Reposted from: https://blog.csdn.net/rexueqingchun/article/details/82251563
1. Download the tar.gz JDK and set the environment variables (skip this step if a JDK is already configured)
Unpack the JDK archive into /opt:
tar zxvf /opt/jdk-8u144-linux-x64.tar.gz -C /opt/
Set the environment variables by editing /etc/profile with vi:
vi /etc/profile
Press i to enter insert mode and append at the end of the file:
export JAVA_HOME="/opt/jdk1.8.0_144"
export PATH="$JAVA_HOME/bin:$PATH"
jdk1.8.0_144 is the directory the archive unpacked into. Press Esc to return to command mode and type :x to save and quit. Reload the file (source /etc/profile) or open a new shell, then check:
java -version
If it prints the JDK version, the configuration works.
Note: Tomcat only needs to be downloaded and unpacked; it needs no environment variables.
2. Install OpenSSL (the package also provides the openssl command used in step 4)
yum install openssl
3. Add the nginx yum repository and install nginx (the CentOS base repositories do not carry nginx, so the official nginx.org repository has to be added first)
vi /etc/yum.repos.d/nginx.repo
Add the following:
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/7/x86_64/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
"7" is the CentOS major version and "x86_64" the architecture. The original repo file used plain http with gpgcheck=0; with signature checking off, anyone on the network path can hand yum a substitute nginx package, so keep gpgcheck=1 and the nginx signing key.
Install nginx:
yum install nginx
4. Generate the nginx certificates
Create the CA directory tree:
cd /etc/nginx
sudo mkdir ca
cd ca
sudo mkdir newcerts private conf server users
Create openssl.conf in the conf directory:
vi /etc/nginx/ca/conf/openssl.conf
Add the following:
[ ca ]
default_ca = myserver
[ myserver ]
dir = /etc/nginx/ca
database = /etc/nginx/ca/index.txt
new_certs_dir = /etc/nginx/ca/newcerts
certificate = /etc/nginx/ca/private/ca.crt
serial = /etc/nginx/ca/serial
private_key = /etc/nginx/ca/private/ca.key
RANDFILE = /etc/nginx/ca/private/.rand
default_days = 3650
default_crl_days = 3650
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
emailAddress = optional
The three "match" fields in policy_any mean that every CSR signed with this config must carry exactly the same Country, State and Organization as the CA certificate, otherwise openssl ca refuses to sign it; answer those three prompts identically for ca.csr, server.csr and client.csr below. The private directory will hold the CA key, so restrict it (chmod 700 /etc/nginx/ca/private): anyone who can read ca.key can mint client certificates that nginx will accept.
Create the root certificate in the private directory.
Generate the CA private key:
sudo openssl genrsa -out /etc/nginx/ca/private/ca.key 2048
Generate the root certificate request (CSR):
sudo openssl req -new -key /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.csr
Self-sign it to produce the root certificate:
sudo openssl x509 -req -days 3650 -in /etc/nginx/ca/private/ca.csr -signkey /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.crt
This yields a bare self-signed certificate with no basicConstraints or key-usage extensions. OpenSSL, and therefore nginx, treats a self-signed trust anchor as a CA regardless, but if you want an explicit CA:TRUE, issue the root in one step with openssl req -x509 and an extensions section instead of the CSR plus x509 -req pair.
Set the starting serial number (hexadecimal). sudo applies to echo, not to the shell redirection, so the original "sudo echo FACE > /etc/nginx/ca/serial" fails with permission denied unless you are already root; use tee instead:
echo FACE | sudo tee /etc/nginx/ca/serial
Create the (empty) CA database:
sudo touch /etc/nginx/ca/index.txt
Create a certificate revocation list, which is how a client ("user") certificate is withdrawn later:
sudo openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 7 -config "/etc/nginx/ca/conf/openssl.conf"
Two caveats. nginx ignores this file unless the server block names it with ssl_crl. And with -crldays 7 the CRL expires after a week, after which nginx rejects every client certificate with a "CRL has expired" verify error, so if you do enable ssl_crl, regenerate the CRL on a schedule shorter than its lifetime. To revoke a client later, run openssl ca -revoke on its certificate with the same -config, then -gencrl again.
Create the server certificate in the server directory.
Generate the server private key:
sudo openssl genrsa -out /etc/nginx/ca/server/server.key 2048
Generate the certificate request:
sudo openssl req -new -key /etc/nginx/ca/server/server.key -out /etc/nginx/ca/server/server.csr
Have the CA sign it:
sudo openssl ca -in /etc/nginx/ca/server/server.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"
Enter the server's address (192.168.1.220 here, or its DNS name) as the Common Name. The certificate has no subjectAltName, and Chrome and Firefox match only the SAN and ignore the CN, so expect a name-mismatch warning unless you sign with an extensions section that adds subjectAltName = IP:192.168.1.220.
Create the client certificate in the users directory.
Generate the client private key (-des3 protects it with a passphrase, which you will be asked for at every later use, including the .p12 export in step 9):
sudo openssl genrsa -des3 -out /etc/nginx/ca/users/client.key 2048
Generate the certificate request:
sudo openssl req -new -key /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.csr
Have the CA sign it:
sudo openssl ca -in /etc/nginx/ca/users/client.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"
Repeat these three commands with a separate key, CSR and Common Name for each additional user, so that every person holds their own key and can be revoked individually.
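The whole of step 4 as one script, written here as an added example (it is not from the original post). It builds the same directory layout and openssl.conf, with three changes a practitioner would want: the root carries CA:TRUE, the server certificate carries a subjectAltName, and a crlnumber file lets the CRL be regenerated. It then verifies both certificates against the CA, revokes the client, republishes the CRL and shows the client failing CRL checking, and finally produces the .p12 from step 9. Assumptions: CA_DIR defaults to a temporary directory rather than /etc/nginx/ca so the script runs unprivileged (set CA_DIR=/etc/nginx/ca and run it as root to populate the real tree); the C/ST/O values, the CA name, the client name "alice" and the .p12 password "changeit" are placeholders; the client key is left without a passphrase so the script needs no prompts.

```shell
#!/bin/sh
# Added example (not from the original post): the step-4 CA layout, with CA:TRUE on
# the root, a subjectAltName on the server cert and a crlnumber file, then verify,
# revoke and re-verify. Assumptions: CA_DIR defaults to a temp dir (not /etc/nginx/ca)
# so it runs unprivileged; C/ST/O, the CA/client names and the .p12 password are placeholders.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CONF="$CA_DIR/conf/openssl.conf"
C=CN; ST=Beijing; O="Example Corp"   # policy_any says C/ST/O must match the CA's

write_config() {
    cat > "$CONF" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = myserver
[ myserver ]
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
certificate = $CA_DIR/private/ca.crt
serial = $CA_DIR/serial
crlnumber = $CA_DIR/crlnumber
private_key = $CA_DIR/private/ca.key
default_days = 3650
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.1.220
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# issue <base path> <CN> <extension section>: writes base.key, base.csr and base.crt
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/C=$C/ST=$ST/O=$O/CN=$2" -config "$CONF" -out "$1.csr"
    openssl ca -batch -notext -config "$CONF" -extensions "$3" -in "$1.csr" -out "$1.crt" 2>/dev/null
}

build_pki() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/conf" "$CA_DIR/server" "$CA_DIR/users"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"          # CA database
    echo FACE > "$CA_DIR/serial"     # first serial (hex), as in the post
    echo 01 > "$CA_DIR/crlnumber"    # each regenerated CRL gets the next number
    write_config
    # Root self-signed in one step so ca_ext is embedded (csr + "x509 -req -signkey"
    # as in the post yields a bare v1 certificate with no extensions).
    openssl genrsa -out "$CA_DIR/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$CA_DIR/private/ca.key" \
        -subj "/C=$C/ST=$ST/O=$O/CN=Example Private Root CA" \
        -config "$CONF" -extensions ca_ext -out "$CA_DIR/private/ca.crt"
    issue "$CA_DIR/server/server" 192.168.1.220 server_ext
    issue "$CA_DIR/users/client" alice client_ext
    # Initial, empty CRL. nginx only consults it via ssl_crl, and once it expires
    # nginx rejects every client, so regenerate it well inside default_crl_days.
    openssl ca -gencrl -config "$CONF" -out "$CA_DIR/private/ca.crl" 2>/dev/null
    # Browser-importable bundle (step 9); -certfile adds the CA so the chain imports too
    # (older Windows may need OpenSSL 3's -legacy flag).
    openssl pkcs12 -export -in "$CA_DIR/users/client.crt" -inkey "$CA_DIR/users/client.key" \
        -certfile "$CA_DIR/private/ca.crt" -passout pass:changeit -out "$CA_DIR/users/client.p12"
}

# Exit 0 when $1 chains to the CA and is not listed in the current CRL.
verify_cert() {
    openssl verify -crl_check -CAfile "$CA_DIR/private/ca.crt" -CRLfile "$CA_DIR/private/ca.crl" "$1" >/dev/null 2>&1
}

# Revoke $1 and publish a fresh CRL; copy it over ca.crl on the nginx host afterwards.
revoke_cert() {
    openssl ca -config "$CONF" -revoke "$1" 2>/dev/null
    openssl ca -gencrl -config "$CONF" -out "$CA_DIR/private/ca.crl" 2>/dev/null
}

build_pki
verify_cert "$CA_DIR/server/server.crt" && echo "server.crt: valid"
verify_cert "$CA_DIR/users/client.crt"  && echo "client.crt: valid"
revoke_cert "$CA_DIR/users/client.crt"
verify_cert "$CA_DIR/users/client.crt"  || echo "client.crt: rejected by CRL after revocation"
echo "PKI written to $CA_DIR"
```

Once the tree is in place under /etc/nginx/ca and nginx (step 5) is running, the same check end to end is curl --cacert /etc/nginx/ca/private/ca.crt --cert /etc/nginx/ca/users/client.crt --key /etc/nginx/ca/users/client.key https://192.168.1.220/ ; the same request without --cert and --key must come back as a 400 from nginx, which is the quickest proof that ssl_verify_client is enforced. Note that nginx only honours the revocation if ssl_crl points at ca.crl and the CRL is replaced before its 30-day lifetime ends.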
5. Edit the Nginx configuration file nginx.conf
The original file is reproduced below with four corrections: worker processes run as the unprivileged nginx user rather than root (a compromised worker would otherwise own the host); the deprecated "ssl on;" becomes "listen 443 ssl;"; TLS 1.0/1.1 and the original Apache-era cipher string (which admitted RC4, LOW and export suites) are replaced by TLS 1.2+ with AEAD suites; and the log and error-page paths are absolute, so nothing depends on a logs/ or html/ directory under /etc/nginx.
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
#pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 120;
    #gzip on;
    client_max_body_size 120m;
    client_body_buffer_size 128k;
    server_names_hash_bucket_size 128;
    large_client_header_buffers 4 4k;
    open_file_cache max=8192 inactive=20s;
    open_file_cache_min_uses 1;
    open_file_cache_valid 30s;

    upstream tomcat_server {
        server 192.168.1.220:8080 fail_timeout=0;
    }

    server {
        listen 443 ssl;
        server_name 192.168.1.220;
        ssi on;
        ssi_silent_errors on;
        ssi_types text/shtml;

        ssl_certificate /etc/nginx/ca/server/server.crt;
        ssl_certificate_key /etc/nginx/ca/server/server.key;
        # Only certificates issued by this CA are accepted as client certificates.
        ssl_client_certificate /etc/nginx/ca/private/ca.crt;
        ssl_verify_client on;
        # Uncomment to honour revocations; the CRL must then be regenerated before
        # it expires, because an expired CRL makes nginx reject every client.
        #ssl_crl /etc/nginx/ca/private/ca.crl;
        ssl_session_timeout 5m;
        # TLSv1.3 is used when nginx is linked against OpenSSL 1.1.1 or later and ignored otherwise.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        charset utf-8;
        access_log /var/log/nginx/host.access.log main;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires 90d;
        }
        location / {
            proxy_pass http://tomcat_server;
            include proxy.conf;
        }
    }
    #include /etc/nginx/conf.d/*.conf;
}
Notes: the server entry in upstream tomcat_server is the address and port nginx forwards to (the Tomcat connector from step 7); server_name is the address of the nginx host itself. Because this server block performs the TLS client authentication, it listens on the HTTPS default port 443. The conf.d include stays commented out because the package's default.conf would otherwise open a plain-HTTP listener on port 80 serving the default page. If you keep a relative log path such as logs/host.access.log, as the original did, create the logs directory under /etc/nginx first, or nginx refuses to start because it cannot open the log file.
6. Nginx proxy include file
Edit nginx's proxy.conf (the "include proxy.conf;" above resolves relative to /etc/nginx):
vi /etc/nginx/proxy.conf
Add the following:
proxy_redirect off;
proxy_connect_timeout 60;
proxy_read_timeout 600;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
proxy_set_header X-SSL-DN $ssl_client_s_dn;
Two points to keep in mind. The original used $ssl_client_cert, which inserts the multi-line PEM into the header and is deprecated for exactly that reason; $ssl_client_escaped_cert (nginx 1.13.5 and later) is the URL-encoded single-line form, so decode it on the Tomcat side. More importantly, these headers are only trustworthy if nothing but nginx can reach Tomcat: anyone who can open 192.168.1.220:8080 directly can send an X-SSL-DN header of their choosing and impersonate any user, so bind Tomcat to loopback or firewall port 8080 so that only nginx can connect.
7. Edit the Tomcat configuration file server.xml
<!-- proxyName: the address clients use for the mutually authenticated server; if it is mapped to a public address, use that address -->
<!-- proxyPort: the port clients connect to, the same as the listen port in the nginx server block, or the mapped external port -->
<!-- scheme: the protocol clients see, https here, so redirects and generated URLs reflect the TLS front end -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           scheme="https"
           proxyName="192.168.1.220"
           proxyPort="443" />
Add secure="true" if the application relies on request.isSecure(). When nginx and Tomcat share the host, also add address="127.0.0.1" to this Connector and point the upstream in step 5 at 127.0.0.1:8080, so the only route into Tomcat passes through the client-certificate check.
That completes the configuration; now test it:
8. Start Tomcat and nginx
Start Tomcat:
/opt/apache-tomcat-8.5.20/bin/startup.sh
Follow the startup log:
tail -f /opt/apache-tomcat-8.5.20/logs/catalina.out
Start nginx (nginx -t first reports any syntax error in the file; with the packaged install, systemctl start nginx does the same job):
nginx -c /etc/nginx/nginx.conf
9. Test an HTTPS request
Convert the client certificate (.crt) into the PKCS#12 (.p12) format that Windows can import:
sudo openssl pkcs12 -export -clcerts -in /etc/nginx/ca/users/client.crt -inkey /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.p12
You will be asked for the client.key passphrase (set with -des3 in step 4) and for an export password, which the Windows import dialog asks for again. Copy the .p12 to the Windows machine and install it into the Personal store; also import ca.crt into Trusted Root Certification Authorities so the browser trusts the server certificate. Restart the browser and open https://192.168.1.220:443, choosing the newly installed certificate when prompted. If the Tomcat or application home page appears, the setup works. Without a client certificate nginx answers 400 Bad Request ("No required SSL certificate was sent"), which confirms that ssl_verify_client is being enforced.