近日,帮一个朋友配置一台服务器,在该服务器上启动一个Tomcat运行两个应用,分别对应两个域名:www.domain1.com 和 www.domain2.cn ,对于http协议(80端口),只要配置Tomcat的虚拟主机就可以了。
但朋友为了数据的安全性,分别为每个域名购买了一个CA证书。这就要求在一个Tomcat上配置两个证书。在网上搜了好久,没见有相同的案例。只查到有人说了两种办法:
一、两个域名使用不同的HTTPS端口,比如:www.domain1.com使用443端口,www.domain2.cn 使用8443端口,这种方式对于测试可以,但用于生产环境,要求普通用户在输入地址时还要输入端口8443,不方便不说,有些用户还不懂。所以这种方案只能暂时放弃。
二、使用两个公网IP,每个域名对应一个IP,这样就可以使每个域名都使用443作为HTTPS的端口,方便用户使用。但没有查到实际的配置案例。
既然没有案例,那就自己动手,开始尝试。经过N次尝试之后,终于配置成功。为了防止忘记,也为了方便别人,把配置文件贴出来。为了减少篇幅,把大部分注释删除了。
- <?xml version="1.0" encoding="UTF-8"?>
- <Server port="8005" shutdown="SHUTDOWN">
- <!-- Comment these entries out to disable JMX MBeans support used for the administration web application -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
- <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
- <!-- Global JNDI resources -->
- <GlobalNamingResources>
- <!-- Test entry for demonstration purposes -->
- <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users -->
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
- <!-- Define the Tomcat Stand-Alone Service -->
- <Service name="Catalina">
- <!-- Define a non-SSL HTTP/1.1 Connector on port 80 -->
- <Connector port="80" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" redirectPort="8443" acceptCount="100"
- connectionTimeout="20000" disableUploadTimeout="true" />
- <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
- <Connector port="443" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
- keystoreFile ="D:/certs/mydomain1.com_keystore.jks" keystorePass="www.mydomain1.com" keystoreType="JKS"
- truststoreFile="D:/certs/mydomain1.com_keystore.jks" truststorePass="www.mydomain1.com" truststoreType="JKS"
- address="xxx.xxx.2.83"
- />
- <Connector port="443" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
- keystoreFile ="D:/certs/mydomain2.cn_keystore.jks" keystorePass="www.mydomain2.cn" keystoreType="JKS"
- truststoreFile="D:/certs/mydomain2.cn_keystore.jks" truststorePass="www.mydomain2.cn" truststoreType="JKS"
- address="xxx.xxx.2.81"
- />
- <!-- Define an AJP 1.3 Connector on port 8009 -->
- <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
- <!-- Define the top level container in our container hierarchy -->
- <Engine name="Catalina" defaultHost="localhost">
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
- <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
- </Host>
- <Host name="xxx.xxx.2.81" appBase="D:/mydomain2/webapp" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
- <Alias>mydomain2.cn</Alias>
- <Alias>www.mydomain2.cn</Alias>
- </Host>
- <Host name="xxx.xxx.2.83" appBase="D:/mydomain1/webapp" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
- <Alias>mydomain1.com</Alias>
- <Alias>tax.mydomain1.com</Alias>
- <Alias>www.mydomain1.com</Alias>
- <Alias>www.mydomain1.cn</Alias>
- <Alias>mydomain1.cn</Alias>
- </Host>
- </Engine>
- </Service>
- </Server>
注意两个Port="443"的Connector配置,最后面的address参数是关键,如果不加address,那么Tomcat将会报错,说443端口已被使用。其他的配置信息,网络上都能找到例子或说明,就不多做说明了。