tomcat Https配置
本内容收集自网络
1、生成证书
keytool -genkey -alias tomcat -keyalg RSA -keystore /work/software/tomcat.keystore
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keypass wxjadm -validity 365 -keystore /work/software/tomcat.keystore
-storepass wxjadm
【说明】:-alias后面的别名可以自定义,-keypass指定证书密钥库的密码, -storepass和前面keypass密码相同,否则下面tomcat 配置https 会访问失败 -keystore指定证书的位置,密钥库名称可以自定义,这里是tomcat.keystore 3. 命令输入完成,回车之后,会提示你输入一些资料,见下图:
注意:第一个让你输入的“您的名字与姓氏是什么”,请必须输入在的服务端的域名
20171126013007961.png
密钥库口令:123456(这个密码非常重要)
名字与姓氏:192.168.0.110(以后访问的域名或IP地址,非常重要,证书和域名或IP绑定)
组织单位名称:anything(随便填)
组织名称:anything(随便填)
城市:anything(随便填)
省市自治区:anything(随便填)
国家地区代码:anything(随便填)
2、导出证书
keytool -export -alias tomcat -keystore /work/software/tomcat.keystore -file /work/software/tomcat.crt -storepass wxjadm
【说明】:-alias后面的名称要与生成证书的命令里面的alias的名称一致. –keystore后面指定证书存放的位置,这里我放在C盘根目录,同时证书名称要与【生成证书】对应的命令里的keystore名称一致.这里是tomcat.keystore,-file后面才crt路径,我也指定在c盘根目录. –storepass的证书密码要与上面输入的密码一致.
另:客户端导入证书
keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file c:\tomcat.crt -alias tomcat
【说明】:-file指定证书的位置,也就是上一步导出证书的位置,即c:\ tomcat.crt 命令中指定了JAVA_HOME,意思是将证书导入到客户端证书库,也就是jdk证书库中.因为客户端应用运行在本地,需要jdk的支持。
回车之后,会让你输入密钥库口令,注意,这里的密码必须要输入changeit,不能输入上面指定的密码wxjadm,切记,否则导入客户端证书会有问题,如果是多台机器演示,需要在每一台客户端导入该证书,步骤都是一样的。当看到提示“是否信任此证书”,输入y回车即可,见下图:(说明,命令中的-alias后面的别名可以自定义,如果出现【证书未导入,别名<***>已经存在】的错误,该意思是说客户端的密钥库中已经存在该别名证书了,重新指定其他别名即可.)
3、配置server.xml
<!--
<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
-->
<!--注释之前的配置-->
<!--
<Connector port="7182" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<Connector port="7182" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/work/software/tomcat.keystore"
keystorePass="wxjadm" />
其他方式:
<!--老版本tomcat的配置,在tomcat8下测试成功-->
<Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/test.keystore"
keystorePass="123456"/>
<!--新版本tomcat的配置,在tomcat9下测试成功-->
<Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/test.keystore" certificateKeystorePassword="123456" />
</SSLHostConfig>
</Connector>
Nginx 配置
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
##cache##
proxy_connect_timeout 5;
proxy_read_timeout 60;
proxy_send_timeout 5;
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_temp_path /home/temp_dir;
proxy_cache_path /home/cache levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=30g;
##end##
#服务器的集群
upstream mp.com{ #服务器集群名字
#ip_hash;
server 172.20.55.97:7182 weight=10;#服务器配置 weight是权重的意思,权重越大,分配的概率越大。
#server 172.20.55.97:8080 weight=2;
}
server {
listen 7001;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
#location / {
# root html;
# index index.html index.htm;
#}
location /mp {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
index index.html;
proxy_pass http://mp.com;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
Nginx Https配置
简单步骤
首先执行如下命令生成一个key
openssl genrsa -des3 -out ssl.key 1024
然后他会要求你输入这个key文件的密码。不推荐输入。因为以后要给nginx使用。每次reload nginx配置时候都要你验证这个PAM密码的。
由于生成时候必须输入密码。你可以输入后 再删掉。
mv ssl.key xxx.key
openssl rsa -in xxx.key -out ssl.key
rm xxx.key
然后根据这个key文件生成证书请求文件
openssl req -new -key ssl.key -out ssl.csr
以上命令生成时候要填很多东西 一个个看着写吧(可以随便,毕竟这是自己生成的证书)
最后根据这2个文件生成crt证书文件
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
这里365是证书有效期 推荐3650哈哈。这个大家随意。最后使用到的文件是key和crt文件。
如果需要用pfx 可以用以下命令生成
openssl pkcs12 -export -inkey ssl.key -in ssl.crt -out ssl.pfx
在需要使用证书的nginx配置文件的server节点里加入以下配置就可以了。
ssl on;
ssl_certificate /home/ssl.crt;
ssl_certificate_key /home/ssl.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
然后重启nginx就大功告成了
https://www.cnblogs.com/lihuang/articles/4205540.html
1、生成自签名证书 需安装OpenSSL
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
说明:需要依次输入国家,地区,城市,组织,组织单位,Common Name和Email。其中Common Name,可以写自己的名字或者域名,如果要支持https,Common Name应该与域名保持一致,否则会引起浏览器警告。
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tomcat
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:xxx@163.com
删除私钥中的密码
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
生成
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Nginx开启SSL模块
#未开启
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
查看是否已开启
./sbin/nginx -V
#默认不开启
--prefix=/usr/local/nginx --with-http_stub_status_module
新配置、并示例使用普通用户安装nginx
./configure \
--prefix=/work/software/nginx \
--user=appadmin \#普通用户
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_realip_module \
然后make
make
这里不要进行make install,否则就是覆盖安装
因为使用的是普通用户方式安装,需要进行如下操作
cd /work/software/nginx/sbin
sudo chown root nginx
sudo chmod +s nginx
配置nginx.conf
server {
# listen 7001 default ssl;
listen 7001;
server_name localhost;
#ssl on;把ssl on;这行去掉,ssl写在443端口后面。这样http和https的链接都可以用
ssl_certificate /work/software/server.crt;
ssl_certificate_key /work/software/server.key;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log logs/host.access.log main;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
#location / {
# root html;
# index index.html index.htm;
#}
location /mp {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
index index.html;
proxy_pass https://mp.com;
#proxy_pass http://mp;
}
参考配置:
...
#服务器的集群
upstream tomcats { #服务器集群名字
server 127.0.0.1:8080 weight=10;#服务器配置 weight是权重的意思,权重越大,分配的概率越大。
#server 127.0.0.1:28080 weight=2;
}
server {
listen 443;
server_name www.xxx.com;
ssl on;
ssl_certificate /usr/local/cert/证书名.pem;
ssl_certificate_key /usr/local/cert/证书名.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#添加下面这条代码
#rewrite ^(.*)$ https://$host$1 permanent; #用于将http页面重定向到https页面
location / {
root html;
proxy_pass http://tomcats;
index index.html index.htm;
}
}
...
Nginx SSL性能调优
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
报错:
