vim tomcat/conf/server.xml，按照如下配置 SSL 证书，启用 HTTPS：
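<?xml version='1.0' encoding='utf-8'?>
<!-- Shutdown port. Change it when several Tomcat instances run on the same machine. -->
<Server port="8006" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- SSLEngine="on" initialises the native (APR/OpenSSL) engine when tomcat-native is installed.
       NOTE(review): with the native library present, protocol="HTTP/1.1" may select the APR
       connector, which does not read the JSSE keystoreFile/keystorePass attributes used on the
       HTTPS connector below; confirm which connector implementation the startup log reports. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <!-- User database backing the UserDatabaseRealm below (conf/tomcat-users.xml). -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Plain HTTP. Change the port when several Tomcat instances run on the same machine.
         redirectPort must point at the HTTPS connector so CONFIDENTIAL constraints redirect there.
         NOTE(review): minProcessors, maxProcessors and maxSpareThreads look like pre-Tomcat 6
         attribute names; check the startup log for "Property ... not defined" warnings and drop
         them if they are ignored. -->
    <Connector port="8081" protocol="HTTP/1.1" maxHttpHeaderSize="8192"
               minProcessors="100" maxProcessors="5000" maxThreads="5000"
               minSpareThreads="1000" maxSpareThreads="4000" enableLookups="false"
               acceptCount="3500" disableUploadTimeout="true" connectionTimeout="180000"
               compression="on" compressionMinSize="2048"
               compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"
               URIEncoding="UTF-8" redirectPort="443"
               />

    <!-- HTTPS. When this connector is enabled, redirectPort on the HTTP and AJP connectors must be
         set to this port.
           port                 TLS port
           keystoreFile         path of the keystore holding the certificate
           keystorePass         keystore password (stored in clear text here: keep this file readable
                                only by the account Tomcat runs as)
           sslEnabledProtocols  protocol versions offered to clients; must be set explicitly when
                                clients call the HTTPS endpoints through HttpClient, otherwise their
                                handshake fails (plain HTTP endpoints keep working)
         Only TLSv1.2 is enabled: the previous list also offered SSLv2Hello, TLSv1 and TLSv1.1
         (deprecated protocol versions) and the token "SSL", which is not a JSSE protocol name.
         If a client cannot negotiate TLS 1.2, append the single older version it needs rather than
         restoring the whole list.
         Cipher suites are the same six as before, ECDHE suites listed first because the TLS_RSA_*
         suites provide no forward secrecy. -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="/home/program/tomcat7-1/ssl/ssl.jks" keystorePass="123456"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
               />

    <!-- AJP. Change the port when several Tomcat instances run on the same machine. -->
    <Connector port="8010" protocol="AJP/1.3" redirectPort="443" />

    <Engine name="Catalina" defaultHost="localhost">
      <!-- LockOutRealm wraps the user-database realm to lock accounts after repeated failures. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>

      <!-- Default host: receives every request whose Host header matches no other Host or Alias. -->
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
        <Context path="" docBase="/home/wwwroot/fank243.com"/>
      </Host>

      <!-- Site domain. NOTE(review): the Host name (fan243) differs from the Alias (fank243) by one
           letter; confirm this is intentional and not a typo. -->
      <Host name="www.fan243.com" appBase="/home/wwwroot/fank243.com" unpackWARs="true" autoDeploy="true">
        <!-- Additional domain names served by this host. -->
        <Alias>www.fank243.com</Alias>
        <Context path="" docBase="."/>
      </Host>

      <!-- Unwanted domain: create index.html under the "other" directory that redirects to
           www.fank243.com. NOTE(review): this Host only matches requests whose Host header is exactly
           www.baidu.com; any other unknown Host header is served by the default host above. -->
      <Host name="www.baidu.com" appBase="/home/wwwroot/other" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="."/>
      </Host>
    </Engine>
  </Service>
</Server>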
如果需要网站目录下所有请求都启用 HTTPS，vim tomcat/conf/web.xml，增加如下配置，该配置会将所有 HTTP 请求重定向到 HTTPS：
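<!-- Authentication method. NOTE(review): a login-config is only exercised for resources that carry
     an auth-constraint, and the constraint below has none, so this block does not gate access and
     is not needed for the HTTP-to-HTTPS redirect. CLIENT-CERT also expects the HTTPS connector to
     request client certificates, whereas server.xml sets clientAuth="false"; keep or remove it
     deliberately. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>

<!-- Force HTTPS for every URL: transport-guarantee CONFIDENTIAL makes Tomcat redirect plain-HTTP
     requests to the connector's redirectPort (443 in server.xml).
     No http-method elements are listed on purpose: a web-resource-collection that names methods
     applies only to those methods, so the earlier GET/POST list left HEAD, PUT, DELETE, OPTIONS and
     every other method unconstrained and still served over plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>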