HTTPS (Hypertext Transfer Protocol Secure), also called HTTP over TLS, HTTP over SSL or HTTP Secure, is a secure transport protocol: on top of plain HTTP, which is unencrypted, it uses SSL/TLS to encrypt the packets and provide a secure, trustworthy request/response service.
Most major platforms' websites already support HTTPS well, and HTTPS is clearly where things are heading. Some HTTPS sites you see every day:
- 12306 https://www.12306.cn
- Baidu https://www.baidu.com/
- QQ https://www.qq.com/
- and others
This post uses the JDK's own keytool to generate and issue a (self-signed) certificate for free test use. For production you can apply for a certificate from a CA reseller; certificates cost money, roughly a few thousand to over ten thousand RMB per year depending on your situation.
Demo environment
Common certificate file formats
- JKS (.keystore)
- Microsoft (.pfx)
- PEM (.key + .crt)
Tomcat uses the JKS format and Nginx uses PEM, so mind which one you need.
Generating a JKS certificate
Demo path: E:\https. Unzip the downloaded Tomcat there for testing:
- apache-tomcat-8.5.20
Let's issue a certificate for Alipay valid for 100 years (Jack Ma said they'd fight for 100 years, at least, so let's set him up): the keystore is alipay.keystore and the keystore password is alibaba. The command:
keytool -genkey -v -alias alipayKey -keyalg RSA -validity 36500 -keystore E:\https\alipay.keystore
What the options mean:
- alias: the alias of the key entry, alipayKey
- keyalg: the key algorithm, RSA
- validity: validity period in days, 36500 = 100 years
- keystore: where the keystore is written, E:\https\alipay.keystore
Other options
Use -help to get the full option help:
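The command above prompts interactively for the distinguished name and passwords. The following script, an added example that is not from the original post, builds the same keytool command non-interactively and then verifies the result with keytool -list and exports the certificate as PEM. keytool is assumed to be on PATH; the -dname value and the SAN entries (dns:localhost, ip:127.0.0.1) are placeholders for the demo, not values from the post.

```python
"""Drive keytool non-interactively to create the alipay.keystore from the post.

Assumptions: a JDK's keytool is on PATH; the -dname and SAN values are
placeholders chosen for this demo.
"""
import shutil
import subprocess
from pathlib import Path

STOREPASS = "alibaba"   # keystore password used in the post
ALIAS = "alipayKey"     # entry alias used in the post


def genkeypair_cmd(keystore, alias=ALIAS, storepass=STOREPASS, validity_days=36500,
                   dname="CN=localhost, O=alipay-demo, C=CN",
                   san="dns:localhost,ip:127.0.0.1"):
    """Build the keytool -genkeypair command as an argv list.

    Passing a list to subprocess sidesteps the cmd.exe/bash quoting pitfalls
    around the -dname value. -storepass/-keypass/-dname skip the interactive
    prompts; -ext SAN= puts the host name into a Subject Alternative Name, which
    browsers require (a CN on its own is no longer accepted for host matching).
    """
    return [
        "keytool", "-genkeypair", "-v",
        "-alias", alias,
        "-keyalg", "RSA", "-keysize", "2048",
        "-validity", str(validity_days),
        "-keystore", str(keystore), "-storetype", "JKS",   # Tomcat expects JKS
        "-storepass", storepass,
        "-keypass", storepass,   # same as the store password: Tomcat's
                                 # certificateKeyPassword defaults to it
        "-dname", dname,
        "-ext", f"SAN={san}",
    ]


def list_cmd(keystore, storepass=STOREPASS):
    """keytool -list -v shows the alias, validity and certificate fingerprints."""
    return ["keytool", "-list", "-v", "-keystore", str(keystore), "-storepass", storepass]


def export_pem_cmd(keystore, out_pem, alias=ALIAS, storepass=STOREPASS):
    """Export the self-signed certificate as PEM so it can be added to a local trust store."""
    return ["keytool", "-exportcert", "-rfc", "-alias", alias,
            "-keystore", str(keystore), "-storepass", storepass, "-file", str(out_pem)]


def generate_and_verify(keystore, out_pem):
    """Generate (if needed), list and export; return the listing, or None without a JDK."""
    if shutil.which("keytool") is None:
        return None
    keystore = Path(keystore)
    if not keystore.exists():   # keytool refuses to add an alias that already exists
        subprocess.run(genkeypair_cmd(keystore), check=True, capture_output=True, text=True)
    listing = subprocess.run(list_cmd(keystore), check=True,
                             capture_output=True, text=True).stdout
    subprocess.run(export_pem_cmd(keystore, out_pem), check=True,
                   capture_output=True, text=True)
    return listing


if __name__ == "__main__":
    out = generate_and_verify("alipay.keystore", "alipay.crt")
    print(out if out is not None else "keytool not found on PATH; install a JDK first")
```

Run it in the E:\https directory and it leaves alipay.keystore and alipay.crt behind; the PEM file is what you import into the OS or browser trust store if you would rather have a clean lock icon than click through the warning each time.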
E:\https>keytool -genkeypair -help
keytool -genkeypair [OPTION]...
生成密钥对
选项:
-alias <alias> 要处理的条目的别名
-keyalg <keyalg> 密钥算法名称
-keysize <keysize> 密钥位大小
-sigalg <sigalg> 签名算法名称
-destalias <destalias> 目标别名
-dname <dname> 唯一判别名
-startdate <startdate> 证书有效期开始日期/时间
-ext <value> X.509 扩展
-validity <valDays> 有效天数
-keypass <arg> 密钥口令
-keystore <keystore> 密钥库名称
-storepass <arg> 密钥库口令
-storetype <storetype> 密钥库类型
-providername <providername> 提供方名称
-providerclass <providerclass> 提供方类名
-providerarg <arg> 提供方参数
-providerpath <pathlist> 提供方类路径
-v 详细输出
-protected 通过受保护的机制的口令
使用 "keytool -help" 获取所有可用命令
More keytool commands
You can get them with -help, or read the official documentation:
- keytool
E:\https> keytool -help
密钥和证书管理工具
命令:
-certreq 生成证书请求
-changealias 更改条目的别名
-delete 删除条目
-exportcert 导出证书
-genkeypair 生成密钥对(早期的版本使用genkey, 推荐使用genkeypair)
-genseckey 生成密钥
-gencert 根据证书请求生成证书
-importcert 导入证书或证书链
-importpass 导入口令
-importkeystore 从其他密钥库导入一个或所有条目
-keypasswd 更改条目的密钥口令
-list 列出密钥库中的条目
-printcert 打印证书内容
-printcertreq 打印证书请求的内容
-printcrl 打印 CRL 文件的内容
-storepasswd 更改密钥库的存储口令
使用 "keytool -command_name -help" 获取 command_name 的用法
When generating a key pair, use -genkeypair; -genkey still works but is the older name, so use -genkeypair from now on. Quoting the official documentation:
This command was named -genkey in earlier releases. The old name is still supported in this release. The new name, -genkeypair, is preferred going forward.
Configuring the certificate in Tomcat
Step 1: upload the certificate
Upload the generated keystore, alipay.keystore, to the tomcat/conf directory on the test server.
Step 2: configure Tomcat
Open tomcat/conf/server.xml and first copy it to server.xml.bak (always back up before editing so you don't plant a mine for yourself). We change three places.
① Find the default 8080 connector:
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
Change the ports:
- 8080 -> 80
- 8443 -> 443
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
Note that this connector carries executor="tomcatThreadPool", copied from the shared-thread-pool example in the stock server.xml, where the matching Executor element is commented out. Either uncomment that Executor or drop the executor attribute, so the connector does not refer to a thread pool that is never defined.
② Find the 8443 connector configuration:
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
Uncomment it and make these changes:
- 8443 -> 443
- SSLHostConfig changes:
  certificateKeystoreFile: point it at the keystore, conf/alipay.keystore
  certificateKeystorePassword: add the keystore password, alibaba
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/alipay.keystore"
                         certificateKeystorePassword="alibaba"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Keep in mind that the keystore password now sits in clear text in server.xml, so restrict read access to conf/ to the account Tomcat runs as.
③ Find the 8009 AJP connector:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Change it as follows:
- 8443 -> 443
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
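Three hand edits in a large XML file are easy to get slightly wrong, so here is a small consistency check for the edited server.xml. This is an added example, not code from the post or from Tomcat; it uses only the Python standard library. The two sample documents in it are constructed for the demo: BAD_SERVER_XML reproduces the two slips that the steps above invite (an executor attribute pointing at the commented-out Executor, and the keystore password left out of Certificate), GOOD_SERVER_XML is the corrected form.

```python
"""Consistency lint for the TLS-related parts of a Tomcat server.xml (standard library only)."""
import xml.etree.ElementTree as ET

# Constructed sample: the three edits from the post, with two common slips.
BAD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/alipay.keystore" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>
"""

# Same document with the Executor uncommented and the keystore password added.
GOOD_SERVER_XML = (
    BAD_SERVER_XML
    .replace("<!--\n    <Executor", "<Executor")
    .replace('minSpareThreads="4"/>\n    -->', 'minSpareThreads="4"/>')
    .replace('certificateKeystoreFile="conf/alipay.keystore" type="RSA" />',
             'certificateKeystoreFile="conf/alipay.keystore"\n'
             '                     certificateKeystorePassword="alibaba" type="RSA" />')
)


def lint_server_xml(xml_text, tls_port="443"):
    """Return a list of problems; an empty list means the TLS setup is consistent.

    Checks: exactly the things the three edits touch. A TLS connector exists on
    tls_port with a Certificate that names both keystore file and password, every
    plain connector's redirectPort points at tls_port, and every executor attribute
    names an Executor that is actually defined (XML comments are ignored by the
    parser, so a commented-out Executor does not count).
    """
    root = ET.fromstring(xml_text)
    problems = []
    for service in root.iter("Service"):
        executors = {e.get("name") for e in service.findall("Executor")}
        connectors = service.findall("Connector")
        tls = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
        if not tls:
            problems.append('no Connector with SSLEnabled="true"')
        for c in tls:
            if c.get("port") != tls_port:
                problems.append(f"TLS connector listens on port {c.get('port')}, expected {tls_port}")
            certs = c.findall("SSLHostConfig/Certificate")
            if not certs:
                problems.append("TLS connector has no SSLHostConfig/Certificate")
            for cert in certs:
                for attr in ("certificateKeystoreFile", "certificateKeystorePassword"):
                    if not cert.get(attr):
                        problems.append(f"Certificate is missing {attr}")
        for c in connectors:
            if c not in tls and c.get("redirectPort") != tls_port:
                problems.append(f"connector on port {c.get('port')} has "
                                f"redirectPort={c.get('redirectPort')}, expected {tls_port}")
            executor = c.get("executor")
            if executor and executor not in executors:
                problems.append(f"connector on port {c.get('port')} references "
                                f"undefined executor '{executor}'")
    return problems


def lint_server_xml_file(path, tls_port="443"):
    """Lint a real server.xml; reading bytes keeps the encoding declaration valid."""
    with open(path, "rb") as f:
        return lint_server_xml(f.read(), tls_port)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = lint_server_xml_file(target) if target else lint_server_xml(BAD_SERVER_XML)
    print("\n".join(found) if found else "server.xml looks consistent")
```

Run it as python lint_server_xml.py tomcat/conf/server.xml after step 2; with no argument it lints the constructed bad sample and reports the missing password and the dangling executor reference.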
Step 3: restart Tomcat
bin/startup.bat
Once it is up, visit: https://localhost
Because the certificate was not issued by a recognised CA, the browser treats it as unknown and warns of a security risk. For this test, click Advanced and proceed:
With that we have configured a free SSL certificate and HTTPS works. You can also inspect the certificate through the browser's "Not secure" indicator:
See, Jack Ma, valid for 100 years. That is the quick first demo of configuring a certificate in Tomcat. In production, people generally buy from a third-party commercial CA (directly or through a reseller), who will also supply configuration documentation, so nobody gets lost; this write-up is here so later readers don't crash.
Things to watch in production:
Whether on a private or a public cloud, ports 80 and 443 must be allowed through the corresponding firewall and cloud security-group rules before the site is reachable.
1. Firewall
Normally, keep the server firewall on and add inbound and outbound allow rules for the ports you need.
2. Cloud servers: security groups
Besides the host firewall, the cloud security group also needs inbound and outbound allow rules for the ports.
PS:
If you want to skip straight to the result, use one of the options below. Since it is written up anyway, here it is, but I don't recommend it; after all, one step at a time, haha~
1. Download the already configured Tomcat directly
Netdisk: https://pan.baidu.com/s/1kJIlmqhxz3aY8ZiXJ-Hx3A
Extraction code: i5y9
2. Download server.xml and the alipay.keystore certificate
3. Ctrl+C, Ctrl+V: copy the configuration directly
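Instead of clicking through the warning, a better habit is to confirm that the certificate the server presents is the one you generated: keytool -list -v prints the SHA256 fingerprint of the alipayKey entry, and the script below fetches the leaf certificate from https://localhost and compares fingerprints. This is an added example, not code from the post; it uses only the Python standard library and assumes the host and port from the post (localhost, 443).

```python
"""Inspect the certificate a TLS server actually presents and compare it with keytool's fingerprint."""
import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-256 fingerprint, the format keytool -list -v prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_bytes).digest())


def fingerprint_matches(der_bytes, expected):
    """Compare with a fingerprint pasted from keytool output (any case, spaces ignored)."""
    return sha256_fingerprint(der_bytes) == expected.replace(" ", "").upper()


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch the server's leaf certificate (DER) without trusting it; we only inspect it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verification_status(host, port=443, timeout=5.0):
    """Do a normal verifying handshake and report why it fails for a self-signed certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted by the system trust store"
    except ssl.SSLCertVerificationError as exc:
        return f"not trusted: {exc.verify_message}"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    expected = sys.argv[2] if len(sys.argv) > 2 else None   # SHA256 value from keytool -list -v
    print(verification_status(host))
    der = fetch_leaf_cert(host)
    print("SHA256:", sha256_fingerprint(der))
    if expected:
        print("matches keytool:", fingerprint_matches(der, expected))
```

Against the self-signed keystore from this post the first line reports "not trusted" with the verifier's reason (self signed certificate), which is the same thing the browser is warning about; a fingerprint match then tells you it is your certificate and not something sitting between you and the server.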
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note: A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!-- Shared thread pool; the port-80 connector below refers to it via executor="tomcatThreadPool",
         so it must be defined (not commented out) -->
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <!-- <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" /> -->
    <!-- A "Connector" using the shared thread pool-->
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/alipay.keystore"
                     certificateKeystorePassword="alibaba"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request. The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase". Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm. -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
That's it for today; give a rose, and the fragrance lingers on your hand.
If you have ideas or feedback, send them to: datazhen. If you dare to ➕, I'm there, haha; there will be occasional livestreams, updates and newcomer-friendly content.
If you're interested in the videos, articles or topics shared, feel free to like, follow, save, share, comment or reply; I'll answer promptly when I see it... After all, that was a lot of typing and my hands are numb, so please look after me, haha...