安裝SSL For Nginx/Tomcat

時間 2019-11-12

標籤安裝 ssl nginx tomcat 欄目 SSL 简体版

原文原文鏈接

安裝SSL For Nginx/Tomcat

Author by Leojavascript

生成證書

安裝OpenSSL
- https://www.openssl.org/source/openssl-1.1.0-pre5.tar.gz
生成服務器私有Key 推薦直接從eu服務器拷貝,不然生成key的全部問題都須要和公鑰保持一致(alias,password等等問題)
- EU : /home/security/wildcard/xxxx_net.key 全部服務器key都一致
導出Tomcat識別的p12證書
- openssl pkcs12 -export -clcerts -in 983e792300b2056e.crt -inkey xxxx_net.key -out tomcat.p12 導出文件爲tomcat的p12文件

安裝SSL到 Nginx

須要確保Nginx安裝了SSL的插件,不然須要重裝Nginx.css

修改conf文件

vim conf/nginx.conf

server {
    listen    443 ssl;
    server_name  xxxx;

    ssl on;
    ssl_certificate /home/security/wildcard/983e792300b2056e.crt(公鑰);
    ssl_certificate_key /home/security/wildcard/seoclarity_net.key(私鑰);
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2(支持的SSL協議版本);
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5(支持的密鑰加密算法);
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;(SSL認證緩存,提升效率)
    ssl_session_timeout 30m;
    ssl_buffer_size 1400;(緩存區)
    .....

重啓

./sbin/nginx -t
./sbin/nginx -s reload or ./sbin/nginx

安裝SSL到 Tomcat

進入Tomcat目錄
修改conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
              maxThreads="200" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
              keystoreType="PKCS12"
              keystoreFile="/home/ec2-user/ssl-Tomcat/tomcat.p12(上面生成的p12)"
              keystorePass="xxxx"
              truststoreType="PKCS12"
              truststoreFile="/home/ec2-user/ssl-Tomcat/tomcat.p12(上面生成的p12)"
              truststorePass="xxxx"
              compression="on"
              URIEncoding="UTF-8"
              compressionMinSize="2048"
              maxPostSize="0"
              noCompressionUserAgents="gozilla, traviata"
              compressableMimeType="text/html,text/xml,text/javascript,text/css,application/json"  />