Redirecting a web application from HTTP to HTTPS

According to what I found online, there are two ways to redirect HTTP to HTTPS:

1. After opening port 8443 or 443 in Tomcat, edit web.xml to configure the paths that must use HTTPS.

2. After opening port 8443 or 443 in Tomcat, create a Filter class that redirects HTTP requests to HTTPS.

The first method, which is the simpler HTTP-to-HTTPS configuration, is described below.

Step 1: Obtain a certificate (either self-signed or issued by a certificate authority; making a self-signed certificate is shown here)

(1) Generate the keystore file with the JDK keytool utility

keytool -genkeypair -alias "MyWebShell" -keyalg "RSA" -keystore "mywebshell.keystore"

(2) Export the certificate to a .crt file

keytool -export -alias MyWebShell -file mywebshell.crt -keystore mywebshell.keystore

(3) Import the certificate into a truststore

keytool -import -keystore mywebshell_cacerts -file mywebshell.crt

Note: be sure to write down the password set when generating the certificate; it is needed in the next step.

Reference link: tool for creating self-signed certificates

Step 2: Enable the HTTPS port in Tomcat (443 or 8443)

Adding the following to server.xml under Tomcat's conf folder opens port 443 or 8443:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="path to the mywebshell.keystore file" keystorePass="password set when generating the certificate" sslProtocol="TLS" />

The complete configuration is as follows (to serve two applications over HTTPS, configure two different HTTPS ports, 443 and 8443; otherwise one of the applications cannot be accessed normally):

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8088" protocol="HTTP/1.1"
               connectionTimeout="8000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="path to the keystore file" keystorePass="password set when generating the certificate" sslProtocol="TLS" />


    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">

        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
  <Service name="Catalina1">
    <!-- redirectPort must point at this Service's own TLS connector (443); a redirect to 8443
         would land on the "Catalina" Service, which serves a different appBase -->
    <Connector port="8099" protocol="HTTP/1.1"
               connectionTimeout="8000"
               redirectPort="443" />

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="path to the keystore file" keystorePass="password set when generating the certificate" sslProtocol="TLS" />

    <!-- a port can be bound only once, so this Service must not reuse AJP port 8009 from the
         first Service; 8019 is a placeholder, choose any free port -->
    <Connector port="8019" protocol="AJP/1.3" redirectPort="443" />

    <Engine name="Catalina1" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps1"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

With this in place, Tomcat's ports 8088, 8099 and 8443 can be accessed normally.
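Added example (not from the original post): a stdlib-only Python check that reads a server.xml and flags the two things that break a CONFIDENTIAL redirect in a two-Service layout, an HTTP or AJP connector whose redirectPort is not a TLS connector of its own Service, and a port declared by more than one connector. The embedded server.xml is a constructed sample modelled on the one above, not the post's exact file.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml above (not the post's exact file):
# Service "Catalina1" redirects 8099 to 8443, which belongs to "Catalina", and
# reuses AJP port 8009; both problems are flagged by the check below.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8088" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
  <Service name="Catalina1">
    <Connector port="8099" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""


def is_tls(connector):
    # Tomcat treats a connector as a TLS endpoint when SSLEnabled="true"
    return connector.get("SSLEnabled", "false").lower() == "true"


def check_connectors(server_xml):
    """Return findings; an empty list means every plain connector redirects to
    a TLS connector of its own Service and no port is declared twice."""
    root = ET.fromstring(server_xml)
    findings, bound = [], {}  # bound: port -> Service that first declared it
    for service in root.findall("Service"):
        name = service.get("name", "?")
        connectors = service.findall("Connector")
        # redirectPort must be a TLS port of the same Service (same Engine/Host/appBase)
        tls_ports = {c.get("port") for c in connectors if is_tls(c)}
        for c in connectors:
            port = c.get("port")
            if port in bound:
                findings.append("port %s in Service %s is already bound by Service %s"
                                % (port, name, bound[port]))
            bound.setdefault(port, name)
            if is_tls(c):
                continue
            redirect = c.get("redirectPort")
            if redirect is None:
                findings.append("Service %s: connector %s has no redirectPort, so a "
                                "CONFIDENTIAL constraint cannot redirect" % (name, port))
            elif redirect not in tls_ports:
                findings.append("Service %s: connector %s redirects to %s, which is not "
                                "a TLS connector of the same Service" % (name, port, redirect))
    return findings
```

Run `check_connectors(open("conf/server.xml").read())` against a real file; three findings come back for the constructed sample and none once the second Service redirects to 443 and uses a free AJP port.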

Step 3: Add the following to the web application's web.xml to configure the pages that must be accessed over HTTPS

<security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

Note: /* means every page of the application is forced to HTTPS.

The result after the configuration is complete is as follows:
