大佬教程收集整理的这篇文章主要介绍了Tomcat 实现 HTTPS 访问,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
本文转载自:https://blog.51cto.com/guoxh/2103315
httpS,在http下加了一层SSL,用于安全的http数据传输,对于数据敏感的网址必须要使用httpS协议,本文将介绍如何快速安装tomcat,并实现httpS访问。
安装tomcat必须得有java环境,所以先安装JDK;
[root@node1 ~]# rpm -ivh jdk-8u161-linux-x64.rpm
Preparing... ########################################### [100%]
1:jdk1.8 ########################################### [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
[root@node1 ~]#
[root@node1 ~]# cat /etc/profile.d/java.sh
export JAVA_HOME=/usr/java/latest
export PATH=$JAVE_HOME/bin:$PATH
[root@node1 ~]#
[root@node1 ~]# . /etc/profile.d/java.sh
[root@node1 ~]# java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12,mixed modE)
[root@node1 ~]#
[root@node1 ~]# tar -zxf apache-tomcat-8.0.50.tar.gz -C /usr/local/
[root@node1 ~]# ln -s /usr/local/apache-tomcat-8.0.50/ /usr/local/tomcat
[root@node1 ~]# cat /etc/profile.d/tomcat.sh
export CATALINA_HOME=/usr/local/tomcat
export PATH=$CATALINA_HOME/bin:$PATH
[root@node1 ~]# . /etc/profile.d/tomcat.sh
[root@node1 ~]# catalina.sh version
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/latest
Using CLAsspATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Server version: Apache tomcat/8.0.50
Server built: Feb 7 2018 20:06:05 UTC
Server number: 8.0.50.0
OS Name: Linux
OS Version: 2.6.32-642.6.2.el6.x86_64
Architecture: amd64
JVM Version: 1.8.0_161-b12
JVM vendor: Oracle Corporation
[root@node1 ~]#
[root@node1 ~]# catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/latest
Using CLAsspATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
tomcat started.
tomcat默认端口为8080,所以访问时使用IP+8080访问即可;
★ 到这里,tomcat就安装完成了,但是只是默认环境,还需要根据需求自定义配置;
到自己的域名解析商处,添加一条A记录指向你的服务器IP即可;
使用刚才添加的域名申请一个SSL证书;
这边介绍一个生产开发环境证书的方式:使用 Java 提供的工具:keytool
keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "d:\tomcat.keystore"
在tomcat目录新建一个ssl目录,将证书文件上传到这个目录;
[root@node1 ~]# cd /usr/local/tomcat/
[root@node1 tomcat]# mkdir ssl
[root@node1 tomcat]# rz
VIM打开server.xml,添加ssl连接器,在8080端口连接器下面添加如下配置:
<Connector port="443" protocol="http/1.1" SSLEnabled="true"
maxThreads="150" scheR_216_11845@e="https" secure="true"
keystoreFile="/usr/local/tomcat/ssl/YourDomain.jks"
keystorePass="SSLPass"
clientAuth="false" sslProtocol="TLS" />
注意:
keystoreFile :证书存放目录,可以写绝对路径或tomcat相对路径;
keystorePass:证书私钥密码;
<ENGIne name="Catalina" defaultHost="localhost">
## 这里指定的localhost是默认HOST的名称,修改为证书绑定的域名即可
<!--For clustering,please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourcename="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
### 将这里的localhost修改Wie刚才添加解析的域名即可,且必须与证书的通用名称保持一致
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve,share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
★这里只需要将里两个localhost修改为证书绑定域名即可,也就是是将该域名与此HOST绑定;
[root@node1 tomcat]# catalina.sh stop
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/latest
Using CLAsspATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
[root@node1 tomcat]# catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/latest
Using CLAsspATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
tomcat started.
[root@node1 tomcat]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 127.0.0.1:8005 *:*
LISTEN 0 100 *:8009 *:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 100 *:443 *:*
[root@node1 tomcat]#
使用https://YourDomain/ 来访问;
上面我们实现了httpS访问,但是客户使用http访问,还是会走http协议,依然是不安全的,没有达到我们的需求,下面配置http自动跳转到httpS;
在后面,也就是倒数第二行里,加上如下配置:
<login-config>
<!-- Authorization setTing for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-consTraint>
<!-- Authorization setTing for SSL -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-consTraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-consTraint>
</security-consTraint>
修改非SSL连接器的请求跳转到SSL连接器上,修改如下配置:
原来为:
<Connector port="8080" protocol="http/1.1"
connectionTimeout="20000"
redirectPort="8443" />
修改为:
<Connector port="80" protocol="http/1.1"
connectionTimeout="20000"
redirectPort="443" />
★将默认8080端口修改为80端口,访问时就不需要加8080端口了,因为http协议默认走的是80端口;
★将8443端口修改为443端口,意思是来自80端口的请求都跳转至443端口;
[root@node1 conf]# catalina.sh stop
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/latest
Using CLAsspATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
[root@node1 conf]# catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/latest
Using CLAsspATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
tomcat started.
查看端口,发现原来监听的8080端口已经没在了,而是监听的我们上面修改的80端口;
[root@node1 conf]# ss -nlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 *:8009 *:*
LISTEN 3 100 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 100 *:443 *:*
[root@node1 conf]#
这里我们使用linux下的curl命令测试,能更直观的看到跳转效果;
[root@node1 ~]# curl http://YourDomain/ -I
http/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu,01 Jan 1970 08:00:00 CST
LOCATIOn: https://YourDomain/
transfer-encoding: chunked
Date: Fri,13 Apr 2018 16:06:04 GMT
★ 到这里,tomcat配置http自动跳转httpS就已经完成了~
以上是大佬教程为你收集整理的Tomcat 实现 HTTPS 访问全部内容,希望文章能够帮你解决Tomcat 实现 HTTPS 访问所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。