Configuring a self-signed certificate
Run the following command to generate the keystore file:
keytool -genkey -alias tomcat -keyalg RSA
This creates a .keystore file in the user's home directory. During generation you are prompted for some required information; make sure you remember the password you set.
Edit server.xml to configure the certificate.
Find the following section:
<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
Uncomment it and change it to the following:
<Connector SSLEnabled="true"
           acceptCount="100"
           clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="false"
           maxThreads="25"
           port="8443"
           keystoreFile="~/.keystore"
           keystorePass="password"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS" />
Note: set password to the password you entered in the previous step.
Restart apache-tomcat and open
https://localhost:8443
to check the result.
Configuring HTTPS by URL
Edit the web.xml file.
Require HTTPS for all paths:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Require HTTPS for only some paths:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOrHTTP</web-resource-name>
        <url-pattern>*.ico</url-pattern>
        <url-pattern>/img/*</url-pattern>
        <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
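As an added illustration (not part of the original post), the following Python mirrors how the container decides whether a request path falls under one of these security constraints, using the precedence Tomcat applies (exact match, longest path prefix, extension, then the default pattern "/") and the redirect to the HTTPS port. The CONSTRAINTS data is transcribed from the second web.xml above; the 8443 redirect port and the rule that NONE wins when matched constraints conflict are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# (name, url-patterns, transport-guarantee), transcribed from the
# "only some paths over HTTPS" web.xml above.
CONSTRAINTS = [
    ("HTTPSOnly", ["/api/*"], "CONFIDENTIAL"),
    ("HTTPSOrHTTP", ["*.ico", "/img/*", "/css/*"], "NONE"),
]

def matching_constraints(path, constraints=CONSTRAINTS):
    """Constraints matching `path` at the most specific level only, in the
    precedence Tomcat uses: exact, longest path prefix (/x/*), extension
    (*.ext), then the default pattern "/"."""
    exact, prefix, ext, default, longest = [], [], [], [], -1
    for c in constraints:
        for p in c[1]:
            if p == path:
                exact.append(c)
            elif p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
                if len(p) > longest:
                    longest, prefix = len(p), [c]
                elif len(p) == longest and c not in prefix:
                    prefix.append(c)
            elif p.startswith("*.") and path.endswith(p[1:]):
                ext.append(c)
            elif p == "/":
                default.append(c)
    return next((lvl for lvl in (exact, prefix, ext, default) if lvl), [])

def transport_guarantee(path, constraints=CONSTRAINTS):
    """None when no constraint covers `path` (plain HTTP is allowed); otherwise
    the effective guarantee. If several matched constraints disagree, NONE is
    taken to win (an assumption; the config above never produces a conflict)."""
    matched = matching_constraints(path, constraints)
    if not matched:
        return None
    return "NONE" if any(c[2] == "NONE" for c in matched) else "CONFIDENTIAL"

def enforce(url, https_port=8443, constraints=CONSTRAINTS):
    """URL the request proceeds on: unchanged when the guarantee is satisfied,
    else the https:// equivalent on https_port (Tomcat redirects to the HTTP
    connector's redirectPort; 8443 is assumed here, matching the Connector above)."""
    parts = urlsplit(url)
    if parts.scheme == "https" or transport_guarantee(parts.path, constraints) != "CONFIDENTIAL":
        return url
    return urlunsplit(("https", f"{parts.hostname}:{https_port}", parts.path, parts.query, parts.fragment))
```

Because a prefix pattern outranks an extension pattern, pairing the all-paths /* constraint with a NONE constraint on *.ico still sends icon requests to HTTPS; only the /api/* variant above leaves them on plain HTTP.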
Generating a .cer certificate file
View the keystore contents:
april@client:~$ keytool -list -v -keystore .keystore -storepass 123456
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 16, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Z, OU=4YT, O=Unknown, L=hz, ST=zj, C=CN
Issuer: CN=Z, OU=4YT, O=Unknown, L=hz, ST=zj, C=CN
Serial number: 1822278c
Valid from: Mon Jan 16 16:44:46 CST 2017 until: Sun Apr 16 16:44:46 CST 2017
Certificate fingerprints:
     MD5: 14:6B:D9:2B:90:D7:AA:E7:5A:CC:8E:9A:A1:FD:0E:7B
We can see that the certificate to export has alias=tomcat.
Generate the .cer file:
april@client:~$ keytool -export -alias tomcat -keystore .keystore -storepass 123456 -rfc -file client.cer
Certificate stored in file <client.cer>
This produces a .cer file that can be embedded in the app so that the app can access the server over HTTPS.
Reference: Configure Tomcat SSL in 5 minutes
Reference: SSL/TLS Configuration HOW-TO
Reference: A Simple Step-By-Step Guide To Apache Tomcat SSL Configuration
Reference: How to configure Tomcat to always require HTTPS