Tomcat: enabling HTTPS access


    This article is reposted from: https://blog.51cto.com/guoxh/2103315

    HTTPS is HTTP carried over a TLS (historically SSL) session, so the HTTP traffic is encrypted and the server is authenticated; any site that handles sensitive data must use it. This article shows how to install Tomcat quickly and then enable HTTPS access.

    Installing Tomcat

    Tomcat needs a Java runtime, so install the JDK first;

    1. Install the JDK

    [root@node1 ~]# rpm -ivh jdk-8u161-linux-x64.rpm 
    Preparing...                ########################################### [100%]
       1:jdk1.8                 ########################################### [100%]
    Unpacking JAR files...
            tools.jar...
            plugin.jar...
            javaws.jar...
            deploy.jar...
            rt.jar...
            jsse.jar...
            charsets.jar...
            localedata.jar...
    [root@node1 ~]# 
    

    2. Add the Java environment variables

    [root@node1 ~]# cat /etc/profile.d/java.sh 
    export JAVA_HOME=/usr/java/latest
    export PATH=$JAVA_HOME/bin:$PATH
    [root@node1 ~]# 
    

    3. Load the environment variables

    [root@node1 ~]# . /etc/profile.d/java.sh
    

    4. Check that the JDK installed correctly

    [root@node1 ~]# java -version
    java version "1.8.0_161"
    Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
    Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
    [root@node1 ~]# 
    

    5. Install Tomcat

    [root@node1 ~]# tar  -zxf apache-tomcat-8.0.50.tar.gz  -C /usr/local/
    

    6. Create a symlink

    [root@node1 ~]# ln -s /usr/local/apache-tomcat-8.0.50/ /usr/local/tomcat
    

    7. Add the Tomcat environment variables

    [root@node1 ~]# cat /etc/profile.d/tomcat.sh 
    export CATALINA_HOME=/usr/local/tomcat
    export PATH=$CATALINA_HOME/bin:$PATH
    

    8. Load the environment variables

    [root@node1 ~]# . /etc/profile.d/tomcat.sh
    

    9. Check that it took effect

    [root@node1 ~]# catalina.sh version
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/latest
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    Server version: Apache Tomcat/8.0.50
    Server built:   Feb 7 2018 20:06:05 UTC
    Server number:  8.0.50.0
    OS Name:        Linux
    OS Version:     2.6.32-642.6.2.el6.x86_64
    Architecture:   amd64
    JVM Version:    1.8.0_161-b12
    JVM Vendor:     Oracle Corporation
    [root@node1 ~]# 
    

    10. Start the Tomcat service

    [root@node1 ~]# catalina.sh  start
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/latest
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    Tomcat started.
    

    11. Test access

    Tomcat listens on port 8080 by default, so browse to http://<server IP>:8080/;
    (screenshot of the default Tomcat page omitted)

    ★ At this point Tomcat is installed, but only with the default configuration; it still has to be adapted to your needs. Note that everything above was done as root, so Tomcat itself is now running as root; for anything beyond a test box, create a dedicated unprivileged user, give it ownership of the Tomcat tree, and start Tomcat as that user.

    Enabling HTTPS access

    1. Add a DNS record

    At your DNS provider, add an A record for the domain pointing at your server's IP;

    2. Obtain a certificate

    Request an SSL/TLS certificate for the domain you just added (from a CA, if browsers are to trust it without warnings);

    For a development or test environment you can instead generate a self-signed certificate with keytool, the utility that ships with the JDK (browsers will warn about it, since no CA vouches for it). When keytool asks "What is your first and last name?", answer with the domain: that becomes the certificate's CN, which is what clients compare against the hostname. The original uses a Windows path; on the Linux server use something like /usr/local/tomcat/ssl/YourDomain.jks:

    keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keysize 2048 -keystore "d:\tomcat.keystore"
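The interactive keytool command above produces a certificate whose subject is whatever you type at the prompts, and it leaves the keystore with default file permissions. The script below is an added example, not code from the original article: it drives keytool non-interactively so that the CN and a SAN entry both equal the site's hostname (browsers match the SAN first and fall back to the CN), takes the password from an environment variable rather than the command line, and locks the keystore file down to its owner. The domain, the keystore path and the KS_PASS variable name are assumptions; the certificate is still self-signed, so it remains a test-only certificate.

```shell
#!/bin/sh
# Added example (not from the original article): generate a Tomcat keystore
# with keytool so that the certificate's CN and SAN match the site's hostname,
# then lock down the keystore file. Domain, path and the KS_PASS variable
# name are assumptions; replace them with your own values.

# Create an RSA-2048 self-signed certificate whose subject CN and SAN both
# equal the domain. The password comes from the KS_PASS environment variable
# (keytool's :env modifier) so it does not appear in ps output or history.
gen_keystore() {
    domain=$1
    keystore=$2
    : "${KS_PASS:?set KS_PASS to the keystore password}"
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -validity 365 \
        -dname "CN=$domain, O=Example, C=CN" \
        -ext "SAN=dns:$domain" \
        -keystore "$keystore" \
        -storepass:env KS_PASS -keypass:env KS_PASS
    secure_keystore_file "$keystore"
}

# Print the keystore contents so the alias, key algorithm and CN can be checked.
show_keystore() {
    keytool -list -v -keystore "$1" -storepass:env KS_PASS
}

# Restrict the keystore to its owner: the file holds the private key, and the
# password protecting it sits in clear text in server.xml anyway.
secure_keystore_file() {
    chmod 600 "$1"
}

# Return 0 only when the file mode is exactly rw------- (owner read/write).
# Parses ls rather than stat so it behaves the same on Linux and BSD/macOS.
keystore_perms_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: KS_PASS=... ./make_keystore.sh YourDomain /usr/local/tomcat/ssl/YourDomain.jks
if [ "$#" -ge 2 ]; then
    gen_keystore "$1" "$2" && show_keystore "$2"
fi
```

Run it as the user Tomcat will run as, so the keystore ends up owned by that user; the same KS_PASS value is what goes into keystorePass in server.xml.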
    

    3. Upload the certificate

    Create an ssl directory under the Tomcat directory and upload the keystore file into it (rz uploads a file over ZMODEM from the terminal client; scp works just as well);

    [root@node1 ~]# cd /usr/local/tomcat/
    [root@node1 tomcat]# mkdir ssl
    [root@node1 tomcat]# rz
    

    4. Edit server.xml

    Open conf/server.xml in vim and add an SSL connector below the existing 8080 connector:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        keystoreFile="/usr/local/tomcat/ssl/YourDomain.jks"
        keystorePass="SSLPass"
        clientAuth="false" sslProtocol="TLS" />
    Notes:
        keystoreFile: path to the keystore, either absolute or relative to $CATALINA_BASE;
        keystorePass: the keystore password (Tomcat also uses it as the private-key password unless keyPass is set, so keep the two identical when generating the keystore);
        because that password sits in server.xml in clear text, make sure conf/server.xml and the keystore are readable only by the user Tomcat runs as.
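The connector above works, but it leaves protocol versions and cipher suites at the JVM defaults and keeps the version-revealing Apache-Coyote Server header. The script below is an added example, not configuration from the original article: hardened_connector writes a replacement for that connector using attributes that exist on the Tomcat 8.0.x HTTP connector (sslEnabledProtocols, ciphers, useServerCipherSuitesOrder, which needs the Java 8 the article installs, and server), and audit_ssl_connector flags a server.xml whose SSL connector lacks them or is world-readable. The keystore path and password are the article's placeholders; the Server header value is an assumption. Tomcat 8.5 and later use the nested SSLHostConfig syntax instead, so this is specific to 8.0.

```shell
#!/bin/sh
# Added example, not part of the original article: a hardened version of the
# article's HTTPS Connector for Tomcat 8.0.x (JSSE), plus a small audit that
# flags an SSL connector in server.xml that still runs on the defaults.
# Keystore path/password are the article's placeholders; the Server header
# value is an assumption.

# Same connector as the article's, with an explicit protocol and cipher policy:
#  - sslEnabledProtocols restricts the handshake to TLS 1.2 (no SSLv3/TLS 1.0)
#  - ciphers pins forward-secret AEAD suites (JSSE names, Java 8)
#  - useServerCipherSuitesOrder makes the server's preference win
#  - server replaces the version-revealing Apache-Coyote/1.1 header
hardened_connector() {
    cat <<'EOF'
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           keystoreFile="/usr/local/tomcat/ssl/YourDomain.jks"
           keystorePass="SSLPass"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
           useServerCipherSuitesOrder="true"
           server="Apache" />
EOF
}

# Audit a server.xml: flatten it to one line, pick out the first SSLEnabled
# connector element, and report every hardening attribute it lacks.
# Exit status: 0 = nothing to report, 1 = findings, 2 = no SSL connector.
audit_ssl_connector() {
    el=$(tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*/>' | head -n 1)
    if [ -z "$el" ]; then
        echo "no SSLEnabled connector found in $1"
        return 2
    fi
    rc=0
    for attr in sslEnabledProtocols ciphers useServerCipherSuitesOrder server; do
        case "$el" in
            *" $attr="*) ;;
            *) echo "missing: $attr"; rc=1 ;;
        esac
    done
    # server.xml carries keystorePass in clear text: "other" must have no bits.
    case "$(ls -l "$1" | cut -c8-10)" in
        ---) ;;
        *) echo "world-readable: $1"; rc=1 ;;
    esac
    return $rc
}

# Usage: audit_ssl_connector /usr/local/tomcat/conf/server.xml
```

After replacing the connector, confirm the policy from outside with openssl s_client -connect YourDomain:443 -tls1 (which must now fail) and -tls1_2 (which must succeed).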
    

    5. Edit the Host configuration

        <Engine name="Catalina" defaultHost="localhost">   
    ## The localhost here is the name of the default Host; change it to the domain the certificate was issued for
    
          <!--For clustering, please take a look at documentation at:
              /docs/cluster-howto.html  (simple how to)
              /docs/config/cluster.html (reference documentation) -->
          <!--
          <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
          -->
    
          <!-- Use the LockOutRealm to prevent attempts to guess user passwords
               via a brute-force attack -->
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <!-- This Realm uses the UserDatabase configured in the global JNDI
                 resources under the key "UserDatabase".  Any edits
                 that are performed against this UserDatabase are immediately
                 available for use by the Realm.  -->
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                   resourceName="UserDatabase"/>
          </Realm>
          <Host name="localhost"  appBase="webapps"  
    ### Change this localhost to the domain you added the DNS record for; keep it the same as the certificate's common name (or SAN entry)
                unpackWARs="true" autoDeploy="true">
    
            <!-- SingleSignOn valve, share authentication between web applications
                 Documentation at: /docs/config/valve.html -->
            <!--
            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
            -->
    
            <!-- Access log processes all example.
                 Documentation at: /docs/config/valve.html
                 Note: The pattern used is equivalent to using pattern="common" -->
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_access_log" suffix=".txt"
                   pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    
          </Host>
    

    ★ Only these two localhost values need to change, both to the domain the certificate was issued for; that binds the domain to this Host. Strictly speaking, the browser validates the certificate against the hostname it requested, not against Tomcat's Host name, so HTTPS would work without this step; renaming the Host keeps virtual-host routing consistent with the certificate. Whatever name you pick, defaultHost must match the name of a configured Host.

    6. Restart Tomcat

    [root@node1 tomcat]# catalina.sh stop
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/latest
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    [root@node1 tomcat]# catalina.sh start
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/latest
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    Tomcat started.
    

    7. Check that the port is listening

    [root@node1 tomcat]# ss -ntl
    State      Recv-Q Send-Q                                                  Local Address:Port                                                    Peer Address:Port 
    LISTEN     0      1                                                           127.0.0.1:8005                                                               *:*     
    LISTEN     0      100                                                                 *:8009                                                               *:*     
    LISTEN     0      100                                                                 *:8080                                                               *:*     
    LISTEN     0      128                                                                 *:22                                                                 *:*     
    LISTEN     0      100                                                         127.0.0.1:25                                                                 *:*     
    LISTEN     0      100                                                                 *:443                                                                *:*     
    [root@node1 tomcat]# 
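Port 443 is up, but the same listing shows the AJP connector on 8009 bound to every interface, while the shutdown port 8005 is correctly on 127.0.0.1. AJP is only needed when a front-end such as mod_jk or mod_proxy_ajp talks to Tomcat, and it should never be reachable from the network at large. The script below is an added example, not from the original article: it reads ss -ntl output and flags sensitive ports bound to a wildcard address. The list of ports that must stay on loopback is an assumption for this setup, and the sample listing is constructed from the one above.

```shell
#!/bin/sh
# Added example, not from the original article: flag Tomcat ports in an
# `ss -ntl` listing that are bound to every interface but should only be
# reachable locally. Which ports count as local-only is an assumption.

# Ports that must only ever be bound to a loopback address:
# 8005 is the shutdown port, 8009 the AJP connector.
LOCAL_ONLY_PORTS="8005 8009"

# Read `ss -ntl` (or `netstat -ntl`) output on stdin; print one line per
# sensitive port bound to a wildcard address (*, 0.0.0.0, :: or [::]).
# Exit 0 when nothing is flagged, 1 otherwise.
audit_listeners() {
    found=0
    while read -r state rq sq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            '*'|0.0.0.0|'[::]'|'::') ;;
            *) continue ;;
        esac
        for p in $LOCAL_ONLY_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "exposed on all interfaces: $laddr"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample, modelled on the listing in the article: AJP (8009) is
# bound to *, the shutdown port (8005) correctly sits on 127.0.0.1.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN     0      1      127.0.0.1:8005         *:*
LISTEN     0      100    *:8009                 *:*
LISTEN     0      100    *:8080                 *:*
LISTEN     0      128    *:22                   *:*
LISTEN     0      100    127.0.0.1:25           *:*
LISTEN     0      100    *:443                  *:*'

# Live use on the server:  ss -ntl | audit_listeners
```

To clear the finding, comment out the AJP Connector in conf/server.xml if nothing uses it, or give it address="127.0.0.1" if a local front-end does; a firewall rule that drops inbound 8009 is a reasonable second layer.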
    

    8. Test access

    Browse to https://YourDomain/;
    (browser screenshot omitted)
    ★ If the browser shows the padlock and the developer tools (F12) Security panel reports "This is secure (valid HTTPS)", the certificate is configured correctly. A self-signed keytool certificate will show a warning instead, since no browser trusts it; the padlock only appears with a CA-issued certificate.

    Configuring automatic HTTP to HTTPS redirection

    HTTPS now works, but a client that types http:// still gets plain HTTP, which is just as insecure as before and does not meet the requirement; the following configures an automatic redirect from HTTP to HTTPS;

    1. Edit web.xml

    Near the end of conf/web.xml (Tomcat's global web.xml, so the rule applies to every webapp), immediately before the closing </web-app> tag, add the following. Only the <security-constraint> is needed: a <transport-guarantee> of CONFIDENTIAL makes Tomcat redirect any plain-HTTP request matching /* to the connector's redirectPort. The <login-config> with CLIENT-CERT that is often pasted alongside it is not required here, because there is no <auth-constraint> and so no authentication is enforced.

    <security-constraint>
        <!-- Require HTTPS for every URL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    

    2. Edit server.xml

    Change the non-SSL connector so that its requests are redirected to the SSL connector:

    Before:
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
    After:
        <Connector port="80" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443" />
    

    ★ Changing 8080 to 80 means clients no longer have to type a port, since HTTP defaults to 80;
    ★ Changing redirectPort from 8443 to 443 means that a request on port 80 that hits the CONFIDENTIAL constraint is redirected to port 443;
    ★ On Linux, binding 80 and 443 needs root privileges, which is the only reason it works here (Tomcat was started as root). For production, keep Tomcat on 8080/8443 under an unprivileged user and map 80/443 to them with an iptables REDIRECT rule or a reverse proxy in front, or grant the JVM cap_net_bind_service with setcap; do not run Tomcat as root just to bind the low ports.

    3. Restart the service

    [root@node1 conf]# catalina.sh  stop
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/latest
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    [root@node1 conf]# catalina.sh  start
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/latest
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    Tomcat started.
    

    4. Check the ports

    Looking at the listeners again, 8080 is gone and port 80, which we configured above, is listening instead;

    [root@node1 conf]# ss -nlt
    State      Recv-Q Send-Q                                                  Local Address:Port                                                    Peer Address:Port 
    LISTEN     0      100                                                                 *:8009                                                               *:*     
    LISTEN     3      100                                                                 *:80                                                                 *:*     
    LISTEN     0      128                                                                 *:22                                                                 *:*     
    LISTEN     0      100                                                         127.0.0.1:25                                                                 *:*     
    LISTEN     0      100                                                                 *:443                                                                *:*     
    [root@node1 conf]# 
    

    5. Test access

    Here we use curl on Linux, which shows the redirect more directly than a browser;

    [root@node1 ~]# curl  http://YourDomain/  -I 
    HTTP/1.1 302 Found
    Server: Apache-Coyote/1.1
    Cache-Control: private
    Expires: Thu, 01 Jan 1970 08:00:00 CST
    Location: https://YourDomain/
    Transfer-Encoding: chunked
    Date: Fri, 13 Apr 2018 16:06:04 GMT
    

    ★ That completes the Tomcat HTTP-to-HTTPS redirect configuration~
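The 302 above only protects users after they reach the server: the very first request still travels in clear text, and anyone on the path can answer it before the redirect arrives. Adding the Strict-Transport-Security header to HTTPS responses tells browsers to go straight to https:// on every later visit. The script below is an added example, not from the original article: check_redirect and check_hsts verify captured response headers (the output of curl -sI), and hsts_filter_snippet prints the standard Tomcat HttpHeaderSecurityFilter configuration (available since 8.0.23) for conf/web.xml, which sets the header only on requests that arrived over TLS. The sample header blocks are constructed, modelled on the curl output above; YourDomain is the article's placeholder, and the one-year max-age is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: verify the HTTP->HTTPS
# redirect and HSTS from captured response headers, and print the
# HttpHeaderSecurityFilter config that makes Tomcat 8.0.23+ send HSTS.
# Sample headers below are constructed; YourDomain is a placeholder.

# Read one response (curl -sI output) on stdin and check it is a redirect
# to https:// on the expected host. Prints the problem and returns 1 if not.
check_redirect() {
    host=$1
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" { print $2; exit }')
    case "$status" in
        301|302|303|307|308) ;;
        *) echo "not a redirect: status '$status'"; return 1 ;;
    esac
    case "$location" in
        "https://$host"|"https://$host/"*) ;;
        *) echo "unexpected Location: '$location'"; return 1 ;;
    esac
    return 0
}

# Read the HTTPS response headers on stdin and check that HSTS is present
# with a max-age of at least $1 seconds (default: one year).
check_hsts() {
    min_age=${1:-31536000}
    age=$(tr -d '\r' | grep -i '^strict-transport-security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        echo "missing Strict-Transport-Security header"
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "HSTS max-age $age is below $min_age"
        return 1
    fi
    return 0
}

# conf/web.xml addition: Tomcat's HttpHeaderSecurityFilter adds
# Strict-Transport-Security: max-age=31536000;includeSubDomains
# to responses, and only when the request was secure (request.isSecure()).
hsts_filter_snippet() {
    cat <<'EOF'
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
EOF
}

# Constructed samples (not captured from a live host).
SAMPLE_HTTP_RESPONSE='HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Location: https://YourDomain/
Transfer-Encoding: chunked
Date: Fri, 13 Apr 2018 16:06:04 GMT
'
SAMPLE_HTTPS_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=UTF-8
Date: Fri, 13 Apr 2018 16:06:05 GMT
'

# Live use:
#   curl -sI  http://YourDomain/  | check_redirect YourDomain
#   curl -sIk https://YourDomain/ | check_hsts
```

Start with a short max-age while testing and raise it once everything is served over HTTPS: browsers enforce the header for the whole period, so a misconfiguration cannot be undone from the server side once clients have cached it.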

    Life's main theme is hardship; joy is the scarce resource. Finding joy in the middle of hardship is what makes it precious~
Original source: https://www.cnblogs.com/54chensongxia/p/13754839.html
Copyright © 2020-2023  润新知