resin4.0 pro下配置http和https双协议协同访问
按照项目需求进行的相关试验。
总结下来总体步骤分为3步:
一、证书生成;
二、代码处理;
三、发布配置。
一、证书生成。
加密方式使用openssl。所有生成及配置过程按照resin4官网的介绍来做的,没有任何技术含量。
照贴下来:
OpenSSL
OpenSSL is the same SSL implementation that Apache's mod_ssl uses. Since OpenSSL uses the same certificate as Apache, you can get signed certificates using the same method as for Apache's mod_ssl or following the OpenSSL instructions.
Linking to the OpenSSL Libraries on Unix
On Unix systems, Resin's libexec/libresinssl.so JNI library supports SSL using the OpenSSL libraries. Although the ./configure script will detect many configurations, you can specify the openssl location directly:
resin> ./configure --with-openssl=/usr/local/ssl
Obtaining the OpenSSL Libraries on Windows
On Windows systems, the resinssl.dll includes JNI code to use OpenSSL libraries (it was in resin.dll in versions before 3.0). All you need to do is to obtain an OpenSSL binary distribution and install it.
Resin on Windows 32 is compiled against the Win32 binary, you can obtain an installation package http://www.slproweb.com (Shining Light Productions).
Resin on Windows 64 is compiled against a Win64 binary, you can obtain an installation package Dean Lee: /dev/blog.
Once you have run the installation package, you can copy the necessary dll libraries into $RESIN_HOME:
Copying the Windows SSL libraries into $RESIN_HOME
C:\> cd %RESIN_HOME%
C:\resin-4.0.x> copy "C:\Program Files\GnuWin32\bin\libssl32.dll" .\libssl32.dll
C:\resin-4.0.x> copy "C:\Program Files\GnuWin32\bin\libeay32.dll" .\libeay32.dll
Preparing to use OpenSSL for making keys
You can make a keys/ subdirectory of $RESIN_HOME to do your work from and as a place to store your generated keys.
$RESIN_HOME/keys
unix> cd $RESIN_HOME
unix> mkdir keys
unix> cd keys
win> cd %RESIN_HOME%
win> mkdir keys
win> cd keys
Using OpenSSL requires a configuration file. Unix users might find the default configuration file in /usr/ssl/openssl.cnf or /usr/share/ssl/openssl.cnf. Windows users may not have received one with their package.
Either way, it can be valuable to make your own openssl.cnf that is used just for generating the keys to use with Resin. You can use the following as a template for a file $RESIN_HOME/keys/openssl.cnf. You may want to fill in the _default values so you don't have to type them in every time.
$RESIN_HOME/keys/openssl.cnf
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = 2 letter Country Code, for example US
C_default =
ST = State or Province
ST_default =
L = City
L_default =
O = Organization Name
O_default =
OU = Organizational Unit Name, for example 'Marketing'
OU_default =
CN = your domain name, for example www.hogwarts.com
CN_default =
emailAddress = an email address
emailAddress_default =
Creating a private key
Create a private key for the server. You will be asked for a password - don't forget it! You will need this password anytime you want to do anything with this private key. But don't pick something you need to keep secret, you will need to put this password in the Resin configuration file.
creating the private key gryffindor.key
unix> openssl genrsa -des3 -out gryffindor.key 1024
win> "C:\Program Files\GnuWin32\bin\openssl.exe" \
genrsa -des3 -out gryffindor.key 1024
Creating a certificate
OpenSSL works by having a signed public key that corresponds to your private key. This signed public key is called a certificate. A certificate is what is sent to the browser.
You can create a self-signed certificate, or get a certificate that is signed by a certificate signer (CA).
Creating a self-signed certificate
You can create a certificate that is self-signed, which is good for testing or for saving you money. Since it is self-signed, browsers will not recognize the signature and will pop up a warning to browser users. Other than this warning, self-signed certificates work well. The browser cannot confirm that the server is who it says it is, but the data between the browser and the client is still encrypted.
creating a self-signed certificate gryffindor.crt
unix> openssl req -config ./openssl.cnf -new -key gryffindor.key \
-x509 -out gryffindor.crt
win> "C:\Program Files\GnuWin32\bin\openssl.exe" req -config ./openssl.cnf \
-new -key gryffindor.key -x509 -out gryffindor.crt
You will be asked to provide some information about the identity of your server, such as the name of your Organization etc. Common Name (CN) is your domain name, like: "www.gryffindor.com".
Creating a certificate request
To get a certificate that is signed by a CA, first you generate a certificate signing request (CSR).
creating a certificate request gryffindor.csr
unix> openssl req -new -config ./openssl.cnf -key gryffindor.key \
-out gryffindor.csr
win> "C:\Program Files\GnuWin32\bin\openssl.exe" req -new \
-config ./openssl.cnf -key gryffindor.key -out gryffindor.csr
You will be asked to provide some information about the identity of your server, such as the name of your Organization etc. Common Name (CN) is your domain name, like: "www.gryffindor.com".
Send the CSR to a certificate signer (CA). You'll use the CA's instructions for Apache because the certificates are identical. Some commercial signers include:
Verisign
Thawte Consulting
You'll receive a gryffindor.crt file.
Most browsers are configured to recognize the signature of signing authorities. Since they recognize the signature, they will not pop up a warning message the way they will with self-signed certificates. The browser can confirm that the server is who it says it is, and the data between the browser and the client is encrypted.
resin.xml - Configuring Resin to use your private key and certificate
The OpenSSL configuration has two tags certificate-file and certificate-key-file. These correspond exactly to mod_ssl's SSLCertificateFile and SSLCertificateKeyFile. So you can use the same certificates (and documentation) from mod_ssl for Resin.
The full set of parameters is in the port configuration.
resin.xml
<resin xmlns="http://caucho.com/ns/resin">
<cluster id="http-tier">
<server id="a" address="192.168.1.12">
<http port="443">
<openssl>
<certificate-file>keys/gryffindor.crt</certificate-file>
<certificate-key-file>keys/gryffindor.key</certificate-key-file>
<password>my-password</password>
</openssl>
</http>
</server>
...
</resin>
The default resin configuration allows you to setup open-ssl in resin.properties.
Setting up open ssl in resin.properties
# OpenSSL certificate configuration
openssl_file : key/gryffindor.crt
openssl_key : keys/gryffindor.key
openssl_password : my-password
Testing SSL with the browser
A quick test is the following JSP.
Secure? <%= request.isSecure() %>
Testing with openssl to test the server
The openssl tool can be used as a client, showing some interesting information about the conversation between the client and the server:
unix$ openssl s_client -connect www.some.host:443 -prexit
Certificate Chains
A certificate chain is used when the signing authority is not an authority trusted by the browser. In this case, the signing authority uses a certificate which is in turn signed by a trusted authority, giving a chain of [your certificate] <-- signed by -- [untrusted signer] <-- signed by -- [trusted signer].
The Resin config parameter certificate-chain-file is used to specify a certificate chain. It is used to reference a file that is a concatenation of:
your certificate file
the intermediate (untrusted) certificate
the root (trusted) certificate.
The certificates must be in that order, and must be in PEM format.
Example certificate chain for Instant SSL
Comodo (http://instantssl.com) is a signing authority that is untrusted by most browsers. Comodo has their certificate signed by GTECyberTrust.
Comodo gives you three certificates:
your_domain.crt (signed by Comodo)
ComodoSecurityServicesCA.crt (signed by GTE CyberTrust)
GTECyberTrustRoot.crt (universally known root)
In addition to this, you have your key, your_domain.key. The contents of the file referred to by certificate-chain-file is a concatenation of the three certificates, in the correct order.
Creating a certificate chain file
$ cat your_domain.crt ComodoSecurityServicesCA.crt GTECyberTrustRoot.crt > chain.txt
resin.xml using a certificate chain file
<http port="443">
<openssl>
<certificate-key-file>keys/your_domain.key</certificate-key-file>
<certificate-file>keys/your_domain.crt</certificate-file>
<certificate-chain-file>keys/chain.txt</certificate-chain-file>
<password>test123</password>
</openssl>
</http>
用中文简单说下步骤:
1、安装openssl(下载链接看这里http://slproweb.com/products/Win32OpenSSL.html,想进一步研究去http://www.openssl.org/source/),需要注意的是分32bit和64bit,不过我在64bit的win7旗舰版下使用32bit版本,也正常。
安装完成后,将安装目录下的libeay32.dll和libssl32.dll放到你resin服务器根目录去。
2、通过敲命令行进入你的resin服务器根目录下keys文件夹 ;
unix> cd $RESIN_HOME
unix> mkdir keys
unix> cd keys
win> cd %RESIN_HOME%
win> mkdir keys
win> cd keys
3、建立一个openssl.cnf文件,按照如下格式:
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = 2 letter Country Code, for example US
C_default =
ST = State or Province
ST_default =
L = City
L_default =
O = Organization Name
O_default =
OU = Organizational Unit Name, for example 'Marketing'
OU_default =
CN = your domain name, for example www.hogwarts.com
CN_default =
emailAddress = an email address
emailAddress_default =
default_bits = 1024
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = 2 letter Country Code, for example US
C_default =
ST = State or Province
ST_default =
L = City
L_default =
O = Organization Name
O_default =
OU = Organizational Unit Name, for example 'Marketing'
OU_default =
CN = your domain name, for example www.hogwarts.com
CN_default =
emailAddress = an email address
emailAddress_default =
并放置在$RESIN_HOME/keys/目录下。
4、创建一个私钥。
unix> openssl genrsa -des3 -out gryffindor.key 1024
win> "openssl安装目录\bin\openssl.exe" genrsa -des3 -out gryffindor.key 1024
5、创建签名凭证。
unix> openssl req -config ./openssl.cnf -new -key gryffindor.key -x509 -out gryffindor.crt
win> "openssl安装目录\bin\openssl.exe" req -config ./openssl.cnf -new -key gryffindor.key -x509 -out gryffindor.crt
win> "openssl安装目录\bin\openssl.exe" req -config ./openssl.cnf -new -key gryffindor.key -x509 -out gryffindor.crt
6、创建凭证申请。
unix> openssl req -new -config ./openssl.cnf -key gryffindor.key -out gryffindor.csr
win> "openssl安装目录\bin\openssl.exe" req -new -config ./openssl.cnf -key gryffindor.key -out gryffindor.csr
win> "openssl安装目录\bin\openssl.exe" req -new -config ./openssl.cnf -key gryffindor.key -out gryffindor.csr
7、将生成的文件全部放到resin根目录\conf\keys\下。
二、代码处理。
这里的处理主要是为了完成由https向http跳转的需求。因为相对于http协议,https访问的开销较大,所以对于一些没必要加密的访问,强制使用http协议。
这里的实现方式很多,我使用的Filter,在web.xml中将不需要使用https协议的url全部强制转到http信道。
xml的代码不贴了,跟别的过滤放在一起的(原理就是将匹配的url-pattern通过该滤镜)。
简单贴下java里面做判断的代码,写的很简单,是否会有问题暂未验证。
if ("https".equals(request.getRequestURL().substring(0, 5))) {
response.sendRedirect("http"
+ request.getRequestURL().replace(0, 5, ""));
return;
response.sendRedirect("http"
+ request.getRequestURL().replace(0, 5, ""));
return;
}
三、发布配置。
主要是这一段配置,加入web.xml中的
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>*/login.do*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> </security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>*/login.do*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> </security-constraint>
这是强制匹配的url-pattern通过https方式进行访问,这里大家可以根据需要自己配了。
resin服务期部分的,因为我使用的是默认配置,所以只改了conf/resin.properties中的
# Set HTTP and HTTPS ports.
# Use overrides for individual server control, for example: app-0.http : 8081
app.http : 80
app.https : 443
web.http : 80
web.https : 443
# Use overrides for individual server control, for example: app-0.http : 8081
app.http : 80
app.https : 443
web.http : 80
web.https : 443
打开了80和443,及http和https的默认访问端口。
# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/gryffindor.crt
openssl_key : keys/gryffindor.key
openssl_password : 你的密码
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/gryffindor.crt
openssl_key : keys/gryffindor.key
openssl_password : 你的密码
配置证书。
提供配置好的文件及localhost的证书供大家测试
http://download.csdn.net/detail/yeahking1981/4570721
至此完成所有相关操作。
附上国际友人提供的http和https协议协同工作,相互跳转的解决方法。
http://stackoverflow.com/questions/12401292/how-do-i-redirect-https-requests-to-http-in-resin4-0
