证书处理（CA 下发的证书/私钥文件格式各不相同，转换方式也随之不同，请根据实际拿到的文件处理）：
# Bundle the private key and the full chain (leaf + intermediates) into one PKCS#12
# file for Tomcat. openssl prompts for an export password; that password is what goes
# into keystorePass on the Connector below.
# NOTE(review): OpenSSL 3.x writes PKCS#12 with AES-256-CBC/PBKDF2 by default, which
# older JVMs (before 8u301 / 11.0.12) cannot read — if Tomcat fails to open the .pfx,
# re-run with -legacy on OpenSSL 3. Verify against the JVM actually in use.
openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out ancient.pfx
如果 CA 直接下发的就是 .pfx（PKCS#12）文件，则无需执行上面的转换命令。
配置server.xml文件
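<!-- HTTPS connector for the case where Tomcat terminates TLS itself (no nginx in front).
     keystoreFile is the .pfx produced above; keystorePass is the export password given
     to openssl. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true" maxThreads="300" enableLookups="false"
           scheme="https" secure="true" acceptCount="200"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           compression="on" compressionMinSize="8192"
           keystoreFile="上面证书生成的文件.pfx" keystorePass="密码"
           keystoreType="PKCS12"/>
<!-- Notes:
     * keystoreType defaults to JKS; older JVMs will not open a .pfx through the JKS
       loader, so name the type explicitly.
     * sslEnabledProtocols restricts the handshake to TLS 1.2/1.3 (TLS 1.0/1.1 are
       deprecated by RFC 8996). Drop TLSv1.3 if the JVM predates it (before 8u261 / 11).
     * clientAuth="false" means the connector never asks the browser for a client
       certificate; a CLIENT-CERT <login-config> in web.xml only works with "want" or "true".
     * compression="on" over TLS exposes responses that mix secrets (session ids, CSRF
       tokens) with attacker-influenced content to BREACH-style attacks; disable it for
       such responses or keep it only for static content. -->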
配置web.xml文件
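<!-- <welcome-file-list>, <security-constraint> and <login-config> are all direct children
     of <web-app>; the original nested the latter two inside <welcome-file-list>, which is
     not valid web.xml. -->
<welcome-file-list>
  <welcome-file>index_default.html</welcome-file>
  <welcome-file>index_default.htm</welcome-file>
  <welcome-file>index_default.jsp</welcome-file>
</welcome-file-list>
<!-- Require HTTPS for every URL. A request arriving on a plain-HTTP connector is
     redirected to that connector's redirectPort. There is no <auth-constraint>, so this
     constraint does not require any login — CONFIDENTIAL only protects the transport. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- CLIENT-CERT is only consulted for resources that carry an <auth-constraint>; none do
     above, so as written this block is inert. To actually authenticate by client
     certificate, add an <auth-constraint> and have the connector request a certificate
     (clientAuth="want" or "true" — the connector above uses "false"). -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>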
nginx 配置：由 nginx 终止 TLS 并转发到 tomcat（这种方式下 tomcat 在 8888 端口提供普通 HTTP 服务）
修改nginx.conf文件:
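server
{
    listen 8443 ssl;
    server_name cnsgsy-test.efuncn.com;
    ssl_certificate ../cert/efuncn.com_bundle.crt;
    ssl_certificate_key ../cert/efuncn.com.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3. Drop TLSv1.3 if the
    # nginx/OpenSSL build predates it (nginx 1.13.0 / OpenSSL 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        # Tomcat serves plain HTTP on 8888. Bind that connector to loopback
        # (address="127.0.0.1") so that nothing but nginx can reach it; otherwise a
        # client that connects to 8888 directly can supply its own X-Forwarded-* headers.
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host:$server_port; # $server_port = the port nginx listens on (8443)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    access_log /home/wwwlogs/access.log;
}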
修改 tomcat 的 server.xml 文件，在 <Host> 标签内添加 RemoteIpValve（用于把 nginx 转发的 X-Forwarded-* 头还原为真实客户端地址和 https 协议）：
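<Host ...>  <!-- existing Host attributes unchanged -->
  <!-- Map nginx's X-Forwarded-For / X-Forwarded-Proto back onto the request so that
       getRemoteAddr(), getScheme()/isSecure() and getServerPort() report the real client
       and https:8443 instead of 127.0.0.1 and http:8888.
       Only headers from a source matching internalProxies are honoured. nginx proxies from
       127.0.0.1, so trust loopback only; the valve's default covers all RFC 1918 ranges,
       from which any other host on the LAN could present forged headers.
       Attribute values must not carry trailing "#" comments — that is not XML comment
       syntax and makes the file unparsable. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="8443"
         internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"/>
  <!-- httpsServerPort="8443" is the port nginx listens on. -->
</Host>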