Deployment note: the ICP filing for the domain has not been completed yet, so wherever the article below uses a domain name, substitute the server's public IP address.
Contents
- 1. Introduction
- 2. Prerequisites for installing a PFX-format certificate
- 3. Applying for a free SSL certificate on Alibaba Cloud
- 4. Downloading the Alibaba Cloud SSL certificate (.pfx + .txt)
- 5. Uploading the files to the Simple Application Server (Xftp)
- 6. Entering the Tomcat installation directory
- 7. Editing server.xml
- 8. Editing web.xml (optional)
- 9. Checking the configuration and service startup status
- 10. Testing the SSL certificate deployment in Google Chrome
- 11. Full contents of server.xml
- 12. Summary
1. Introduction
SSL certificates give websites, mobile apps, mini programs and similar platforms HTTPS-encrypted access, protecting data in transit.
This chapter describes deploying an SSL certificate for Tomcat 8.5.69 on an Alibaba Cloud Simple Application Server running Linux, so that the site hosted on Tomcat can be opened as "https://<domain>".
Tomcat must already be installed on the Linux server before the certificate can be deployed. The Tomcat installation tutorial is linked below (note: Tomcat also needs a JDK; that tutorial includes the JDK installation steps):
(Linux notes) CentOS 7.3 image + Tomcat 8.5.69 installation and deployment on Linux
CSDN link: https://blog.csdn.net/qq_39038178/article/details/119333721
2. Prerequisites for installing a PFX-format certificate
(1) The Alibaba Cloud SSL Certificates Service lets you download a certificate for installation on a Tomcat server. Tomcat accepts certificates in PFX and JKS format; pick whichever format suits your Tomcat version.
(2) OpenSSL is installed.
(3) Port 443 (the default HTTPS port) is open on the Tomcat server: the Simple Application Server's firewall rule or security group rule for HTTPS has been enabled.
(4) The certificate files the Tomcat server needs have been downloaded.
3. Applying for a free SSL certificate on Alibaba Cloud
The application is straightforward: each user gets one application quota and can be issued up to 20 free SSL certificates. Detailed steps for applying for a free Alibaba Cloud SSL certificate:
4. Downloading the Alibaba Cloud SSL certificate (.pfx + .txt)
(1) To download the certificate files: log in to Alibaba Cloud -> Console (top right) -> Products and Services -> SSL Certificates (Application Security) -> SSL Certificates -> Free Certificates -> Deploy (under Actions)
(2) Files to download: xxx.pfx (the keystore) and xxx.txt (the keystore password)
(3) Save the certificate files to the local Desktop
5. Uploading the files to the Simple Application Server (Xftp)
Open Xftp -> connect to the Alibaba Cloud server -> open the conf directory under the Tomcat installation path -> create a folder named cert -> upload the xxx.pfx keystore and the xxx.txt password file -> place them in the cert directory
6. Entering the Tomcat installation directory
(1) Get the full path of the certificate file with ls: ls /usr/java/tomcat/apache-tomcat-8.5.69/conf/cert/zs_linux_server.pfx. This path is needed when the certificate is configured in server.xml; right-click and copy it to your local machine so it can be pasted later.
(2) Read the SSL certificate password with cat (cd into the certificate directory first):
(3) Enter the Tomcat installation directory with cd: cd /usr/java/tomcat/apache-tomcat-8.5.69/
7. Editing server.xml
(1) From the Tomcat installation directory (or its conf directory), open the server.xml service configuration file: vim conf/server.xml
(2) Configure the server.xml parameters: locate the Service section and edit the parameters that follow "<Service name="Catalina">":
  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->
(3) Change the Connector port from "8080" to "80", and change its redirectPort from "8443" to the default SSL port "443", so that requests that require HTTPS are redirected to port 443.
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <!-- <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
(4) Change the Connector port from "8443" to "443", and add the SSL certificate parameters inside the <SSLHostConfig> tag (the full path of the xxx.pfx certificate, the password from xxx.txt, and the certificate type PKCS12). [For a xxx.jks certificate the corresponding type is RSA]
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/usr/java/tomcat/apache-tomcat-8.5.69/conf/cert/zs_linux_server.pfx"
                         certificateKeystorePassword="QWORqu7g"
                         certificateKeystoreType="PKCS12" />
        </SSLHostConfig>
    </Connector>
Parameter notes:
- <Connector port="443" ...>: 443 is the default HTTPS port, so the site can be opened by domain name without appending a port number.
- protocol="org.apache.coyote.http11.Http11NioProtocol": the Connector has two run modes (NIO and APR); NIO is selected here.
- maxThreads="150": maximum of 150 worker threads
- SSLEnabled="true": enables SSL/TLS on this connector
- <SSLHostConfig>: SSL certificate configuration
- <Certificate>: certificate parameters
- certificateKeystoreFile: full path of the SSL certificate file
- certificateKeystorePassword: password of the SSL certificate
- certificateKeystoreType: certificate type; for a .pfx certificate the type is PKCS12
(5) Below the default comment "<!-- Define an AJP 1.3 Connector on port 8009 -->", add the following, with redirectPort changed to 443 so that requests that require HTTPS are redirected to port 443.
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
Note: after configuring these three places, save server.xml and exit (Esc -> Shift+: (an ASCII colon) -> wq -> Enter)
8. Editing web.xml (optional)
(1) From the Tomcat installation directory (or its conf directory), open the web.xml configuration file, go to the closing </web-app> tag at the very bottom, and below the <welcome-file-list> block add the <security-constraint> shown here so that HTTP requests are redirected to HTTPS automatically:
    <!-- ==================== Default Welcome File List ===================== -->
    <!-- When a request URI refers to a directory, the default servlet looks  -->
    <!-- for a "welcome file" within that directory and, if present, to the   -->
    <!-- corresponding resource URI for display.                              -->
    <!-- If no welcome files are present, the default servlet either serves a -->
    <!-- directory listing (see default servlet configuration on how to       -->
    <!-- customize) or returns a 404 status, depending on the value of the    -->
    <!-- listings setting.                                                    -->
    <!--                                                                      -->
    <!-- If you define welcome files in your own application's web.xml        -->
    <!-- deployment descriptor, that list *replaces* the list configured      -->
    <!-- here, so be sure to include any of the default values that you wish  -->
    <!-- to use within your application.                                      -->

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <!-- HTTP automatically changes to HTTPS -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

</web-app>
Note: after adding the parameters, save web.xml and exit (Esc -> Shift+: (an ASCII colon) -> wq -> Enter)
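As an added check that is not part of this tutorial, the following Python script (standard library only) parses a server.xml and a web.xml and reports whether the edits from steps 7 and 8 fit together: the HTTP connector's redirectPort must name an SSLEnabled connector on 443, a .pfx keystore must be declared PKCS12, and web.xml must carry a CONFIDENTIAL transport guarantee for /*. It also flags an AJP connector configured without a secret, because Tomcat 8.5.51 and later default secretRequired to true and will not start such a connector unless secretRequired="false" is set; the sample XML is constructed to mirror the tutorial's three connectors, with a placeholder password.

```python
# Added example (not the tutorial's code): static checks for the server.xml and
# web.xml edits of steps 7 and 8. check_server_xml returns findings (empty = OK);
# check_web_xml is True when a CONFIDENTIAL transport guarantee covers /*.
import xml.etree.ElementTree as ET

local = lambda e: e.tag.rsplit("}", 1)[-1]  # strip the xmlns prefix conf/web.xml declares

def check_server_xml(xml_text):
    findings, ssl_ports, redirects, ajp = [], set(), [], []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled") == "true":
            ssl_ports.add(c.get("port"))
            cert = c.find("SSLHostConfig/Certificate")
            if cert is None or (cert.get("certificateKeystoreFile", "").endswith(".pfx")
                                and cert.get("certificateKeystoreType") != "PKCS12"):
                findings.append("connector %s: no Certificate or .pfx not PKCS12" % c.get("port"))
        elif c.get("protocol") == "AJP/1.3":
            ajp.append(c)
        else:  # plain HTTP connector; Tomcat's built-in redirectPort default is 443
            redirects.append(c.get("redirectPort", "443"))
    if "443" not in ssl_ports:
        findings.append("no SSLEnabled connector on 443")
    findings += ["redirectPort %s does not match an SSL connector" % rp
                 for rp in redirects if rp not in ssl_ports]
    for c in ajp:  # since 8.5.51 secretRequired defaults to true: no secret, no start
        if c.get("secretRequired") != "false" and not c.get("secret"):
            findings.append("AJP connector on %s has no secret" % c.get("port"))
    return findings

def check_web_xml(xml_text):
    for sc in ET.fromstring(xml_text).iter():
        if local(sc) != "security-constraint":
            continue
        patterns = [e.text for e in sc.iter() if local(e) == "url-pattern"]
        guarantees = [e.text for e in sc.iter() if local(e) == "transport-guarantee"]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False

# Constructed samples mirroring the tutorial's edits (placeholder password).
TUTORIAL_SERVER = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
<SSLHostConfig><Certificate certificateKeystoreFile="conf/cert/zs_linux_server.pfx"
certificateKeystorePassword="CHANGE_ME" certificateKeystoreType="PKCS12"/></SSLHostConfig>
</Connector><Connector port="8009" protocol="AJP/1.3" redirectPort="443"/></Service></Server>"""
TUTORIAL_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
<web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint></web-app>"""
```

Run against the tutorial's own AJP line the script reports exactly that one finding; when no AJP front end is in use, leaving the AJP connector commented out as shipped is the simplest remedy.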
9. Checking the configuration and service startup status
(1) Validate the XML syntax: once server.xml and web.xml are configured, first run "cd .." to return to the Tomcat installation root, then run bin/configtest.sh to check the configured XML files for syntax errors. No error output means the syntax check passed.
(2) Start the Tomcat service: bin/startup.sh
(3) Follow the Tomcat log to watch the service start: tailf logs/catalina.out. No errors in the log means the service started normally.
(4) Check what Tomcat is listening on: netstat -ntlp|grep <port>. If both port 443 and port 80 appear and both are in LISTEN state, the HTTP and HTTPS services are both listening.
(5) Check the response headers: curl -I http://www.xxx.com for the HTTP service, and curl -I https://www.xxx.com for the HTTPS service.
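To make the signals in steps (4) and (5) concrete, here is an added Python example (not from the tutorial) that interprets constructed netstat -ntlp and curl -I output: the deployment is healthy only when the java process owns both port 80 and port 443 in LISTEN state, and a plain-HTTP request is answered with a 3xx redirect whose Location is an https:// URL. The host name www.xxx.com, the PIDs and the timestamps in the samples are placeholders.

```python
# Added example (not the tutorial's code): interpret the output of the step 9
# checks offline. Both samples below are constructed, not captured from a server.
import re

# What `netstat -ntlp` should show once bin/startup.sh has run: 80 and 443 in
# LISTEN state and owned by the java process (8005 is Tomcat's shutdown port).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2873/java
tcp6       0      0 :::443                  :::*                    LISTEN      2873/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      2873/java
"""
# What `curl -I http://www.xxx.com` returns when the step 8 CONFIDENTIAL
# constraint is active: Tomcat redirects the plain-HTTP request to https.
CURL_SAMPLE = """\
HTTP/1.1 302
Location: https://www.xxx.com/
Transfer-Encoding: chunked
Date: Mon, 02 Aug 2021 08:00:00 GMT
"""

def listening_ports(netstat_output):
    """Map each LISTEN port to its program name, e.g. {'80': 'java', '22': 'sshd'}."""
    ports = {}
    for line in netstat_output.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)", line)
        if m:
            ports[m.group(1)] = m.group(2)
    return ports

def tomcat_listens_on_both(netstat_output):
    """True only if java owns both 80 (HTTP) and 443 (HTTPS); a 433 typo fails."""
    ports = listening_ports(netstat_output)
    return ports.get("80") == "java" and ports.get("443") == "java"

def redirects_to_https(curl_headers):
    """True if the plain-HTTP response is a 3xx whose Location starts with https://."""
    lines = curl_headers.strip().splitlines()
    status = re.match(r"HTTP/\d(?:\.\d)?\s+(3\d\d)\b", lines[0]) if lines else None
    if status is None:
        return False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip().lower().startswith("https://")
    return False
```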
10. Testing the SSL certificate deployment in Google Chrome
(1) In the address bar enter https://<domain>, replacing <domain> with your own registered domain, whose DNS records have already been set up in Alibaba Cloud DNS.
Key point: because HTTP-to-HTTPS redirection is configured here, entering either http://<domain> or https://<domain> ends up redirected to port 443, so this Tomcat instance effectively serves over HTTPS by default.
(2) Without the HTTP-to-HTTPS redirect, opening http://<domain> makes the browser flag the site as not secure, as shown here:
***That completes the deployment and testing: the site is now served securely over HTTPS. Nice~!~!~!***
11. Full contents of server.xml
The HTTP-to-HTTPS redirect block added at the end of web.xml is not reproduced here.
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!-- APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/usr/java/tomcat/apache-tomcat-8.5.69/conf/cert/zs_linux_server.pfx"
                         certificateKeystorePassword="QWORqu7g"
                         certificateKeystoreType="PKCS12" />
        </SSLHostConfig>
    </Connector>

    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
12. Summary
These are just my own study notes; please excuse any mistakes, and thank you~~~