Deploying an SSL Certificate for a Website

I. Preface

In day-to-day development you inevitably have to put a website online, and putting a website online inevitably means dealing with SSL certificates. This post records, in brief, how to obtain an SSL certificate and deploy it to a website.

Environment:

Server: CentOS 7

Nginx: 1.18.0

Tomcat: 9.x

Application: a Spring Boot project that is already reachable

JDK: JDK 8

Site domain: www.zhangzhixi.top (you need to apply for your own domain and complete ICP filing for the site; that is not covered here, search Baidu for details)

SSL certificate: a free SSL certificate from Alibaba Cloud, obtained as follows:

Obtaining a free Alibaba Cloud SSL certificate

Applying for a free SSL certificate requires that you already have a domain, with DNS resolution and ICP filing in place.

Application address for Alibaba Cloud free SSL certificates: https://yundun.console.aliyun.com/?spm=0.2020520163.top-nav.3.47daaGKxaGKxgl&p=cas#/overview

II. Deploying the SSL certificate on Tomcat

JKS-format certificate

https://www.cnblogs.com/zhangzhixi/p/15193844.html

PFX-format certificate

1. Upload the certificate to the server (any location)

2. Configure Tomcat's server.xml

<!-- keystoreFile: path to the uploaded .pfx file; keystorePass: the password issued with it -->
<Connector
    port="80"
    protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443" />

<Connector
    port="443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="证书路径"
    keystoreType="PKCS12"
    keystorePass="证书密码"
    clientAuth="false"
    SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

My complete server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
  
    <Connector 
        port="80" 
        protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="443" />
               
    <Connector 
        port="443"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        keystoreFile="/mnt/cert/7919092_www.zhangzhixi.top.pfx"
        keystoreType="PKCS12"
        keystorePass="E1HKg533"
        clientAuth="false"
        SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
        ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
        
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase=""
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    <Context docBase="/usr/local/application/adopt" path="/" reloadable="true"/>
      </Host>
    </Engine>
  </Service>
</Server>

3. Redirect HTTP to HTTPS (optional)

What does this mean? With the configuration above the project can be reached over HTTPS, but at the same time it can still be reached over plain HTTP, which is usually not what we want: we want it reachable only over HTTPS.

Just append the following at the end of $CATALINA_HOME/conf/web.xml (inside the <web-app> element):

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

III. Deploying the SSL certificate on Nginx

1. Demo (an ordinary project without SSL is used for the demonstration)

nohup java -jar my-site-1.0.2.nossl.RELEASE.jar --server.port=9090 > nohup.out 2>&1 &

2. Put the downloaded Nginx certificate files on the server

Nginx's default install location is /usr/local/nginx/

I put the files used for the Nginx SSL deployment in /usr/local/nginx/conf/cert

3. Edit the Nginx configuration file

Only the places I have marked need to be changed

server {
    # SSL listens on port 443
    listen 443 ssl;
    # domain the certificate is bound to (1)
    server_name www.zhangzhixi.top;
    # certificate file name (2)
    ssl_certificate cert/8706500_www.zhangzhixi.top.pem;
    # private key file name (3)
    ssl_certificate_key cert/8706500_www.zhangzhixi.top.key;
    ssl_session_timeout 5m;
    # configure the protocols as follows
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # configure the cipher suites as follows; the syntax follows the OpenSSL standard
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        root   html;
        index  index.html index.htm;
        # local address of the project (4)
        proxy_pass http://localhost:9090;
    }
}

Access succeeds:

4. Redirect HTTP to HTTPS (optional)

After adding the configuration, reload Nginx for it to take effect: ./nginx -s reload
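As an added check that is not part of the original post, the following Python script pulls the protocol and cipher settings out of a Tomcat Connector and an nginx server block like the two configured above and reports the deprecated TLS versions and the suites without forward secrecy that both currently allow. The two samples are constructed from this post, with the real keystore path and password replaced by placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the TLS-relevant attributes of the Tomcat <Connector> in this post
# (real path and password replaced by placeholders; cipher list shortened).
TOMCAT_CONNECTOR = """<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    keystoreFile="/path/to/site.pfx" keystoreType="PKCS12" keystorePass="PLACEHOLDER"
    SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>"""

# Constructed sample: the ssl_protocols / ssl_ciphers directives of the nginx block in this post.
NGINX_SERVER = """server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
}"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv3 has been broken since POODLE.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

def tomcat_tls_settings(xml_text):
    """Protocols ('+'-separated) and ciphers (','-separated) from a Tomcat Connector element."""
    el = ET.fromstring(xml_text)
    protocols = el.get("SSLProtocol", "").split("+")
    ciphers = [c for c in el.get("ciphers", "").split(",") if c]
    return protocols, ciphers

def nginx_tls_settings(conf_text):
    """Protocols and OpenSSL cipher-string tokens from ssl_protocols / ssl_ciphers directives."""
    protocols = re.search(r"ssl_protocols\s+([^;]+);", conf_text).group(1).split()
    ciphers = re.search(r"ssl_ciphers\s+([^;]+);", conf_text).group(1).split(":")
    return protocols, ciphers

def audit(protocols, ciphers):
    """Findings: deprecated protocol versions and suites with plain-RSA key exchange (no
    forward secrecy). JSSE names those TLS_RSA_WITH_*; in an OpenSSL string the HIGH keyword
    admits them unless !kRSA is present, so that gap is flagged as well."""
    findings = {"deprecated_protocols": sorted(p for p in protocols if p in DEPRECATED_PROTOCOLS),
                "no_forward_secrecy": [c for c in ciphers if c.startswith("TLS_RSA_WITH_")]}
    if "HIGH" in ciphers and "!kRSA" not in ciphers:
        findings["no_forward_secrecy"].append("HIGH (add !kRSA to exclude RSA key exchange)")
    return findings

# Hardened equivalents for comparison: Tomcat SSLProtocol="TLSv1.2+TLSv1.3" with only ECDHE
# suites in ciphers; nginx ssl_protocols TLSv1.2 TLSv1.3; and !kRSA appended to ssl_ciphers.
if __name__ == "__main__":
    print("tomcat", audit(*tomcat_tls_settings(TOMCAT_CONNECTOR)))
    print("nginx", audit(*nginx_tls_settings(NGINX_SERVER)))
```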

server {
    listen 80;
    server_name www.zhangzhixi.top; # replace with the domain the certificate is bound to
    rewrite ^(.*)$ https://$host$1; # redirect every HTTP request to HTTPS with the rewrite directive
    location / {
        index index.html index.htm;
    }
}

IV. Deploying the SSL certificate on Spring Boot

Here the downloaded JKS certificate is the one needed.

Reference post: https://cloud.tencent.com/developer/article/2022931

1. Put the certificate in the resources directory

2. Write the application.yml configuration

server:
  port: 443
  ssl:
    key-store: classpath:www.zhangzhixi.top.jks
    key-store-password: 1XwIUOHS
    keyStoreType: JKS

3. Add the following code to the Spring Boot main class

import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;

// Extra plain-HTTP connector on port 80; requests that require confidentiality are redirected to 443.
@Bean
public Connector connector() {
    Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    connector.setScheme("http");
    connector.setSecure(false);
    connector.setPort(80);
    connector.setRedirectPort(443);
    return connector;
}

// Embedded Tomcat factory that marks every URL as CONFIDENTIAL, so HTTP requests arriving on the
// extra connector are redirected to the HTTPS port configured in application.yml.
@Bean
public TomcatServletWebServerFactory tomcatServletWebServerFactory(Connector connector) {
    TomcatServletWebServerFactory webServerFactory = new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.setUserConstraint("CONFIDENTIAL");
            SecurityCollection securityCollection = new SecurityCollection();
            securityCollection.addPattern("/*");
            securityConstraint.addCollection(securityCollection);
            context.addConstraint(securityConstraint);
        }
    };
    webServerFactory.addAdditionalTomcatConnectors(connector);
    return webServerFactory;
}

4. Package and deploy


Posted 2022-11-04 13:05 by Java小白的搬砖路