Obtaining and installing the server certificate
Because this is a production project, the company applied for an SSL certificate from a CA. One application yields certificate bundles for several environments: Apache, Nginx, Tomcat, IIS and so on. The company deploys its project on Tomcat 8.
Importing the certificate
Upload the certificate to the server with a file-transfer tool; the storage directory is /www/server/tomcat/conf
Editing the configuration file server.xml
- Find the following block, change the access port to 80 and change redirectPort to 443:
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
- Then find the block below, remove the comment markers around it and add the certificate path:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Change it to:
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain.net">
        <SSLHostConfig hostName="domain.net">
            <Certificate certificateKeystoreFile="conf/domain_net.jks"
                         certificateKeystorePassword="a75wRsB7T837r7R7"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Save, exit and restart Tomcat.
Check the log and the listening ports to confirm that it started:
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4060/java
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 4060/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 4060/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4060/java
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1246/pure-ftpd (SER
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2080/sshd
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 1722/python
tcp6 0 0 :::33060 :::* LISTEN 1907/mysqld
tcp6 0 0 :::3306 :::* LISTEN 1907/mysqld
tcp6 0 0 :::21 :::* LISTEN 1246/pure-ftpd (SER
Open port 443 in the firewall
firewall-cmd --list-all
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
Force HTTPS for all users: a request made over HTTP is automatically redirected to HTTPS
Edit conf/web.xml and go to the end of the file:
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
Add the following code below it (the welcome-file-list is shown again for context; the new elements are login-config and security-constraint):
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
With that, all the configuration is complete: the site is served with the certificate and HTTPS is enforced.
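As an added example (not part of the original post or of Tomcat itself), the following Python script checks the two edits described above before a restart: that the plain-HTTP Connector's redirectPort points at a Connector with SSLEnabled="true" whose Certificate names a keystore and password, and that web.xml carries a security-constraint with url-pattern /* and transport-guarantee CONFIDENTIAL. The embedded XML samples are constructed to mirror the post's fragments; on a real server read conf/server.xml and conf/web.xml instead.

```python
import xml.etree.ElementTree as ET
# Constructed samples mirroring the fragments in the post (not the live files).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain.net">
    <SSLHostConfig hostName="domain.net">
      <Certificate certificateKeystoreFile="conf/domain_net.jks"
                   certificateKeystorePassword="example-only" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.split("}")[-1]  # strip the Java EE default namespace, if any

def check_server_xml(xml_text):
    """Return the list of problems in the Connector/Certificate setup (empty = ok)."""
    root = ET.fromstring(xml_text)
    problems = []
    tls = [c for c in root.iter("Connector") if c.get("SSLEnabled") == "true"]
    if not tls:
        return ['no Connector has SSLEnabled="true"']
    tls_ports = {c.get("port") for c in tls}
    for c in root.iter("Connector"):  # every plain connector must redirect to a TLS port
        if c not in tls and c.get("redirectPort") not in tls_ports:
            problems.append(f"port {c.get('port')}: redirectPort does not target a TLS connector")
    for c in tls:  # each TLS connector needs a keystore and the password to open it
        for cert in c.iter("Certificate"):
            for attr in ("certificateKeystoreFile", "certificateKeystorePassword"):
                if not cert.get(attr):
                    problems.append(f"port {c.get('port')}: Certificate lacks {attr}")
    return problems

def check_web_xml(xml_text):
    """True when some security-constraint forces every path (/*) onto TLS."""
    root = ET.fromstring(xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = {(_local(e.tag), (e.text or "").strip()) for e in sc.iter()}
        if ("url-pattern", "/*") in texts and ("transport-guarantee", "CONFIDENTIAL") in texts:
            return True
    return False
```

Note that server.xml now holds the keystore password in clear text, so keep file permissions on server.xml and the .jks restricted to the Tomcat service account.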