tomcat 配置支持 ssl 附效果图

1、修改tomcat配置文件server.xml:

bash 复制代码
vim ./conf/server.xml

把配置文件:

bash 复制代码
	
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
   

禁用:

bash 复制代码
<!--
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
-->

2、server.xml单独开放一个端口,原来注释的,改造一下,并放出来:

bash 复制代码
    <Connector port="8088" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/youdomainfile.com.jks"
                         type="RSA"  certificateKeystorePassword="asdf2024" />
        </SSLHostConfig>
    </Connector>

3、server.xml中 AJP 1.3 Connector on port 8009相关

原来是注释的,我把他打开:

bash 复制代码
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8088" />
    

4、web.xml文件中:

原来末尾是:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
    		<web-resource-name>fortune</web-resource-name>
	    	<url-pattern>/*</url-pattern>
	    	<http-method>PUT</http-method>
	    	<http-method>DELETE</http-method>
	    	<http-method>HEAD</http-method>
	    	<http-method>OPTIONS</http-method>
	    	<http-method>TRACE</http-method>

		</web-resource-collection>
		<auth-constraint></auth-constraint>
	     </security-constraint>

      <login-config>
	        <auth-method>BASIC</auth-method>
      </login-config>
</web-app>

改成这样子:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
		<web-resource-name>fortune</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
		<http-method>HEAD</http-method>
		<http-method>OPTIONS</http-method>
		<http-method>TRACE</http-method>

         <web-resource-name >SSL</web-resource-name>
		<url-pattern>/*</url-pattern>

		</web-resource-collection>

		<user-data-constraint>
		    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	    </user-data-constraint>
		
<auth-constraint></auth-constraint>
	     </security-constraint>
             <login-config>
                <!--	<auth-method>BASIC</auth-method> -->
                <!-- Authorization setting for SSL -->
            	<auth-method>CLIENT-CERT</auth-method>
            	<realm-name>Client Cert Users-only Area</realm-name>

              </login-config>
</web-app>

上述即可实现用Ip的访问:http://10.10.8.91:8088/

如果出现提示,

复制代码
Bad Request
This combination of host and port requires TLS.

则用https访问即可,但是仍然有"不安全"的提示,

5、设置用域名即可完美实现安全访问:

5.1服务器端:

之前tomcat\conf\server.xml

bash 复制代码
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
  unpackWARs="true" autoDeploy="true">

改成:

bash 复制代码
    <Engine name="Catalina" defaultHost="kkk.yourdomain.com">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="kkk.yourdomain.com"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

5.2客户端dns配置:

另我在本机的C:\Windows\System32\drivers\etc\hosts

10.10.8.91 kkk.yourdomain.com

最终:可实现完美安全访问:

https://kkk.yourdomain.com:8088

后经朋友提醒,web.xml不改也行,我就没继续测试了,大家可酌情考虑。

相关推荐
Rewloc1 天前
IntelliJ IDEA 打包 Web 项目 WAR 包(含 Tomcat 部署+常见问题解决)
前端·tomcat·intellij-idea
夫唯不争,故无尤也2 天前
Tomcat 内嵌启动时找不到 Web 应用的路径
java·前端·tomcat
Super Rookie2 天前
Tomcat 自动化脚本安装方案
运维·tomcat·自动化
gaoshan123456789102 天前
‌MyBatis-Plus 的 LambdaQueryWrapper 可以实现 OR 条件查询‌
java·tomcat·mybatis
卓码软件测评2 天前
第三方媒体流压力测试:k6插件xk6-webrtc的使用来测试媒体流的性能
网络协议·测试工具·http·https·webrtc·ssl·媒体
AirDroid_cn2 天前
Win11 远程桌面:连接公司电脑时,提示 “证书错误” 如何解决?
windows·网络协议·https·ssl·电脑技巧
zz-zjx3 天前
Tomcat核心架构与生产部署指南
java·运维·tomcat
灰灰老师3 天前
在Ubuntu22.04和24.04中安装Docker并安装和配置Java、Mysql、Tomcat
java·mysql·docker·tomcat
这周也會开心3 天前
云服务器安装JDK、Tomcat、MySQL
java·服务器·tomcat