_private.key -out server.p12
Files now present:
  cert.csr
  public.crt
  rsa_private.key
  server.p12

Convert the PKCS#12 file into a JKS keystore for Tomcat:
  keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
Files now present:
  cert.csr
  keystore.jks
  public.crt
  rsa_private.key
  server.p12
Tomcat configuration

1. HTTP connector
  <Connector port="8081" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443"
  />

2. HTTPS (SSL/TLS) connector. keystoreFile points to the keystore.jks produced above and keystorePass is the password set when it was created; adjust these and the other parameters to your needs.
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="證書.jks"
             keystorePass="keystorePass"
  />
Nginx configuration (optional)

  #gzip on;
  # nginx SSL configuration
  server {
      listen 443 ssl;
      server_name 域名;
      ssl_certificate 證書.crt;
      ssl_certificate_key 證書祕鑰.key;
      ssl_session_cache shared:SSL:10m;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
      # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 and TLSv1.3 where the nginx build supports them
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      location / {
          # 8443 is the HTTPS connector port configured in Tomcat above, so proxy to it over https
          proxy_pass https://ip:8443;
      }
  }
  # Listen on 域名:80 and forward to http://ip:8081 (plain HTTP stays reachable).
  # Use either this block or one of the redirect blocks below for a given server_name;
  # nginx only uses the first matching server block on a port and warns about the duplicate.
  server {
      listen 80;
      server_name 域名;
      location / {
          proxy_pass http://ip:8081;
      }
  }
  # Listen on ip:80 and redirect every request to https://$host (force HTTPS)
  server {
      listen 80;
      server_name ip;
      rewrite ^(.*)$ https://$host$1 permanent;
  }
  # Listen on 域名:80 and redirect every request to https://$host (force HTTPS)
  server {
      listen 80;
      server_name 域名;
      rewrite ^(.*)$ https://$host$1 permanent;
  }
Forcing HTTPS (optional)

Edit web.xml in Tomcat's conf folder. Adding the following constraint disables plain HTTP requests (Tomcat redirects them to the HTTPS connector given by redirectPort); removing it allows HTTP requests again.
  <security-constraint>
      <!-- Authorization setting for SSL -->
      <web-resource-collection>
          <web-resource-name>SSL</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>
Disabling the server OPTIONS method

Add the following constraint to the same web.xml. An empty <auth-constraint/> means no role may use the listed methods, so OPTIONS is rejected for every URL. To reject DELETE, HEAD, PUT and similar methods as well, add one <http-method> entry per method; if no <http-method> is listed at all, the constraint denies every method and the whole site becomes unreachable.
  <!-- Deny the OPTIONS method (add further <http-method> entries for DELETE, HEAD, PUT, etc.) -->
  <security-constraint>
      <web-resource-collection>
          <web-resource-name>Blocked methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>OPTIONS</http-method>
      </web-resource-collection>
      <auth-constraint></auth-constraint>
  </security-constraint>
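To check what the two web.xml constraints above actually enforce before restarting Tomcat, here is an added audit script (not part of the original notes or of Tomcat). It parses the <security-constraint> entries covering /*, reports whether CONFIDENTIAL transport is required and which methods an empty <auth-constraint/> denies, and flags the failure case where a deny constraint lists no <http-method> at all. The embedded web.xml is a constructed sample built from the two snippets above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <security-constraint> blocks above, wrapped in a minimal <web-app> root.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blocked methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Compare local names so the same code works with or without the javaee xmlns.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem):
    return (elem.text or "").strip()

def audit_security_constraints(web_xml):
    """Summarise what the constraints whose url-pattern is /* enforce."""
    summary = {"https_forced": False, "denied_methods": set(), "all_denied": False}
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        # An <auth-constraint> with no <role-name> denies every caller.
        auth = _kids(sc, "auth-constraint")
        denies = bool(auth) and not _kids(auth[0], "role-name")
        confidential = any(_text(g) == "CONFIDENTIAL"
                           for u in _kids(sc, "user-data-constraint")
                           for g in _kids(u, "transport-guarantee"))
        for wrc in _kids(sc, "web-resource-collection"):
            if "/*" not in [_text(p) for p in _kids(wrc, "url-pattern")]:
                continue
            methods = {_text(m).upper() for m in _kids(wrc, "http-method")}
            summary["https_forced"] |= confidential
            if denies and methods:
                summary["denied_methods"] |= methods
            elif denies:  # no <http-method> listed: every method is denied
                summary["all_denied"] = True
    return summary
```

Run audit_security_constraints() on the real conf/web.xml text; a result with all_denied set to True means the deny constraint would lock out the whole application.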
Deleting the default project files from webapps

Delete all four of the following files: