tomcat 配置支持 ssl 附效果图

1、修改tomcat配置文件server.xml:

bash 复制代码
vim ./conf/server.xml

把配置文件:

bash 复制代码
	
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
   

禁用:

bash 复制代码
<!--
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
-->

2、server.xml单独开放一个端口,原来注释的,改造一下,并放出来:

bash 复制代码
    <Connector port="8088" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/youdomainfile.com.jks"
                         type="RSA"  certificateKeystorePassword="asdf2024" />
        </SSLHostConfig>
    </Connector>

3、server.xml中 AJP 1.3 Connector on port 8009相关

原来是注释的,我把他打开:

bash 复制代码
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8088" />
    

4、web.xml文件中:

原来末尾是:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
    		<web-resource-name>fortune</web-resource-name>
	    	<url-pattern>/*</url-pattern>
	    	<http-method>PUT</http-method>
	    	<http-method>DELETE</http-method>
	    	<http-method>HEAD</http-method>
	    	<http-method>OPTIONS</http-method>
	    	<http-method>TRACE</http-method>

		</web-resource-collection>
		<auth-constraint></auth-constraint>
	     </security-constraint>

      <login-config>
	        <auth-method>BASIC</auth-method>
      </login-config>
</web-app>

改成这样子:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
		<web-resource-name>fortune</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
		<http-method>HEAD</http-method>
		<http-method>OPTIONS</http-method>
		<http-method>TRACE</http-method>

         <web-resource-name >SSL</web-resource-name>
		<url-pattern>/*</url-pattern>

		</web-resource-collection>

		<user-data-constraint>
		    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	    </user-data-constraint>
		
<auth-constraint></auth-constraint>
	     </security-constraint>
             <login-config>
                <!--	<auth-method>BASIC</auth-method> -->
                <!-- Authorization setting for SSL -->
            	<auth-method>CLIENT-CERT</auth-method>
            	<realm-name>Client Cert Users-only Area</realm-name>

              </login-config>
</web-app>

上述即可实现用Ip的访问:http://10.10.8.91:8088/

如果出现提示,

复制代码
Bad Request
This combination of host and port requires TLS.

则用https访问即可,但是仍然有"不安全"的提示,

5、设置用域名即可完美实现安全访问:

5.1服务器端:

之前tomcat\conf\server.xml

bash 复制代码
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
  unpackWARs="true" autoDeploy="true">

改成:

bash 复制代码
    <Engine name="Catalina" defaultHost="kkk.yourdomain.com">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="kkk.yourdomain.com"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

5.2客户端dns配置:

另我在本机的C:\Windows\System32\drivers\etc\hosts

10.10.8.91 kkk.yourdomain.com

最终:可实现完美安全访问:

https://kkk.yourdomain.com:8088

后经朋友提醒,web.xml不改也行,我就没继续测试了,大家可酌情考虑。

相关推荐
软件开发-NETKF888815 小时前
JSP到Tomcat特详细教程
java·开发语言·tomcat·jsp·项目运行
|CXHAO|17 小时前
使用tomcat本地部署draw.io
java·tomcat·draw.io
叙白冲冲1 天前
tomcat 为啥能一直运行?不像方法那样结束?
java·tomcat
赖龙1 天前
记录SSL部署,链路不完整问题
网络·网络协议·ssl
I like Code?1 天前
阿里云服务器配置ssl-docker nginx
服务器·阿里云·ssl
梦想blog1 天前
使用 Acme.sh 获取和管理免费 SSL 证书
证书·ssl·acme
牛奶咖啡131 天前
Nginx +Tomcat架构的必要性与应用示例
nginx·tomcat·nginx的静态动态资源配置·root与alias的区别·静态及负载均衡动态资源配置
吐个泡泡v1 天前
网络编程基础:一文搞懂 Socket、HTTP、HTTPS、TCP/IP、SSL 的关系
网络·网络协议·http·https·socket·ssl·tcp
爱隐身的官人2 天前
新后端漏洞(上)- Aapache Tomcat AJP 文件包含漏洞(CVE-2020-1938)
java·tomcat·ajp
XMYX-02 天前
解决 Apache/WAF SSL 证书链不完整导致的 PKIX path building failed 问题
网络协议·apache·ssl