tomcat 配置支持 ssl 附效果图

1、修改tomcat配置文件server.xml:

bash 复制代码
vim ./conf/server.xml

把配置文件:

bash 复制代码
	
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
   

禁用:

bash 复制代码
<!--
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
-->

2、server.xml单独开放一个端口,原来注释的,改造一下,并放出来:

bash 复制代码
    <Connector port="8088" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/youdomainfile.com.jks"
                         type="RSA"  certificateKeystorePassword="asdf2024" />
        </SSLHostConfig>
    </Connector>

3、server.xml中 AJP 1.3 Connector on port 8009相关

原来是注释的,我把他打开:

bash 复制代码
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8088" />
    

4、web.xml文件中:

原来末尾是:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
    		<web-resource-name>fortune</web-resource-name>
	    	<url-pattern>/*</url-pattern>
	    	<http-method>PUT</http-method>
	    	<http-method>DELETE</http-method>
	    	<http-method>HEAD</http-method>
	    	<http-method>OPTIONS</http-method>
	    	<http-method>TRACE</http-method>

		</web-resource-collection>
		<auth-constraint></auth-constraint>
	     </security-constraint>

      <login-config>
	        <auth-method>BASIC</auth-method>
      </login-config>
</web-app>

改成这样子:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
		<web-resource-name>fortune</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
		<http-method>HEAD</http-method>
		<http-method>OPTIONS</http-method>
		<http-method>TRACE</http-method>

         <web-resource-name >SSL</web-resource-name>
		<url-pattern>/*</url-pattern>

		</web-resource-collection>

		<user-data-constraint>
		    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	    </user-data-constraint>
		
<auth-constraint></auth-constraint>
	     </security-constraint>
             <login-config>
                <!--	<auth-method>BASIC</auth-method> -->
                <!-- Authorization setting for SSL -->
            	<auth-method>CLIENT-CERT</auth-method>
            	<realm-name>Client Cert Users-only Area</realm-name>

              </login-config>
</web-app>

上述即可实现用Ip的访问:http://10.10.8.91:8088/

如果出现提示,

复制代码
Bad Request
This combination of host and port requires TLS.

则用https访问即可,但是仍然有"不安全"的提示,

5、设置用域名即可完美实现安全访问:

5.1服务器端:

之前tomcat\conf\server.xml

bash 复制代码
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
  unpackWARs="true" autoDeploy="true">

改成:

bash 复制代码
    <Engine name="Catalina" defaultHost="kkk.yourdomain.com">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="kkk.yourdomain.com"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

5.2客户端dns配置:

另我在本机的C:\Windows\System32\drivers\etc\hosts

10.10.8.91 kkk.yourdomain.com

最终:可实现完美安全访问:

https://kkk.yourdomain.com:8088

后经朋友提醒,web.xml不改也行,我就没继续测试了,大家可酌情考虑。

相关推荐
没有名字的小羊10 小时前
8.Docker镜像讲解
运维·docker·容器·tomcat
ye901 天前
银河麒麟V10服务器版 + openGuass + JDK +Tomcat
java·开发语言·tomcat
hunjinYang1 天前
Tomcat镜像实战:掌握Dockerfile的编写以及发布项目
docker·tomcat
BD_Marathon2 天前
Ubuntu下的Tomcat服务器部署
服务器·ubuntu·tomcat
you秀2 天前
HTTPS通信流程:SSL/TLS握手全解析
网络协议·https·ssl
ladymorgana2 天前
【Spring boot】tomcat Jetty Undertow对比,以及应用场景
spring boot·tomcat·jetty
小菜鸡95272 天前
http、SSL、TLS、https、证书
http·https·证书·ssl·tls
小小鱼儿小小林2 天前
免费一键自动化申请、续期、部署、监控所有 SSL/TLS 证书,ALLinSSL开源免费的 SSL 证书自动化管理平台
开源·自动化·ssl
凌辰揽月3 天前
8分钟讲完 Tomcat架构及工作原理
java·架构·tomcat
斯普信专业组3 天前
K8s环境下基于Nginx WebDAV与TLS/SSL的文件上传下载部署指南
nginx·kubernetes·ssl