Apache Tomcat/9.0.35 配置https
前言:
JSSE: Java Secure Socket Extension 它包含了实现Internet安全通信的一系列包的集合,是SSL和TLS的纯 Java实现。
SSL是基于表准的TCP/IP socket协议的安全增加用于网络通信。
[root@yxaj ~]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \ -keystore /home/apache-tomcat-9.0.35/conf/tomcat.keystore
keytool -genkeypair -alias [user] -keyalg [认证类型] -keystore [file]
JDK中Keytool常见命令选项如下:
keytool -genkey:自动使用默认的算法生成公钥和私钥
-alias[名称]:给证书取个别名
-keyalg:制定密钥的算法,如果需要制定密钥的长度,可以再加上keysize参数,密钥长度默认为1024位,使用DSA算法时,密钥长度必须在512到1024之间,并且是64的整数倍
-keystore:参数可以指定密钥库的名称。密钥库其实是存放迷药和证书文件,密钥库对应的文件如果不存在会自动创建。
-validity:证书的有效日期,默认是90天
-keypass changeit:不添加证书密码
-storepass changeit:不添加存储证书的密码
tomcat中server.xml配置文件中几个port 的作用和区别(重点)
1.<Server port="8105" shutdown="SHUTDOWN"> #是tomcat监听的关闭端口。 2.<Connector port="8667" protocol="HTTP/1.1" connectionTimeout="30000" KeepAliveTimeout="30000" maxThreads="150" acceptCount="150" maxConnections="150" minSpareThreads="25" maxSpareTHreads="75" enableLookups="false" redirectPort="8666" />
protocol: http协议;connectionTimeout: 连接超时时间;
port:监听浏览器发送请求,该端口设置为 80后在访问的时候就可以省略端口(http://localhost);
redirectPort: 重定向端口,当用户用http请求某个资源,而该资源本身又被设置了必须要 https方式访问,
此时tomcat会自动重定向到这个redirectPport设置的https端口,即处理https请求的端口。
3.<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
#这个是接收其他服务转发过来的请求。
4.<Context path="/yxajapp/upload" docBase="/home/webFile/yxaj/upload" reloadable="true" ></Context>
-
path:指定访问该 Web 应用的 URL 入口
-
docBase:指定 Web 应用的文件路径,可以给定绝对路径,也可以给定相对于<Host>的appBase 属性的相对路径,如果 Web 应用采用开放目录结构,则指定 Web 应用的根目录,如果 Web 应用是个 war 文件,则指定 war 文件的路径。(指定项目所在地址)
-
reloadable:如果这个属性设为 true,tomcat 服务器在运行状态下会监视在WEB-INF/classes 和 WEB-INF/lib 目录下 class 文件的改动,如果监测到有 class 文件被更新的,服务器会自动重新加载 Web 应用。
-
crossContext:如果想在应用内调用 ServletContext.getContext()来返回在该虚拟主机上运行的其他 web application 的 request dispatcher,设为 true。在安全性很重要的环境中设为 false,使得 getContext()总是返回 null。缺省值为 false。
-
Debug:与这个 Engine 关联的 Logger 记录的调试信息的详细程度。数字越大,输出越详细。如果没有指定,缺省为 0。
完整server.xml的配置文件如下:
<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- Note: A "Server" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/server.html --> <Server port="8105" shutdown="SHUTDOWN"> <Listener className="org.apache.catalina.startup.VersionLoggerListener" /> <!-- Security listener. Documentation at /docs/config/listeners.html <Listener className="org.apache.catalina.security.SecurityListener" /> --> <!--APR library loader. Documentation at /docs/apr.html --> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> <!-- Prevent memory leaks due to use of particular java/javax APIs--> <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> <!-- Global JNDI resources Documentation at /docs/jndi-resources-howto.html --> <GlobalNamingResources> <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users --> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share a single "Container" Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/service.html --> <Service name="Catalina"> <!--The connectors can use a shared executor, you can define one or more named thread pools--> <!-- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150" minSpareThreads="4"/> --> <!-- A "Connector" represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> <Connector port="8667" protocol="HTTP/1.1" connectionTimeout="30000" KeepAliveTimeout="30000" maxThreads="150" acceptCount="150" maxConnections="150" minSpareThreads="25" maxSpareTHreads="75" enableLookups="false" redirectPort="8666" /> <!-- A "Connector" using the shared thread pool--> <!-- <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> --> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation. The default SSLImplementation will depend on the presence of the APR/native library and the useOpenSSL attribute of the AprLifecycleListener. Either JSSE or OpenSSL style configuration may be used regardless of the SSLImplementation selected. JSSE style configuration is used below. --> <Connector port="8666" protocol="org.apache.coyote.http11.Http11NioProtocol" KeepAliveTimeout="30000" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" scheme="https" secure="true" acceptCount="100" maxConnections="100" enableLookups="false" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/tomcat.keystore" certificateKeyAlias="tomcat" certificateKeystorePassword="123456" type="RSA" sslProtocol="TLSv1.3"/> </SSLHostConfig> </Connector> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 This connector uses the APR/native implementation which always uses OpenSSL for TLS. Either JSSE or OpenSSL style configuration may be used. OpenSSL style configuration is used below. --> <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" certificateFile="conf/localhost-rsa-cert.pem" certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA" /> </SSLHostConfig> </Connector> --> <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" /> --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). Documentation at /docs/config/engine.html --> <!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> --> <Engine name="Catalina" defaultHost="localhost"> <!--For clustering, please take a look at documentation at: /docs/cluster-howto.html (simple how to) /docs/config/cluster.html (reference documentation) --> <!-- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> --> <!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack --> <Realm className="org.apache.catalina.realm.LockOutRealm"> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <!-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> <!-- Access log processes all example. Documentation at: /docs/config/valve.html Note: The pattern used is equivalent to using pattern="common" --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" /> </Host> </Engine> </Service> </Server>