Background: when a project is exposed to the public internet, integrates with external systems over HTTPS, or needs to keep plain HTTP while adding encrypted access, an HTTPS channel has to be added.
- HTTPS overview
HTTP (Hypertext Transfer Protocol) transmits in plaintext, so the transport is insecure; HTTPS encrypts the data while it is in transit, using the SSL protocol / TLS (Transport Layer Security) protocol.
- Main differences between HTTPS and HTTP
Using HTTPS requires applying to a certificate authority (CA) for an SSL certificate.
HTTP uses port 8080 by default, HTTPS uses port 8443 by default.
HTTPS is a secure transport protocol with SSL encryption; it encrypts the data in transit and is in effect an upgraded version of HTTP.
HTTP connections are stateless and insecure; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transport and identity authentication, and is more secure than HTTP.
- How an HTTPS request works
- One: WAR deployment, Tomcat's HTTPS support
1) Use the keytool utility in the JDK to generate a free keystore file (the certificate; in production this would be the certificate the company purchased officially).
keytool -genkey -alias lagou -keyalg RSA -keystore lagou.keystore
2) Configure conf/server.xml (the Connector attribute is scheme="https"; "schema" is not a valid attribute and would be silently ignored):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate
            certificateKeystoreFile="/Users/yingdian/workspace/servers/apache-tomcat8.5.50/conf/lagou.keystore" certificateKeystorePassword="lagou123" type="RSA"
        />
    </SSLHostConfig>
</Connector>
4) Access port 8443 over HTTPS (https://localhost:8443).
- Two: Spring Boot jar deployment, adding HTTPS support with Nginx
Prerequisites
A certificate has been purchased.
The certificate has been installed on the Java web server, so HTTPS is already supported there.
crt: the certificate; key: the private key; csr: the signing request file (plaintext information).
1. Nginx using the SSL certificate
1.1 Create an ssl folder under the Nginx directory, put the generated crt and key in it, and add the following to the configuration file
# edit the Nginx configuration file and install the SSL certificate
cd /etc/nginx/conf.d
vi default.conf
listen 443 ssl http2;                            # HTTPS listens on port 443 and works over HTTP/2
ssl_certificate /etc/nginx/ssl/nginx.crt;        # points to the crt file in the ssl folder
ssl_certificate_key /etc/nginx/ssl/nginx.key;    # points to the key file in the ssl folder
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# enable False Start acceleration
ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;
Then check the result again.
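Added example (not part of the original notes and not the project's own configuration): a small POSIX shell audit of a vhost snippet like the one above. It counts the legacy versions still listed in ssl_protocols (TLSv1 and TLSv1.1 here), checks whether the http-to-https return 301 redirect is active rather than commented out, and rewrites the protocol line to TLSv1.2/TLSv1.3. The sample config, the function names and the assumption of an nginx build against OpenSSL 1.1.1 or newer are mine.

```shell
#!/bin/sh
# Added audit helper (not from the original notes). It scans an nginx vhost
# snippet for two weak points present in the configuration above: legacy
# protocol versions in ssl_protocols, and an http-to-https redirect that is
# still commented out. Assumption: grep and sed with -E (extended regex).

# Constructed sample: a cut-down copy of the page's port-8080 and 443 server blocks.
SAMPLE_CONF='
server {
    listen 8080;
    server_name wo-sit.test-cignacmb.com;
    #return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
'

# Print how many legacy protocol tokens (SSLv3, TLSv1, TLSv1.1) appear on
# active (uncommented) ssl_protocols lines. 0 means only TLSv1.2+ is enabled.
count_legacy_protocols() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
      | grep -oE '(SSLv3|TLSv1(\.1)?)([[:space:];]|$)' \
      | wc -l | tr -d ' '
}

# Exit 0 when an uncommented "return 301 https://..." redirect exists, 1 otherwise.
has_active_redirect() {
    printf '%s\n' "$1" \
      | grep -qE '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://'
}

# Rewrite every active ssl_protocols line to TLSv1.2 and TLSv1.3 only
# (assumes an nginx build linked against OpenSSL 1.1.1 or newer).
harden_protocols() {
    printf '%s\n' "$1" \
      | sed -E 's/^([[:space:]]*ssl_protocols)[[:space:]].*/\1 TLSv1.2 TLSv1.3;/'
}

# Stand-alone run: report findings for the constructed sample.
echo "legacy protocol tokens: $(count_legacy_protocols "$SAMPLE_CONF")"
if has_active_redirect "$SAMPLE_CONF"; then
    echo "http-to-https redirect: active"
else
    echo "http-to-https redirect: MISSING (return 301 is commented out)"
fi
harden_protocols "$SAMPLE_CONF" | grep ssl_protocols
```

Point the functions at `$(cat /etc/nginx/conf.d/default.conf)` to audit a real file; the script only reads and prints, it never modifies the file.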
2.2 Start Nginx
# switch to the executable directory
cd /usr/sbin/
./nginx
# check that it is running
ps -ef|grep nginx
2.3 Test access
curl https://192.168.200.21
2.4 Add the certificate to the system trust store:
# install the ca-certificates package:
yum install ca-certificates
# enable the dynamic CA configuration feature:
update-ca-trust force-enable
# put the certificate file into the /etc/pki/ca-trust/source/anchors/ directory
mv /etc/pki/CA/cacert.pem /etc/pki/ca-trust/source/anchors/
# run the update:
update-ca-trust extract
2.5 Edit the local hosts file
cd /etc
vi hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.21 yj.com   # map the domain name to the IP
2.6 Access test: curl https://yj.com
2.7 Record of the actual configuration
In the ssl folder: server.key and server.pem
The detailed configuration is as follows
nginx.conf
include main.conf;
http {
include control.conf;
include vhost/*.outer;
}
main.conf
# can be changed to suit the environment, but the user must exist
user OPS_admin;
worker_processes 4;
# can be changed to suit the environment, but the directory must exist
error_log /admin/nginx/logs/error.log;
# make sure /etc/security/limits.conf is sensible
worker_rlimit_nofile 65535;
events {
use epoll;
worker_connections 20480;
}
control.conf
include mime.types;
log_format ZAWEB '$time_iso8601\t$request_uri\t$request_body\t$proxy_add_x_forwarded_for\t$upstream_addr\t$status\t$request_time\t$http_user_agent\t$host\t$request\t$http_referer\t$remote_addr\t$request_length\t$body_bytes_sent\t$http_cookie';
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
limit_req_zone $binary_remote_addr zone=one:20m rate=200r/s;
limit_req_log_level error;
sendfile on;
# ssl_session_cache shared:SSL:20m;
# ssl_session_timeout 10m;
gzip on;
gzip_types text/plain text/xml text/css application/x-javascript;
gzip_vary on;
gzip_comp_level 9;
client_max_body_size 100m;
underscores_in_headers on;
proxy_set_header X-Http-Scheme $scheme;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_connect_timeout 300;
proxy_read_timeout 300;
fastcgi_next_upstream error timeout http_500 http_503;
fastcgi_connect_timeout 30;
fastcgi_read_timeout 60;
send_timeout 60;
large_client_header_buffers 8 8K;
proxy_buffers 32 128K;
proxy_busy_buffers_size 128K;
proxy_buffer_size 128K;
fastcgi_buffers 32 128K;
vhost/*.outer
In the vhost folder: www.outer
upstream wo-client {
server 10.142.xxx.171:8080 max_fails=3 fail_timeout=20;
}
upstream wo {
server 10.142.xxx.171:8088 max_fails=3 fail_timeout=20;
}
server {
listen 8080;
server_name wo-sit.test-cignacmb.com;
#return 301 https://$host$request_uri;
include vhost/wo.inner;
# include vhost/stream.com;
}
server {
listen 8088;
server_name wo-sit-client.test-cignacmb.com;
#return 301 https://$host$request_uri;
include vhost/wo-client.inner;
# include vhost/stream-client.com;
}
server {
listen 443 ssl;
server_name wo-sit.test-cignacmb.com;
include vhost/https.wo-sit.test-cignacmb.com;
# include vhost/stream.com;
}
server {
listen 443 ssl;
server_name wo-sit-client.test-cignacmb.com;
include vhost/https.wo-sit-client.test-cignacmb.com;
# include vhost/stream-client.com;
}
##uat
server {
listen 8080;
server_name wo-uat.test-cignacmb.com;
#return 301 https://$host$request_uri;
include vhost/wo-uat.inner;
# include vhost/stream.com;
}
server {
listen 8088;
server_name wo-uat-client.test-cignacmb.com;
#return 301 https://$host$request_uri;
include vhost/wo-uat-client.inner;
# include vhost/stream-client.com;
}
server {
listen 443 ssl;
server_name wo-uat.test-cignacmb.com;
include vhost/https.wo-uat.test-cignacmb.com;
# include vhost/stream.com;
}
server {
listen 443 ssl;
server_name wo-uat-client.test-cignacmb.com;
include vhost/https.wo-uat-client.test-cignacmb.com;
# include vhost/stream-client.com;
}
Many files are involved in the configuration.
Configuration: https.wo-sit.test-cignacmb.com
[OPS_admin@szvmapwork02-sit vhost]$ cat https.wo-sit.test-cignacmb.com
#ssl on;
# certificate files
ssl_certificate ssl/server.pem;
ssl_certificate_key ssl/server.key;
# performance tuning
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70s;
# allow only TLS protocol versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSL cipher suite configuration
#ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_prefer_server_ciphers on;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Via "nginx";
location / {
proxy_pass http://10.142.xxx.171:8080; # package root directory
}
Configuration: https.wo-sit-client.test-cignacmb.com
[OPS_admin@szvmapwork02-sit vhost]$ cat https.wo-sit-client.test-cignacmb.com
#ssl on;
# certificate files
ssl_certificate ssl/server.pem;
ssl_certificate_key ssl/server.key;
# performance tuning
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70s;
# allow only TLS protocol versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSL cipher suite configuration
#ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_prefer_server_ciphers on;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Via "nginx";
location / {
proxy_pass http://10.142.xxx.171:8088; # package root directory
}
Configuration: https.wo-uat.test-cignacmb.com
[OPS_admin@szvmapwork02-sit vhost]$ cat https.wo-uat.test-cignacmb.com
#ssl on;
# certificate files
ssl_certificate ssl/server.pem;
ssl_certificate_key ssl/server.key;
# performance tuning
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70s;
# allow only TLS protocol versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSL cipher suite configuration
#ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_prefer_server_ciphers on;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Via "nginx";
location / {
proxy_pass http://10.142.xxx.197:8080; # package root directory
}
Configuration for the uat frontend: https.wo-uat-client.test-cignacmb.com
[OPS_admin@szvmapwork02-sit vhost]$ cat https.wo-uat-client.test-cignacmb.com
#ssl on;
# certificate files
ssl_certificate ssl/server.pem;
ssl_certificate_key ssl/server.key;
# performance tuning
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70s;
# allow only TLS protocol versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSL cipher suite configuration
#ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
ssl_prefer_server_ciphers on;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Via "nginx";
location / {
proxy_pass http://10.142.xxx.197:8088; # package root directory
}
Configuration: wo.inner
proxy_set_header Host $proxy_host;
proxy_next_upstream error http_500 http_502 http_503 http_504;
proxy_connect_timeout 300;
proxy_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 16 64k;
proxy_buffer_size 32k;
proxy_buffers 8 32k;
proxy_cache_methods POST;
add_header P3P "ZA-BACk";
location / {
proxy_pass http://10.142.xxx.171:8080;
}
Configuration: wo-client.inner
proxy_set_header Host $proxy_host;
proxy_next_upstream error http_500 http_502 http_503 http_504;
proxy_connect_timeout 300;
proxy_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 16 64k;
proxy_buffer_size 32k;
proxy_buffers 8 32k;
proxy_cache_methods POST;
add_header P3P "ZA-WEB";
location / {
proxy_pass http://10.142.xxx.171:8088;
}
Configuration: wo-uat-client.inner
proxy_set_header Host $proxy_host;
proxy_next_upstream error http_500 http_502 http_503 http_504;
proxy_connect_timeout 300;
proxy_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 16 64k;
proxy_buffer_size 32k;
proxy_buffers 8 32k;
proxy_cache_methods POST;
add_header P3P "ZA-WEB";
location / {
proxy_pass http://10.142.xxx.197:8088;
}
The above is a setup in which HTTP and HTTPS coexist; it has proven robust in practice.