1. Log in to Alibaba Cloud and apply for a free SSL certificate. Each account is limited to 20.
2. Wait for the review to pass, then download the corresponding certificate. The certificate types shown in the figure below are currently supported.
3. Taking Tomcat as the example
Modify server.xml as follows:
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <SSLHostConfig>
        <!-- for the .pfx file downloaded from Alibaba Cloud the keystore type is PKCS12 -->
        <Certificate certificateKeystoreFile="/home/tomcat/apache-tomcat-8.5.8/cert/aaa.pfx"
                     certificateKeystorePassword="xxxxx"
                     certificateKeystoreType="xxxx" />
    </SSLHostConfig>
</Connector>
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
4. Make the site redirect to HTTPS automatically by adding the following to web.xml. Tomcat performs this redirect through the connector's redirectPort, so the plain HTTP connector must also carry redirectPort="443", as the AJP connector above does.
<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
---------------------------------------- nginx ----------------------------------------
1. nginx was built without the ssl module
a. Check whether nginx has the ssl module (not installed in the figure): /usr/local/nginx/sbin/nginx -V
b. Run ./configure --with-http_ssl_module
c. Compile with make
d. Check again (nginx -V) that the ssl module is now present
2. Configure the SSL certificate
Certificate locations:
/usr/local/nginx/conf/dingdanys.com_bundle.pem
/usr/local/nginx/conf/dingdanys.com.key
Add the following configuration to nginx.conf:
server {
    listen 443 ssl default_server;
    # replace with your own domain
    server_name dingdanys.com www.dingdanys.com;
    # replace with your own file names (relative paths resolve against the conf directory)
    ssl_certificate dingdanys.com_bundle.pem;
    ssl_certificate_key dingdanys.com.key;
    ssl_session_timeout 5m;
    # note: TLSv1 and TLSv1.1 are deprecated; TLSv1.2 should be the minimum on new deployments
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    #charset koi8-r;
    #access_log logs/host.access.log main;

    location / {
        root /root/dingdang/houtai/h5;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 80;
    # replace with your own domain
    server_name dingdanys.com www.dingdanys.com;

    location / {
        root /root/dingdang/houtai/h5;
        index index.html index.htm;
        # redirect every HTTP request to HTTPS with the rewrite directive
        rewrite ^/(.*)$ https://www.dingdanys.com/#/$1 permanent;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
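Before pointing ssl_certificate and ssl_certificate_key at the downloaded files and reloading nginx, it is worth checking that the bundle and the key actually belong together, that the bundle contains the intermediate chain, and that the leaf certificate is not about to expire. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is installed and takes the bundle and key paths as arguments.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for the downloaded
# certificate bundle and private key before they are referenced from nginx.conf.
# Assumes the openssl CLI is installed; file paths are passed as arguments.

# Print the first PEM certificate block of a bundle (the leaf/server cert,
# which nginx expects first, followed by the intermediates).
leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {n++}
       n==1 {print}
       /-----END CERTIFICATE-----/ {if (n==1) exit}' "$1"
}

# 0 if the public key inside the leaf certificate equals the public key
# derived from the private key file (i.e. bundle and key belong together).
cert_key_match() {
  cert_pub=$(leaf_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  leaf_cert "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Number of certificates in the bundle (leaf + intermediates). A count of 1
# usually means the intermediate chain is missing and some clients will
# fail to validate the server.
bundle_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: sh check_cert.sh /usr/local/nginx/conf/dingdanys.com_bundle.pem /usr/local/nginx/conf/dingdanys.com.key
if [ "$#" -eq 2 ]; then
  cert_key_match "$1" "$2" && echo "OK: private key matches bundle" || echo "FAIL: key does not match bundle"
  cert_valid_for_days "$1" 30 && echo "OK: leaf cert valid for more than 30 days" || echo "WARN: leaf cert expires within 30 days"
  echo "certificates in bundle: $(bundle_cert_count "$1")"
fi
```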
Appendix:
Note: on Tencent Cloud and Alibaba Cloud the ports must be opened as well.
List open ports: firewall-cmd --list-ports
Open ports 80 and 443:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
Query port 443 (the result should be yes):
firewall-cmd --zone=public --query-port=443/tcp
Check whether the firewall is running (dead = not running, running = running):
systemctl status firewalld
Start the firewall:
systemctl start firewalld
Reload the firewall rules (required for --permanent changes to take effect):
firewall-cmd --reload
Stop the firewall temporarily:
systemctl stop firewalld
service iptables stop
Disable the firewall permanently:
systemctl disable firewalld
chkconfig iptables off