Loading

Tomcat 实现 HTTPS 访问

本文转载自:https://blog.51cto.com/guoxh/2103315

HTTPS,在HTTP下加了一层SSL,用于安全的HTTP数据传输,对于数据敏感的网址必须要使用HTTPS协议,本文将介绍如何快速安装Tomcat,并实现HTTPS访问。

安装Tomcat

安装tomcat必须得有java环境,所以先安装JDK;

1、安装JDK

[root@node1 ~]# rpm -ivh jdk-8u161-linux-x64.rpm 
Preparing...                ########################################### [100%]
   1:jdk1.8                 ########################################### [100%]
Unpacking JAR files...
        tools.jar...
        plugin.jar...
        javaws.jar...
        deploy.jar...
        rt.jar...
        jsse.jar...
        charsets.jar...
        localedata.jar...
[root@node1 ~]# 

2、添加Java系统环境变量

[root@node1 ~]# cat /etc/profile.d/java.sh 
export JAVA_HOME=/usr/java/latest
export PATH=$JAVE_HOME/bin:$PATH
[root@node1 ~]# 

3、加载环境变量

[root@node1 ~]# . /etc/profile.d/java.sh

4、查看JDK是否安装成功

[root@node1 ~]# java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
[root@node1 ~]# 

5、安装Tomcat

[root@node1 ~]# tar  -zxf apache-tomcat-8.0.50.tar.gz  -C /usr/local/

6、创建软连接

[root@node1 ~]# ln -s /usr/local/apache-tomcat-8.0.50/ /usr/local/tomcat

7、添加Tomcat系统环境变量

[root@node1 ~]# cat /etc/profile.d/tomcat.sh 
export CATALINA_HOME=/usr/local/tomcat
export PATH=$CATALINA_HOME/bin:$PATH

8、加载环境变量

[root@node1 ~]# . /etc/profile.d/tomcat.sh

9、测试是否生效

[root@node1 ~]# catalina.sh version
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/latest
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Server version: Apache Tomcat/8.0.50
Server built:   Feb 7 2018 20:06:05 UTC
Server number:  8.0.50.0
OS Name:        Linux
OS Version:     2.6.32-642.6.2.el6.x86_64
Architecture:   amd64
JVM Version:    1.8.0_161-b12
JVM Vendor:     Oracle Corporation
[root@node1 ~]# 

10、启动Tomcat服务

[root@node1 ~]# catalina.sh  start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/latest
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.

11、测试访问

Tomcat默认端口为8080,所以访问时使用IP+8080访问即可;
快速安装Tomcat 并实现HTTPS访问

★ 到这里,Tomcat就安装完成了,但是只是默认环境,还需要根据需求自定义配置;

实现HTTPS访问

1、添加域名解析

到自己的域名解析商处,添加一条A记录指向你的服务器IP即可;

2、申请证书

使用刚才添加的域名申请一个SSL证书;

这边介绍一个生产开发环境证书的方式:使用 Java 提供的工具:keytool

keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "d:\tomcat.keystore" 

3、上传证书

在tomcat目录新建一个ssl目录,将证书文件上传到这个目录;

[root@node1 ~]# cd /usr/local/tomcat/
[root@node1 tomcat]# mkdir ssl
[root@node1 tomcat]# rz

4、修改server.xml

VIM打开server.xml,添加ssl连接器,在8080端口连接器下面添加如下配置:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="/usr/local/tomcat/ssl/YourDomain.jks"
    keystorePass="SSLPass"
    clientAuth="false" sslProtocol="TLS" />
注意:
    keystoreFile :证书存放目录,可以写绝对路径或Tomcat相对路径;
    keystorePass:证书私钥密码;

5、修改HOST配置

    <Engine name="Catalina" defaultHost="localhost">   
## 这里指定的localhost是默认HOST的名称,修改为证书绑定的域名即可

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost"  appBase="webapps"  
### 将这里的localhost修改Wie刚才添加解析的域名即可,且必须与证书的通用名称保持一致
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t "%r" %s %b" />

      </Host>

★这里只需要将里两个localhost修改为证书绑定域名即可,也就是是将该域名与此HOST绑定;

6、重启Tomcat服务

[root@node1 tomcat]# catalina.sh stop
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/latest
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
[root@node1 tomcat]# catalina.sh start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/latest
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.

7、查询端口是否监听

[root@node1 tomcat]# ss -ntl
State      Recv-Q Send-Q                                                  Local Address:Port                                                    Peer Address:Port 
LISTEN     0      1                                                           127.0.0.1:8005                                                               *:*     
LISTEN     0      100                                                                 *:8009                                                               *:*     
LISTEN     0      100                                                                 *:8080                                                               *:*     
LISTEN     0      128                                                                 *:22                                                                 *:*     
LISTEN     0      100                                                         127.0.0.1:25                                                                 *:*     
LISTEN     0      100                                                                 *:443                                                                *:*     
[root@node1 tomcat]# 

8、测试访问

使用https://YourDomain/ 来访问;
快速安装Tomcat 并实现HTTPS访问
★用浏览器访问显示小绿锁,F12查看,提示:This is secure (valid HTTPS),说明证书已经配置成功;

配置HTTP自动跳转到HTTPS

上面我们实现了HTTPS访问,但是客户使用http访问,还是会走http协议,依然是不安全的,没有达到我们的需求,下面配置HTTP自动跳转到HTTPS;

1、修改web.xml

在后面,也就是倒数第二行里,加上如下配置:

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>

2、修改sever.xml

修改非SSL连接器的请求跳转到SSL连接器上,修改如下配置:

原来为:
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
修改为:
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

★将默认8080端口修改为80端口,访问时就不需要加8080端口了,因为HTTP协议默认走的是80端口;
★将8443端口修改为443端口,意思是来自80端口的请求都跳转至443端口;

3、重启服务

[root@node1 conf]# catalina.sh  stop
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/latest
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
[root@node1 conf]# catalina.sh  start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/latest
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.

4、检测端口

查看端口,发现原来监听的8080端口已经没在了,而是监听的我们上面修改的80端口;

[root@node1 conf]# ss -nlt
State      Recv-Q Send-Q                                                  Local Address:Port                                                    Peer Address:Port 
LISTEN     0      100                                                                 *:8009                                                               *:*     
LISTEN     3      100                                                                 *:80                                                                 *:*     
LISTEN     0      128                                                                 *:22                                                                 *:*     
LISTEN     0      100                                                         127.0.0.1:25                                                                 *:*     
LISTEN     0      100                                                                 *:443                                                                *:*     
[root@node1 conf]# 

5、测试访问

这里我们使用linux下的curl命令测试,能更直观的看到跳转效果;

[root@node1 ~]# curl  http://YourDomain/  -I 
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 08:00:00 CST
Location: https://YourDomain/
Transfer-Encoding: chunked
Date: Fri, 13 Apr 2018 16:06:04 GMT

★ 到这里,Tomcat配置HTTP自动跳转HTTPS就已经完成了~

posted @ 2020-09-30 15:36  程序员自由之路  阅读(10328)  评论(0编辑  收藏  举报