  Deploying an SSL certificate in a Tomcat 8 container and forcing HTTPS

    Obtain and install the server certificate

    Because this was a production project, the company applied for an SSL certificate from a CA. One application yields certificates for several environments: Apache, Nginx, Tomcat, IIS and so on. The company deploys its projects on Tomcat 8.

    Import the certificate

    Upload the certificate to the server with a file-transfer tool; the storage directory is /www/server/tomcat/conf

    Edit the configuration file server.xml

    1. Find the following block, change the access port to 80 and change redirectPort to 443
    <Connector port="80" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443" />
    
    2. Then find the block below, remove the comment markers around it and add the certificate path
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    

    Change it to

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain.net">
        <SSLHostConfig hostName="domain.net">
            <Certificate certificateKeystoreFile="conf/domain_net.jks"
                         certificateKeystorePassword="a75wRsB7T837r7R7"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    

    Save, exit and restart Tomcat.
    Check the log and the listening ports to confirm that it started.

    netstat -ntlp
    
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4060/java           
    tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      4060/java           
    tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      4060/java           
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4060/java           
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1246/pure-ftpd (SER 
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2080/sshd           
    tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1722/python         
    tcp6       0      0 :::33060                :::*                    LISTEN      1907/mysqld         
    tcp6       0      0 :::3306                 :::*                    LISTEN      1907/mysqld         
    tcp6       0      0 :::21                   :::*                    LISTEN      1246/pure-ftpd (SER 
    

    Open port 443 in the firewall

    firewall-cmd --list-all
    firewall-cmd --permanent --add-port=443/tcp
    firewall-cmd --reload
    

    Force HTTPS for users: a request made over HTTP is redirected to HTTPS automatically

    Edit conf/web.xml and go to the end of the file

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    

    Add the following code below it

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    

    That completes the configuration: the site can now be accessed with the certificate, and HTTPS is enforced.
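    As an added consistency check (example code written for this page, not from the original post or from Tomcat), the Python script below parses a server.xml/web.xml pair and verifies what the steps above depend on: the plain HTTP connector's redirectPort must be a port that an SSLEnabled connector listens on, and web.xml must carry a security-constraint on /* with transport-guarantee CONFIDENTIAL. The sample documents are constructed inline and the keystore password is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents mirroring the configuration above (not the
# page's own files); the keystore password is a placeholder, not a secret.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain.net">
    <SSLHostConfig hostName="domain.net">
      <Certificate certificateKeystoreFile="conf/domain_net.jks"
                   certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def check_https_setup(server_xml, web_xml):
    """Return a list of findings; an empty list means the HTTP->HTTPS redirect chain is consistent."""
    findings = []
    ssl_ports, plain = set(), []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.add(c.get("port"))
        else:
            plain.append(c)
    # A CONFIDENTIAL constraint makes Tomcat redirect plain-HTTP requests to the
    # connector's redirectPort, so that port must be one an SSL connector listens on.
    for c in plain:
        rp = c.get("redirectPort", "443")  # Tomcat's default when the attribute is absent
        if rp not in ssl_ports:
            findings.append(f"connector {c.get('port')}: redirectPort={rp} is not an SSL connector port")
    # web.xml: only a constraint on /* with CONFIDENTIAL forces HTTPS site-wide; endswith() tolerates the Java EE namespace prefix
    covered = False
    for sc in ET.fromstring(web_xml).iter():
        if not sc.tag.endswith("security-constraint"):
            continue
        patterns = [p.text.strip() for p in sc.iter() if p.tag.endswith("url-pattern")]
        guarantees = [g.text.strip() for g in sc.iter() if g.tag.endswith("transport-guarantee")]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            covered = True
    if not covered:
        findings.append("web.xml: no security-constraint forcing CONFIDENTIAL on /*")
    return findings
```

Run it against the real files with open("conf/server.xml").read() and open("conf/web.xml").read(); any finding returned means the redirect described above will not work as intended.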

  Original URL: https://www.cnblogs.com/liuyishi/p/13475475.html