letsencrypt+nginx+tomcat: free HTTPS setup


 

I. Installing NGINX

Reference: https://blog.csdn.net/luckyzsion/article/details/76473039

 

II. Installing the certbot tool

yum install -y epel-release

yum install -y certbot

 

III. Requesting the certificate for the first time

1. Configure nginx. The important addition is a location block for /.well-known/acme-challenge: when the certificate is requested, Let's Encrypt fetches a token from that path over plain HTTP to prove that you control the domain, so the request for http://www.xxx.com/.well-known/acme-challenge/... must land in this server block. server_name therefore has to be the domain you will pass to certbot -d (a bare IP address here only works if this block happens to be the default server for port 80). After editing nginx.conf, run nginx -s reload.

server {
    listen       80;
    server_name  www.xxx.com;   # the name certbot will validate

    location / {
        proxy_pass http://servers2.mydomain.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # ^~ is an anchored prefix match that also stops regex matching; a regex
    # location "~ /.well-known/acme-challenge" is unanchored and "." matches anything
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/nginx/html;
        allow all;
    }
}

 

2. Obtain the certificate. The directory given to -w must be the same one used as root in the acme-challenge location above, because certbot writes the challenge file there and nginx serves it from there.

# Usage: certbot certonly --webroot -w [web root directory] -d [site domain] -m [contact e-mail address] --agree-tos

certbot certonly --webroot -w /usr/local/nginx/html -d www.xxx.com -m xx@qq.com --agree-tos

 

Once issued, the certificate is stored under:

/etc/letsencrypt/live/www.xxx.com/

Check the validity period (openssl reads the first certificate in the file, i.e. the leaf; Let's Encrypt certificates are valid for 90 days):

openssl x509 -noout -dates -in /etc/letsencrypt/live/www.xxx.com/fullchain.pem

 

IV. Configuring nginx and Tomcat

     The deployment uses nginx as a reverse proxy or load balancer: clients reach nginx over HTTPS and nginx forwards to Tomcat over HTTP, so only nginx needs the certificate and Tomcat needs no TLS configuration at all. Because the hop from nginx to Tomcat is plaintext, keep Tomcat bound to 127.0.0.1 (as in the upstream below) or to a private network. And once HTTPS works, change the port-80 server block from section III so that it only serves /.well-known/acme-challenge and redirects everything else to https://; otherwise the site stays reachable in the clear.

1. nginx certificate configuration; add the following.

upstream tomcat {
    server 127.0.0.1:8080;
}

server {
    listen       443 ssl;
    server_name  www.xxx.com;

    ssl_certificate      /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.xxx.com/privkey.pem;

    # do not add "ssl on;": it is redundant with "listen 443 ssl", deprecated since nginx 1.15.0 and removed in 1.25
    ssl_session_timeout 5m;
    # forward-secret AEAD suites only; aliases such as ECDH:AES:HIGH also admit static-RSA and CBC suites
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 when nginx >= 1.13.0 is built against OpenSSL >= 1.1.1
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
        proxy_pass http://tomcat;
    }
}

If nginx fails to restart with an error about https/ssl, see Appendix 1.

2. The key Tomcat setting is the Connector below: proxyPort must be the port nginx listens on for HTTPS, and scheme="https" makes Tomcat build https:// redirects and absolute URLs even though it receives plain HTTP. Tomcat still sees 127.0.0.1 as the client address; if the application needs the real client IP from X-Forwarded-For, add a RemoteIpValve with internalProxies restricted to 127.0.0.1, so that only nginx, and not the client, can supply that header.

<Connector connectionTimeout="20000" port="8080"  executor="tomcatThreadPool"  acceptCount="600"  protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="8443" scheme="https" proxyPort="443"/>

 

 

V. Renewing the certificate on a schedule

Run crontab -e and add:

0 0,12 * * * certbot renew --quiet --deploy-hook "/usr/local/nginx/sbin/nginx -s reload"

This checks twice a day, which is the schedule certbot's own documentation recommends, and prints nothing unless something fails (--quiet). certbot renew only re-issues certificates that expire within 30 days, so a check that runs once a month (0 00 01 * *, midnight on the 1st) can miss the window for a 90-day certificate. Do not wrap the run in --pre-hook "nginx -s stop" / --post-hook "nginx": that pattern belongs to --standalone mode and breaks webroot renewal, because Let's Encrypt has to fetch the challenge file through the running nginx. With --webroot nginx stays up, and --deploy-hook, which runs only when a certificate was actually renewed, reloads it so the new files take effect.
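The validity check in section III and the renewal hook above both come down to the same question: are the files under /etc/letsencrypt/live/www.xxx.com/ what nginx should now serve? The script below is an added example, not code from the original post, that answers it with nothing but the openssl CLI before the reload happens. It assumes certbot's file names (privkey.pem, fullchain.pem) and takes the live directory and hostname as arguments; the --selftest mode builds a constructed 60-day self-signed certificate for www.xxx.com in a temporary directory so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on a certbot
# "live" directory before nginx is reloaded with it. Needs only the openssl CLI.
#
#   sh cert_preflight.sh /etc/letsencrypt/live/www.xxx.com www.xxx.com [min_days]
#   sh cert_preflight.sh --selftest     # runs against a constructed self-signed cert
set -u

# 0 if the first certificate in $1 (the leaf, in fullchain.pem) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 if private key $1 belongs to certificate $2, i.e. both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if certificate $1 lists DNS name $2 in its subjectAltName (browsers ignore the CN).
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# All checks for live directory $1 and hostname $2; $3 is the minimum remaining
# validity in days (default 30, which is also certbot's own renewal threshold).
preflight() {
    dir=$1; name=$2; min=${3:-30}; rc=0
    cert_valid_for_days "$dir/fullchain.pem" "$min" \
        || { echo "FAIL: certificate expires within $min days"; rc=1; }
    key_matches_cert "$dir/privkey.pem" "$dir/fullchain.pem" \
        || { echo "FAIL: privkey.pem does not match fullchain.pem"; rc=1; }
    cert_covers_name "$dir/fullchain.pem" "$name" \
        || { echo "FAIL: certificate does not cover $name"; rc=1; }
    return $rc
}

# Constructed test input: a self-signed 60-day certificate for www.xxx.com,
# laid out like a certbot live directory. Prints the directory path.
make_test_live_dir() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.xxx.com\n[ext]\nsubjectAltName = DNS:www.xxx.com\n' > "$d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -config "$d/req.cnf" -extensions ext \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" >/dev/null 2>&1
    echo "$d"
}

# No arguments (e.g. when sourced): only define the functions above.
case "${1-}" in
    --selftest) preflight "$(make_test_live_dir)" www.xxx.com && echo "selftest OK" ;;
    "") ;;
    *) preflight "$@" ;;
esac
```

Run it from the deploy hook, e.g. --deploy-hook "sh /usr/local/sbin/cert_preflight.sh /etc/letsencrypt/live/www.xxx.com www.xxx.com && /usr/local/nginx/sbin/nginx -s reload", so a renewal that produced a mismatched key or a certificate for the wrong name never reaches nginx. The key check compares the SubjectPublicKeyInfo of privkey.pem with the one inside the leaf certificate, which is exactly the mismatch nginx refuses to start on; the name check looks at subjectAltName because browsers ignore the CN. It does not verify the chain against the system trust store, which is why a self-signed test certificate passes.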

Appendix 1: nginx reports an error when HTTPS is configured but the SSL module was not enabled

Source: https://www.cnblogs.com/ghjbk/p/6744131.html

The cause is simple: nginx is missing http_ssl_module, and building it with --with-http_ssl_module would have avoided this. But my nginx is already installed, so how do I add a module? That is simple too, read on. For reference: my nginx is installed in /usr/local/nginx and my source tree is in /usr/local/src/nginx-1.6.2.

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37

1.2 Enabling the SSL module in nginx

Change into the source tree:

cd /usr/local/src/nginx-1.11.3

Check which modules nginx was originally built with:

/usr/local/nginx/sbin/nginx -V

The original configure parameters are shown after configure arguments:, for example:

--prefix=/usr/local/nginx --with-http_stub_status_module

The new configure line is then the old one plus the SSL module:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

Run that command and wait for configuration to finish, then build:

make

Do not run make install here, since that would overwrite the existing installation.

Then back up the nginx binary that is currently installed:

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

Then copy the freshly built binary over the old one (nginx must be stopped at this point):

cp ./objs/nginx /usr/local/nginx/sbin/

Then start nginx (running it with -t first checks the configuration against the new binary); confirm that the module was added with:

/usr/local/nginx/sbin/nginx -V

 

Appendix 2: converting a cer or pem certificate to a jks keystore and configuring the certificate in Tomcat

Source: https://www.iyunw.cn/archives/cer-huo-zhe-pem-zhuan-huan-wei-jks-zheng-shu-tomcat-pei-zhi-zheng-shu/

1. Convert the default pem certificate into the jks that Tomcat needs

① Convert the pem or cer file to a pfx file. You will be asked to set a password; I set all of them to password.

# with certbot's files, server.key is privkey.pem and server.pem must be fullchain.pem, so the intermediate CA is packed into the keystore too
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.pem

② Convert the pfx file to a jks file

keytool -importkeystore -srckeystore server.pfx -destkeystore server.jks -srcstoretype PKCS12 -deststoretype JKS

2. Configure Tomcat's server.xml. You will be asked for the password; I set all of them to password.

<!-- Tomcat 8.5+ can use the pfx directly (keystoreType="PKCS12") or the PEM files themselves via
     <SSLHostConfig><Certificate certificateKeyFile="..." certificateFile="..." certificateChainFile="..."/></SSLHostConfig>,
     so the jks conversion is only needed for older releases. keystorePass is stored in clear text, so the file
     must be readable by the tomcat user only; a keystore under /root is not readable by a non-root tomcat at all. -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/root/key/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />

3. Restart Tomcat
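The two conversion commands above prompt for passwords and, as written with server.pem, leave it to the reader to notice that the intermediate certificate has to be included. The script below is an added example, not code from the original post or from the article it quotes, that does the same conversion non-interactively and then checks how many certificates actually ended up in the keystore. It assumes certbot's file names from section III (privkey.pem, fullchain.pem), a password file whose path the caller supplies, and the openssl CLI; keytool is used only when it is installed. make_test_chain builds a constructed throwaway CA plus a leaf for www.xxx.com so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): packages certbot's privkey.pem and
# fullchain.pem into a PKCS12 keystore for Tomcat, chain included, with the
# keystore password read from a file rather than typed at a prompt or put on the
# command line (where ps and shell history would show it). keytool is only needed
# for the optional final JKS step; everything else is the openssl CLI.
#
#   sh pem_to_jks.sh /etc/letsencrypt/live/www.xxx.com /root/key /root/key/storepass.txt
set -u

# Write $2/server.p12 from $1/privkey.pem + $1/fullchain.pem; password from file $3.
# The friendly name "tomcat" is what keyAlias="tomcat" in server.xml would select.
pem_to_p12() {
    openssl pkcs12 -export -name tomcat \
        -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
        -out "$2/server.p12" -passout "file:$3" 2>/dev/null
}

# Number of certificates in PKCS12 $1 (password file $2). With a Let's Encrypt
# fullchain.pem this is 2 or more; 1 means the intermediate was left out, and
# clients that do not fetch it themselves will fail to build the chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Convert PKCS12 $1 to JKS $2 (password file $3); returns 2 when keytool is absent.
# Tomcat 8.5+ reads PKCS12 directly (keystoreType="PKCS12"), so this step is optional.
p12_to_jks() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:file "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass:file "$3" >/dev/null 2>&1
}

# Constructed test input: a throwaway CA and a leaf certificate for www.xxx.com,
# written out as privkey.pem and fullchain.pem (leaf followed by CA). Prints the directory.
make_test_chain() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/req.cnf" \
        -subj /CN=TestCA -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj /CN=www.xxx.com -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
    echo "$d"
}

# With three arguments run the conversion; without arguments only define the functions.
if [ $# -eq 3 ]; then
    pem_to_p12 "$1" "$2" "$3" && echo "server.p12: $(p12_cert_count "$2/server.p12" "$3") certificate(s)"
    p12_to_jks "$2/server.p12" "$2/server.jks" "$3" || echo "keytool not run (status $?)"
fi
```

The password file and the resulting keystore must be readable by the tomcat user and nobody else (chmod 600), which also rules out leaving them under /root. OpenSSL 3 writes the PKCS12 with PBES2/AES; if an older keytool rejects the file, re-run the export with -legacy.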

 

Appendix 3: configuring the embedded Tomcat in Spring Boot 2.0

Source: https://blog.csdn.net/wd2014610/article/details/79587161

1. Older versions used the class TomcatEmbeddedServletContainerFactory.

2. In Spring Boot 2.0.0 the class TomcatEmbeddedServletContainerFactory no longer exists.

3. In the old Tomcat configuration the tomcatFactory bean was built like this:

    @Bean
    public TomcatEmbeddedServletContainerFactory tomcatFactory() {
        TomcatEmbeddedServletContainerFactory tomcatFactory = new TomcatEmbeddedServletContainerFactory();
        tomcatFactory.addConnectorCustomizers(new GwsTomcatConnectionCustomizer());
        return tomcatFactory;
    }

4. So how is it built in Spring Boot 2.0.0?

Go to the Spring Boot reference documentation and find the section on Tomcat configuration.

5. The new release provides a brand-new class.

6. Example (a screenshot of the documentation in the source article):

7. The new ServletWebServerFactory class can therefore be used to build the Tomcat configuration:

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.addConnectorCustomizers(new GwsTomcatConnectionCustomizer());
        return tomcat;
    }

8. Finally, the complete new Tomcat configuration:

 

package com.gws.configuration;

import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.MultipartConfigFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.MultipartConfigElement;

/**
 * Embedded Tomcat configuration for Spring Boot 2.0 (TomcatServletWebServerFactory
 * replaces the 1.x TomcatEmbeddedServletContainerFactory).
 *
 * @version
 * @author
 */
@Configuration
public class TomcatConfig {

    @Value("${spring.server.port}")
    private String port;
    @Value("${spring.server.acceptorThreadCount}")
    private String acceptorThreadCount;
    @Value("${spring.server.minSpareThreads}")
    private String minSpareThreads;
    @Value("${spring.server.maxSpareThreads}")
    private String maxSpareThreads;
    @Value("${spring.server.maxThreads}")
    private String maxThreads;
    @Value("${spring.server.maxConnections}")
    private String maxConnections;
    @Value("${spring.server.protocol}")
    private String protocol;
    @Value("${spring.server.redirectPort}")
    private String redirectPort;
    @Value("${spring.server.compression}")
    private String compression;
    @Value("${spring.server.connectionTimeout}")
    private String connectionTimeout;
    // port nginx listens on for HTTPS (section IV); defaults to 443 so the property is optional
    @Value("${spring.server.proxyPort:443}")
    private String proxyPort;

    @Value("${spring.server.MaxFileSize}")
    private String MaxFileSize;
    @Value("${spring.server.MaxRequestSize}")
    private String MaxRequestSize;

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        // the protocol is a constructor argument of Connector and cannot be changed afterwards
        // through setAttribute/setProperty, so it has to be given to the factory
        tomcat.setProtocol(protocol);
        tomcat.addConnectorCustomizers(new GwsTomcatConnectionCustomizer());
        return tomcat;
    }

    @Bean
    public MultipartConfigElement multipartConfigElement() {
        MultipartConfigFactory factory = new MultipartConfigFactory();
        // size limit of a single uploaded file (e.g. "300MB"; KB and MB suffixes accepted)
        factory.setMaxFileSize(MaxFileSize);
        // size limit of the whole multipart request
        factory.setMaxRequestSize(MaxRequestSize);
        return factory.createMultipartConfig();
    }

    /**
     * Default HTTP connector, sitting behind nginx, which terminates TLS.
     *
     * @version
     * @author liuyi  2016-07-20 19:59:41
     */
    public class GwsTomcatConnectionCustomizer implements TomcatConnectorCustomizer {

        public GwsTomcatConnectionCustomizer() {
        }

        @Override
        public void customize(Connector connector) {
            connector.setPort(Integer.parseInt(port));
            connector.setProperty("connectionTimeout", connectionTimeout);
            connector.setProperty("acceptorThreadCount", acceptorThreadCount);
            connector.setProperty("minSpareThreads", minSpareThreads);
            // maxSpareThreads is not an attribute of the NIO/NIO2 connectors in Tomcat 8.5+;
            // setProperty returns false and the value is ignored
            connector.setProperty("maxSpareThreads", maxSpareThreads);
            connector.setProperty("maxThreads", maxThreads);
            connector.setProperty("maxConnections", maxConnections);
            // use the property values, not the literal strings "redirectPort" / "compression"
            connector.setRedirectPort(Integer.parseInt(redirectPort));
            connector.setProperty("compression", compression);
            // same role as scheme="https" proxyPort="443" on the Connector in server.xml (section IV):
            // redirects and request.getScheme() reflect the client-facing HTTPS endpoint
            connector.setScheme("https");
            connector.setProxyPort(Integer.parseInt(proxyPort));
        }
    }
}

9. Finally, configure application.properties:

#embedded tomcat configuration
spring.server.port=8095
#roughly the number of CPU cores
spring.server.acceptorThreadCount=4
spring.server.minSpareThreads=50
spring.server.maxSpareThreads=50
spring.server.maxThreads=1000
spring.server.maxConnections=10000
#10 second timeout
spring.server.connectionTimeout=10000
spring.server.protocol=org.apache.coyote.http11.Http11Nio2Protocol
spring.server.redirectPort=443
#HTTPS port nginx listens on (proxyPort of the connector; 443 if omitted)
spring.server.proxyPort=443
spring.server.compression=on
#upload size limits
spring.server.MaxFileSize=300MB
spring.server.MaxRequestSize=500MB
