Notes on configuring HTTPS and disabling the server's OPTIONS method
Some server upgrades require configuring HTTPS, disabling the OPTIONS method and removing Tomcat's default projects. The steps below describe these operations.
HTTPS configuration
Certificate generation
Generating a certificate with OpenSSL
Generate an RSA private key
openssl genrsa -out rsa_private.key 2048
Files in the working directory after this step:
rsa_private.key
Create a certificate signing request (the key passed with -key is the rsa_private.key generated above)
openssl req -new -key rsa_private.key -out cert.csr
Files in the working directory after this step:
rsa_private.key
cert.csr
Self-sign the certificate:
openssl x509 -req -in cert.csr -out public.crt -signkey rsa_private.key -days 3650
Files in the working directory after this step:
cert.csr
public.crt
rsa_private.key
Export as a PKCS#12 (.p12) keystore (the subcommand must be run through openssl)
openssl pkcs12 -export -in public.crt -inkey rsa_private.key -out server.p12
Files in the working directory after this step:
cert.csr
public.crt
rsa_private.key
server.p12
Convert to a JKS keystore
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
Files in the working directory after this step:
cert.csr
keystore.jks
public.crt
rsa_private.key
server.p12
Tomcat configuration
1. HTTP connector (redirectPort must match the port of the HTTPS connector below, so that the CONFIDENTIAL constraint described later can redirect plain-HTTP requests)
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
/>
2. HTTPS (SSL/TLS) connector; the keystore file, its password and the other parameters are adjusted to your needs (keystore.jks is the file produced by the keytool step above)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="keystore.jks"
           keystorePass="keystorePass"
/>
Nginx configuration (optional)
#gzip on;
# nginx TLS configuration (domain, ip, cert.crt and cert.key are placeholders)
server {
    listen 443 ssl;
    server_name domain;
    ssl_certificate cert.crt;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3 where the nginx build supports it) unless legacy clients require the older versions
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        # forward to Tomcat's HTTPS connector (8443 in the connector configured above); the upstream scheme must be https, since a plain-http proxy_pass to a TLS port cannot complete the handshake
        proxy_pass https://ip:8443;
    }
}
# Listen on domain:80 and forward to http://ip:8081 (plain HTTP stays reachable; for one server_name use either this block or the redirect block further down, not both, as nginx only honours the first on a duplicate)
server {
    listen 80;
    server_name domain;
    location / {
        proxy_pass http://ip:8081;
    }
}
# Listen on ip:80 and redirect every request to https://$host (forces HTTPS)
server {
    listen 80;
    server_name ip;
    rewrite ^(.*)$ https://$host$1 permanent;
}
# Listen on domain:80 and redirect every request to https://$host (forces HTTPS)
server {
    listen 80;
    server_name domain;
    rewrite ^(.*)$ https://$host$1 permanent;
}
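As an added example, not part of the original notes, the following Python lint walks nginx server blocks and flags the points a reviewer checks in the configuration above: deprecated ssl_protocols values, a TLS listener without certificate directives, ssl_prefer_server_ciphers left off, and a proxy_pass that speaks plain http to a TLS port. The configuration embedded in it is constructed for the example (example.invalid, 127.0.0.1 and the file names are placeholders), and the hardened copy shows the two corrected settings.

```python
import re

# Constructed sample modelled on the nginx snippet above; example.invalid,
# 127.0.0.1 and the file names are placeholders.
SAMPLE_NGINX = """
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate cert.crt;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:8443;
    }
}
server {
    listen 80;
    server_name example.invalid;
    rewrite ^(.*)$ https://$host$1 permanent;
}
"""

# The same configuration with the two weak points corrected.
HARDENED_NGINX = (SAMPLE_NGINX
                  .replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
                  .replace("http://127.0.0.1:8443", "https://127.0.0.1:8443"))

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def split_server_blocks(text):
    """Return the body of each top-level 'server { ... }' block, tracking brace
    depth so nested location blocks stay inside their server."""
    blocks, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*{", text[pos:])
        if not m:
            return blocks
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(text[start:i - 1])
        pos = i


def directive(block, name):
    """Argument string of the first 'name ...;' directive in block, or None."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]+);", block)
    return m.group(1).strip() if m else None


def lint_server_block(block):
    """Findings for one server block; an empty list means nothing was flagged."""
    findings = []
    listen = directive(block, "listen") or ""
    if "ssl" in listen.split():
        if not (directive(block, "ssl_certificate") and directive(block, "ssl_certificate_key")):
            findings.append("TLS listener without ssl_certificate/ssl_certificate_key")
        enabled = set((directive(block, "ssl_protocols") or "").split())
        weak = sorted(enabled & DEPRECATED_PROTOCOLS)
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
        if directive(block, "ssl_prefer_server_ciphers") != "on":
            findings.append("ssl_prefer_server_ciphers is not on")
    for target in re.findall(r"proxy_pass\s+([^;]+);", block):
        # A plain-http proxy_pass to the TLS connector port cannot complete the handshake.
        if target.startswith("http://") and re.search(r":(443|8443)\b", target):
            findings.append("proxy_pass " + target + " speaks plain HTTP to a TLS port")
    return findings


def lint(text):
    """Findings per server block, in file order."""
    return [lint_server_block(b) for b in split_server_blocks(text)]


if __name__ == "__main__":
    for n, found in enumerate(lint(SAMPLE_NGINX)):
        print("server block", n, ":", found or "ok")
```

Run it against a real nginx.conf by reading the file into lint(); the brace-depth scan is deliberately simple and does not handle braces inside quoted strings, which is enough for configurations shaped like the one above.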
Forcing HTTPS (optional)
Add the following to web.xml in Tomcat's conf folder to turn off plain-HTTP requests (Tomcat redirects them to the HTTP connector's redirectPort); remove it to allow plain HTTP again.
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Disabling the server's OPTIONS method
<!-- Deny OPTIONS to every caller; add further <http-method> entries (DELETE, PUT, HEAD, ...) to deny those methods too. Never leave the collection without any <http-method>: the empty <auth-constraint> would then deny every request to the application. -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>
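As an added example, not code from the original notes, the Python check below reads a web.xml and confirms that the two constraints from the previous two sections are present and well-formed: that CONFIDENTIAL transport covers /* for every method (forcing HTTPS) and that OPTIONS, plus any other methods added to that constraint, are denied to all callers. It also flags the pitfall of a deny-all constraint that lists no http-method, which would make the whole application unreachable. The embedded web.xml is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml carrying both security-constraint entries from the notes above.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is name."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of every direct child named name."""
    return {c.text.strip() for c in _children(elem, name) if c.text}


def parse_constraints(xml_text):
    """One dict per <security-constraint>: url patterns, listed methods,
    transport guarantee, and whether the auth-constraint denies everyone."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in _children(root, "security-constraint"):
        patterns, methods = set(), set()
        for wrc in _children(sc, "web-resource-collection"):
            patterns |= _texts(wrc, "url-pattern")
            methods |= {m.upper() for m in _texts(wrc, "http-method")}
        udc = _children(sc, "user-data-constraint")
        guarantee = next(iter(_texts(udc[0], "transport-guarantee")), None) if udc else None
        auth = _children(sc, "auth-constraint")
        # An <auth-constraint> with no <role-name> means "no role may access": deny all.
        denies_all = bool(auth) and not _children(auth[0], "role-name")
        constraints.append({"patterns": patterns, "methods": methods,
                            "guarantee": guarantee, "denies_all": denies_all})
    return constraints


def forces_https(xml_text):
    """True if a constraint requires CONFIDENTIAL transport for /* on every method."""
    return any(c["guarantee"] == "CONFIDENTIAL" and "/*" in c["patterns"] and not c["methods"]
               for c in parse_constraints(xml_text))


def blocked_methods(xml_text):
    """Methods denied to all callers on /* (OPTIONS in the notes; DELETE, PUT, ... if added)."""
    blocked = set()
    for c in parse_constraints(xml_text):
        if c["denies_all"] and "/*" in c["patterns"]:
            blocked |= c["methods"]
    return blocked


def locks_out_everything(xml_text):
    """True if a deny-all constraint lists no http-method: it then applies to
    every method and the whole application becomes unreachable."""
    return any(c["denies_all"] and not c["methods"] for c in parse_constraints(xml_text))


if __name__ == "__main__":
    print("forces HTTPS:", forces_https(SAMPLE_WEB_XML))
    print("blocked methods:", sorted(blocked_methods(SAMPLE_WEB_XML)))
    print("locks out everything:", locks_out_everything(SAMPLE_WEB_XML))
```

Point the functions at the real file with open("conf/web.xml").read() after editing it; blocked_methods() is the quick way to confirm that OPTIONS (and only the methods you intended) ended up in the deny list.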
Deleting the default projects under webapps
All four of the following are deleted: