letsencrypt+nginx+tomcat
I. Installing NGINX
Reference: https://blog.csdn.net/luckyzsion/article/details/76473039
II. Installing the certbot tool
yum install -y epel-release
yum install -y certbot
III. Requesting a certificate for the first time
1. Configure nginx. The key addition is a location block for /.well-known/acme-challenge: when the certificate is issued, Let's Encrypt proves control of the domain by fetching http://<your domain>/.well-known/acme-challenge/<token> over port 80, so the domain must resolve to this host from the Internet and this server block must answer that request from the local webroot rather than proxying it upstream. The sample below uses the public IP as server_name; that only works because it is the sole (and therefore default) server on port 80 and so receives every Host header, so prefer the real domain. After editing nginx.conf, run nginx -s reload.
server {
    listen 80;
    # use the real domain here; see the note above about why an IP still works
    server_name 119.23.24.173;
    location / {
        proxy_pass http://servers2.mydomain.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Serve the ACME challenge tokens from the directory passed to certbot -w
    # instead of forwarding them to the upstream.
    location ~ /.well-known/acme-challenge {
        root /usr/local/nginx/html;
        allow all;   # only has an effect if deny rules exist elsewhere
    }
}
2. Obtain the certificate
# Usage: certbot certonly --webroot -w [web root directory] -d [site domain] -m [contact e-mail] --agree-tos
certbot certonly --webroot -w /usr/local/nginx/html -d www.xxx.com -m xx@qq.com --agree-tos
The -w path must be the directory the location block above serves the challenge from. On success the certificate is stored under:
/etc/letsencrypt/live/www.xxx.com/
fullchain.pem holds the certificate plus the intermediate chain and privkey.pem the private key. Both are symlinks that certbot repoints on every renewal, so reference the live/ paths from nginx instead of copying the files elsewhere.
Check the certificate validity period (Let's Encrypt certificates are valid for 90 days):
openssl x509 -noout -dates -in /etc/letsencrypt/live/www.xxx.com/fullchain.pem
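Before running certbot it is worth confirming that the challenge path really is served from the webroot and not by the proxied upstream, because a wrong -w path or a location block that never matches is the usual reason the HTTP-01 validation fails. The script below is an added example, not part of the original post: it drops a random token where certbot would, fetches it over plain HTTP the way the Let's Encrypt validator does, and compares. It assumes the /usr/local/nginx/html webroot from the config above and that curl is installed; the domain is the first argument.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge path (added example).
# Usage: sh acme_preflight.sh www.xxx.com [/usr/local/nginx/html]
CHALLENGE_DIR=".well-known/acme-challenge"

# fetch_url URL: prints the response body; fails on non-2xx or network error.
# Kept as its own function so it can be replaced in tests.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# acme_preflight DOMAIN WEBROOT
# Writes a random token file where certbot --webroot would, requests it over
# port 80 like the ACME validator, removes it again, and returns 0 only when
# the body that came back is exactly the token.
acme_preflight() {
    domain="$1"
    webroot="$2"
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token"
    got="$(fetch_url "http://$domain/$CHALLENGE_DIR/$token" 2>/dev/null || true)"
    rm -f "$webroot/$CHALLENGE_DIR/$token"
    if [ "$got" = "$token" ]; then
        echo "OK: http://$domain/$CHALLENGE_DIR/ is served from $webroot"
        return 0
    fi
    echo "FAIL: expected token '$token', got '${got:-<nothing>}'" >&2
    echo "      check the location block, the -w path, DNS for $domain and port 80" >&2
    return 1
}

# Run only when a domain is given, so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
    acme_preflight "$1" "${2:-/usr/local/nginx/html}"
fi
```

Run it from outside the host where possible, since that is where the validator comes from; a result of OK from localhost but FAIL from the Internet points at DNS or a firewall rather than at nginx.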
IV. Configuring nginx and Tomcat
The deployment uses nginx as a reverse proxy (or load balancer): clients connect to nginx over HTTPS and nginx talks to Tomcat over plain HTTP. The advantage is that only nginx needs the certificate; Tomcat needs none. The cost is that the nginx-to-Tomcat hop is unencrypted, so keep it on localhost or a trusted network and make sure port 8080 is not reachable from outside; otherwise a client can bypass TLS entirely and forge the X-Forwarded-* headers that nginx sets.
1. nginx certificate configuration; add the following.
upstream tomcat {
    server 127.0.0.1:8080;
}
server {
    listen 443 ssl;
    server_name www.xxx.com;
    # the live/ paths are symlinks that certbot updates on renewal
    ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
    # "ssl on;" (present in the original) is redundant with "listen 443 ssl";
    # it was deprecated in nginx 1.15.0 and removed in 1.25.1, where it is a
    # configuration error, so it is omitted here.
    ssl_session_timeout 5m;
    # AES, HIGH and ECDH admit static-RSA (non-forward-secret) and CBC suites;
    # on a current nginx/OpenSSL restrict this to ECDHE with AES-GCM/CHACHA20.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); use "TLSv1.2 TLSv1.3" once
    # nginx >= 1.13 and OpenSSL >= 1.1.1 are available.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # tells Tomcat the client connection was HTTPS (see the connector below)
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
        proxy_pass http://tomcat;
    }
}
Restarting nginx may then fail with an error about https/ssl; see Appendix 1.
2. The main Tomcat configuration is below. proxyPort is set to the port nginx listens on for HTTPS, and scheme="https" tells Tomcat that the client reached it over HTTPS, so redirects and absolute URLs are built as https://host:443/... rather than the internal http://host:8080/.... If the application also relies on request.isSecure(), add secure="true". When nginx runs on the same host, bind the connector to loopback with address="127.0.0.1" so nobody can reach Tomcat directly and bypass TLS.
<Connector connectionTimeout="20000"
           port="8080"
           executor="tomcatThreadPool"
           acceptCount="600"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           redirectPort="8443"
           scheme="https"
           proxyPort="443"/>
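To make the weak points of the nginx block above concrete, here is an added example (not code from the original post): a small lint that scans an nginx configuration for the settings a reviewer would flag today (ssl on, TLS 1.0/1.1, a cipher list that admits static-RSA and CBC suites, no HSTS header) and prints the corrected directive beside each finding. It carries a constructed copy of the page's TLS directives as the weak input and a hardened block as the corrected one; the hardened block assumes nginx 1.13 or later with OpenSSL 1.1.1 or later for TLSv1.3.

```shell
#!/bin/sh
# Lint an nginx server block for dated TLS settings (added example).
# Usage: sh tls_lint.sh /usr/local/nginx/conf/nginx.conf
# The exit status is the number of findings, so 0 means clean.

lint_nginx_tls() {
    conf="$1"
    n=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "[$conf] 'ssl on;' is deprecated (nginx 1.15.0) and removed (1.25.1); 'listen 443 ssl;' is enough"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)' "$conf"; then
        echo "[$conf] ssl_protocols enables SSLv3/TLS 1.0/1.1 (deprecated, RFC 8996); use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi
    # Split the ssl_ciphers value on ':' and look for OpenSSL group names that
    # pull in static-RSA (no forward secrecy) or CBC suites.
    ciphers="$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' "$conf")"
    if printf '%s\n' "$ciphers" | tr ':' '\n' | grep -Eqx '(ALL|DEFAULT|HIGH|MEDIUM|AES|AES128|AES256|ECDH|RSA|kRSA|SHA|SHA1)'; then
        echo "[$conf] ssl_ciphers admits non-forward-secret or CBC suites; use only ECDHE with AES-GCM/CHACHA20, e.g."
        echo "        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;"
        n=$((n + 1))
    fi
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "[$conf] no HSTS header; add 'add_header Strict-Transport-Security \"max-age=63072000\" always;' to the 443 server block"
        n=$((n + 1))
    fi
    return $n
}

# Constructed copy of the TLS directives from the page's 443 server block (weak input).
weak_tls_block() {
cat <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# The same block with every finding fixed (assumes nginx >= 1.13, OpenSSL >= 1.1.1).
hardened_tls_block() {
cat <<'EOF'
server {
    listen 443 ssl;
    server_name www.xxx.com;
    ssl_certificate     /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

if [ -n "${1:-}" ]; then
    lint_nginx_tls "$1"
fi
```

Run it against nginx.conf after every change; because the exit status is the finding count it drops straight into a CI step or a pre-reload check. The patterns are deliberately simple string checks, so a cipher list that is weak for a reason not in the token list (for example a bare EXPORT group) is not caught; the authoritative test is still probing the live endpoint with openssl s_client or a scanner.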
V. Renewing the certificate on a schedule
Run crontab -e and add:
0 00 01 * * certbot renew --quiet --pre-hook "/usr/local/nginx/sbin/nginx -s stop" --post-hook "/usr/local/nginx/sbin/nginx"
This runs at 00:00 on the 1st of every month; --quiet suppresses output. Two caveats. Let's Encrypt certificates last 90 days and certbot renew only renews those with fewer than 30 days left, so a once-a-month check can miss the renewal window; certbot's own recommendation is to run renew daily or twice daily, which is harmless because it does nothing when no renewal is due. And with the --webroot method nginx keeps serving the challenge itself, so stopping it in a pre-hook only causes downtime; a --deploy-hook that reloads nginx after a successful renewal is enough.
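An added example, not from the original post, of the schedule and hook just described: a cron wrapper that reports how close the live certificate is to expiry, runs certbot renew, and reloads nginx (rather than stopping and starting it) only after certbot has actually replaced the files and the configuration passes nginx -t. It assumes the paths from this post (/etc/letsencrypt/live/www.xxx.com and /usr/local/nginx/sbin/nginx) and a certbot release that supports --deploy-hook.

```shell
#!/bin/sh
# Certificate renewal wrapper for cron (added example).
# Usage: sh renew_cert.sh renew    # renew if due, reload nginx after a new cert
#        sh renew_cert.sh check    # only report the remaining validity
CERT="${CERT:-/etc/letsencrypt/live/www.xxx.com/fullchain.pem}"
NGINX="${NGINX:-/usr/local/nginx/sbin/nginx}"
WARN_DAYS=30   # certbot renews below this; warn if we are still there after renewing

# expires_within CERT_PEM DAYS: 0 if the certificate expires within DAYS
# (or cannot be read at all), 1 if it has more time left.
# "openssl x509 -checkend N" exits 0 only while the cert is still valid at now+N.
expires_within() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# not_after CERT_PEM: prints the notAfter date (what section III checks by hand)
not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

renew_and_reload() {
    # --deploy-hook runs only when a certificate was actually issued, unlike
    # --post-hook; testing the config first means a broken nginx.conf can never
    # take the running instance down.
    certbot renew --quiet \
        --deploy-hook "$NGINX -t && $NGINX -s reload" || return 1
    if expires_within "$CERT" "$WARN_DAYS"; then
        echo "WARNING: $CERT still expires on $(not_after "$CERT"); renewal did not happen" >&2
        return 2
    fi
    return 0
}

case "${1:-}" in
    check)
        echo "$CERT expires: $(not_after "$CERT")"
        if expires_within "$CERT" "$WARN_DAYS"; then
            echo "renewal is due (under $WARN_DAYS days left)"
        fi
        ;;
    renew)
        renew_and_reload
        ;;
    *)
        ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Schedule it daily, for example 0 3 * * * sh /usr/local/sbin/renew_cert.sh renew, and let cron mail the WARNING line: it fires only when the certificate is inside the renewal window and certbot still did not replace it, which is exactly the case that ends in an expired site.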
Appendix 1: nginx reports an error when configuring HTTPS if the SSL module is not compiled in
Source: https://www.cnblogs.com/ghjbk/p/6744131.html
The cause is simple: nginx is missing the http_ssl_module, and passing --with-http_ssl_module at compile time fixes it. But in my case nginx was already installed, so how do I add a module? That is also simple; read on. A note: my nginx is installed in /usr/local/nginx and my source package is in /usr/local/src/nginx-1.6.2.
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
1.2 Enabling the SSL module in nginx
Change to the source directory:
cd /usr/local/src/nginx-1.11.3
Check which modules the existing nginx was built with:
/usr/local/nginx/sbin/nginx -V
The existing configure parameters are shown after "configure arguments:", for example:
--prefix=/usr/local/nginx --with-http_stub_status_module
So the new configure line should be:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
Run that command and wait for configuration to finish. Then run
make
Do not run make install here, or it will overwrite the existing installation.
Then back up the currently installed nginx binary:
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
Then copy the freshly built nginx over the existing one (nginx must be stopped at this point):
cp ./objs/nginx /usr/local/nginx/sbin/
Then start nginx; you can confirm the module was added with
/usr/local/nginx/sbin/nginx -V
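The procedure above has three places where a hand-typed step goes wrong: nginx -V writes to stderr (so grep on it silently finds nothing without 2>&1), the old configure arguments are easy to mistype, and the new binary is copied into place before anyone has checked that it accepts the live configuration. The script below is an added example, not part of the original post or of nginx: it pulls the arguments out of nginx -V, appends --with-http_ssl_module exactly once, refuses to build from a source tree whose version differs from the running binary, and runs the new objs/nginx with -t against the existing nginx.conf before swapping it in. It assumes the /usr/local/nginx layout used on this page.

```shell
#!/bin/sh
# Rebuild nginx with ngx_http_ssl_module, reusing the existing configure
# arguments (added example).
# Usage: sh add_ssl_module.sh /usr/local/src/nginx-1.11.3 [/usr/local/nginx/sbin/nginx]

# configure_args V_OUTPUT: the configure arguments from "nginx -V" output.
# nginx -V prints to stderr, so callers must capture it with 2>&1.
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# nginx_version V_OUTPUT: "1.11.3" from the "nginx version: nginx/1.11.3" line
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/##p'
}

# has_module ARGS FLAG: 0 if FLAG is already among the configure arguments
has_module() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# with_module ARGS FLAG: prints ARGS with FLAG appended once (idempotent)
with_module() {
    if has_module "$1" "$2"; then
        printf '%s\n' "$1"
    else
        printf '%s %s\n' "$1" "$2" | sed 's/^ //'
    fi
}

rebuild_with_ssl() {
    srcdir="$1"
    nginx_bin="${2:-/usr/local/nginx/sbin/nginx}"
    vout="$("$nginx_bin" -V 2>&1)"
    # The source tree must be the same release as the running binary, or
    # objs/nginx is not a drop-in replacement for it.
    ver="$(nginx_version "$vout")"
    case "$srcdir" in
        *"nginx-$ver"*) ;;
        *) echo "source dir $srcdir does not match running nginx $ver" >&2; return 1 ;;
    esac
    args="$(with_module "$(configure_args "$vout")" --with-http_ssl_module)"
    echo "configure: $args"
    # word splitting of $args is intended here
    (cd "$srcdir" && ./configure $args && make) || return 1
    # Check the new binary against the live config before touching the old one.
    "$srcdir/objs/nginx" -t -c "$(dirname "$nginx_bin")/../conf/nginx.conf" || return 1
    cp "$nginx_bin" "$nginx_bin.bak"
    "$nginx_bin" -s stop 2>/dev/null
    cp "$srcdir/objs/nginx" "$nginx_bin"
    "$nginx_bin"
}

if [ -n "${1:-}" ]; then
    rebuild_with_ssl "$1" "${2:-}"
fi
```

The -t step is the one worth keeping even if the rest is done by hand: it is what turns "the ssl parameter requires ngx_http_ssl_module" from an outage after the copy into a failed command before it.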
Appendix 2: converting a cer or pem certificate to jks, and configuring the certificate in Tomcat
Source: https://www.iyunw.cn/archives/cer-huo-zhe-pem-zhuan-huan-wei-jks-zheng-shu-tomcat-pei-zhi-zheng-shu/
1. Converting the default pem certificate to the jks Tomcat needs
① Convert the pem or cer file to a pfx (PKCS#12) file. You are prompted for a password; here everything is set to password. With the Let's Encrypt layout from section III, pass privkey.pem as -inkey and cert.pem as -in, and add -certfile chain.pem so the intermediate certificate is included and Tomcat serves the full chain.
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.pem
② Convert the pfx file to a jks file
keytool -importkeystore -srckeystore server.pfx -destkeystore server.jks -srcstoretype PKCS12 -deststoretype JKS
This step is optional: Tomcat can load the pfx directly with keystoreType="PKCS12" on the connector, and keytool on Java 9 and later warns that JKS is a legacy format.
2. Configure Tomcat's server.xml; keystorePass is the password set above (here, password). Keep server.xml and the keystore readable only by the Tomcat user, since between them they hold the private key and its password. Note that the cipher list below consists of CBC suites, and the TLS_RSA_* entries provide no forward secrecy; on a current Tomcat restrict it to ECDHE suites with AES-GCM and set sslEnabledProtocols="TLSv1.2" (or higher).
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/root/key/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />
3. Restart Tomcat
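An added example, not from the original post, that performs the conversion for a Let's Encrypt live directory and then inspects what landed in the keystore, so the two usual mistakes (a key that does not belong to the certificate, and a missing intermediate) are caught before Tomcat is restarted. It assumes the /etc/letsencrypt/live/www.xxx.com layout, openssl on the PATH, and that Tomcat will read the PKCS#12 file directly with keystoreType="PKCS12".

```shell
#!/bin/sh
# Build a PKCS#12 keystore for Tomcat from a Let's Encrypt live directory
# and verify its contents (added example).
# Usage: sh le_to_p12.sh /etc/letsencrypt/live/www.xxx.com /root/key/server.p12 password

# le_to_pkcs12 LIVE_DIR OUT PASSWORD
# Packs privkey.pem + cert.pem + chain.pem into OUT. cert.pem, not
# fullchain.pem, goes to -in so the leaf certificate is not bundled twice.
le_to_pkcs12() {
    live="$1"; out="$2"; pass="$3"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    # Refuse to build a keystore whose key does not belong to the certificate:
    # both commands print the same SubjectPublicKeyInfo PEM when they match.
    key_pub="$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null)"
    cert_pub="$(openssl x509 -in "$live/cert.pem" -noout -pubkey 2>/dev/null)"
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "privkey.pem does not match cert.pem" >&2
        return 1
    fi
    umask 077    # the output file holds the private key
    openssl pkcs12 -export -out "$out" -name tomcat \
        -inkey "$live/privkey.pem" -in "$live/cert.pem" -certfile "$live/chain.pem" \
        -passout "pass:$pass" || return 1
}

# pkcs12_subject OUT PASSWORD: subject of the leaf certificate in the keystore
pkcs12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject
}

# pkcs12_cert_count OUT PASSWORD: number of certificates stored (leaf + chain)
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

if [ "$#" -eq 3 ]; then
    le_to_pkcs12 "$1" "$2" "$3" || exit 1
    echo "built $2: $(pkcs12_subject "$2" "$3"), $(pkcs12_cert_count "$2" "$3") certificate(s)"
fi
```

A count of 1 means the chain was not included and browsers without the intermediate cached will fail validation. One interoperability note: OpenSSL 3 encrypts PKCS#12 files with AES-256-CBC and PBKDF2 by default, which older JDKs cannot read; if Tomcat reports a wrong keystore password on a file openssl opens fine, re-export with OpenSSL's -legacy option or move to a current JDK.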
Appendix 3: configuring the embedded Tomcat in Spring Boot 2.0
Source: https://blog.csdn.net/wd2014610/article/details/79587161
1. Older versions used the class TomcatEmbeddedServletContainerFactory.
2. In Spring Boot 2.0.0 the class TomcatEmbeddedServletContainerFactory no longer exists.
3. In the old Tomcat configuration the tomcatFactory bean was built like this:
@Bean
public TomcatEmbeddedServletContainerFactory tomcatFactory() {
    TomcatEmbeddedServletContainerFactory tomcatFactory = new TomcatEmbeddedServletContainerFactory();
    tomcatFactory.addConnectorCustomizers(new GwsTomcatConnectionCustomizer());
    return tomcatFactory;
}
4. So how is it built in Spring Boot 2.0.0?
Go to the Spring Boot official documentation and find the Tomcat configuration section.
5. The latest version has a brand-new class.
6. Example
7. So the new ServletWebServerFactory class can be used to build the Tomcat configuration:
@Bean
public ServletWebServerFactory servletContainer() {
    TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
    tomcat.addConnectorCustomizers(new GwsTomcatConnectionCustomizer());
    return tomcat;
}
8. Finally, the complete new Tomcat configuration:
package com.gws.configuration;

import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.MultipartConfigFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.MultipartConfigElement;

/**
 * Embedded Tomcat configuration (Spring Boot 2.0).
 */
@Configuration
public class TomcatConfig {
    @Value("${spring.server.port}")
    private String port;
    @Value("${spring.server.acceptorThreadCount}")
    private String acceptorThreadCount;
    @Value("${spring.server.minSpareThreads}")
    private String minSpareThreads;
    @Value("${spring.server.maxSpareThreads}")
    private String maxSpareThreads;
    @Value("${spring.server.maxThreads}")
    private String maxThreads;
    @Value("${spring.server.maxConnections}")
    private String maxConnections;
    @Value("${spring.server.protocol}")
    private String protocol;
    @Value("${spring.server.redirectPort}")
    private String redirectPort;
    @Value("${spring.server.compression}")
    private String compression;
    @Value("${spring.server.connectionTimeout}")
    private String connectionTimeout;
    @Value("${spring.server.MaxFileSize}")
    private String MaxFileSize;
    @Value("${spring.server.MaxRequestSize}")
    private String MaxRequestSize;
    // HTTPS port of the nginx in front (443 in section IV). The original
    // hard-coded 9092 here; a property with a default of 443 is used instead.
    @Value("${spring.server.proxyPort:443}")
    private String proxyPort;

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        // The protocol handler is fixed when the Connector is constructed, so it
        // has to be set on the factory; setting "protocol" as a connector
        // attribute afterwards (as the original did) has no effect.
        tomcat.setProtocol(protocol);
        tomcat.addConnectorCustomizers(new GwsTomcatConnectionCustomizer());
        return tomcat;
    }

    @Bean
    public MultipartConfigElement multipartConfigElement() {
        MultipartConfigFactory factory = new MultipartConfigFactory();
        // limit for a single uploaded file (KB, MB)
        factory.setMaxFileSize(MaxFileSize);
        // limit for the whole multipart request
        factory.setMaxRequestSize(MaxRequestSize);
        return factory.createMultipartConfig();
    }

    /**
     * Default HTTP connector. Tomcat sits behind nginx, which terminates TLS.
     *
     * @author liuyi 2016-07-20 19:59:41
     */
    public class GwsTomcatConnectionCustomizer implements TomcatConnectorCustomizer {
        public GwsTomcatConnectionCustomizer() {
        }

        @Override
        public void customize(Connector connector) {
            connector.setPort(Integer.valueOf(port));
            connector.setProperty("connectionTimeout", connectionTimeout);
            connector.setProperty("acceptorThreadCount", acceptorThreadCount);
            connector.setProperty("minSpareThreads", minSpareThreads);
            // maxSpareThreads is a Tomcat 6-era setting; NIO connectors ignore it.
            connector.setProperty("maxSpareThreads", maxSpareThreads);
            connector.setProperty("maxThreads", maxThreads);
            connector.setProperty("maxConnections", maxConnections);
            // The original passed the literal strings "redirectPort" and
            // "compression" instead of the configured values.
            connector.setProperty("redirectPort", redirectPort);
            connector.setProperty("compression", compression);
            // Same role as scheme="https" proxyPort="443" in server.xml: requests
            // arrive over plain HTTP from nginx but must be reported as HTTPS on
            // 443 so redirects and absolute URLs are built correctly. Add
            // connector.setSecure(true) if the application checks request.isSecure().
            connector.setScheme("https");
            connector.setProxyPort(Integer.valueOf(proxyPort));
        }
    }
}
9. Finally, configure application.properties:
# embedded Tomcat settings
spring.server.port=8095
# match the number of CPUs
spring.server.acceptorThreadCount=4
spring.server.minSpareThreads=50
spring.server.maxSpareThreads=50
spring.server.maxThreads=1000
spring.server.maxConnections=10000
# 10-second timeout
spring.server.connectionTimeout=10000
spring.server.protocol=org.apache.coyote.http11.Http11Nio2Protocol
spring.server.redirectPort=443
spring.server.compression=on
# HTTPS port of the nginx in front (443 in section IV)
spring.server.proxyPort=443
# upload size limits
spring.server.MaxFileSize=300MB
spring.server.MaxRequestSize=500MB