tomcat 配置支持 ssl 附效果图

1、修改tomcat配置文件server.xml:

bash 复制代码
vim ./conf/server.xml

把配置文件:

bash 复制代码
	
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
   

禁用:

bash 复制代码
<!--
    <Connector port="8088" Server=" "  protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="4194304"
			   compression="on" 
			   noCompressionUserAgents="gozilla,traviata"                          compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/xml,application/javascript,application/xhtml+xml,x-font/otf,application/x-font-woff,x-font/ttf,x-font/eot"/>
-->

2、server.xml单独开放一个端口,原来注释的,改造一下,并放出来:

bash 复制代码
    <Connector port="8088" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/youdomainfile.com.jks"
                         type="RSA"  certificateKeystorePassword="asdf2024" />
        </SSLHostConfig>
    </Connector>

3、server.xml中 AJP 1.3 Connector on port 8009相关

原来是注释的,我把他打开:

bash 复制代码
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8088" />
    

4、web.xml文件中:

原来末尾是:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
    		<web-resource-name>fortune</web-resource-name>
	    	<url-pattern>/*</url-pattern>
	    	<http-method>PUT</http-method>
	    	<http-method>DELETE</http-method>
	    	<http-method>HEAD</http-method>
	    	<http-method>OPTIONS</http-method>
	    	<http-method>TRACE</http-method>

		</web-resource-collection>
		<auth-constraint></auth-constraint>
	     </security-constraint>

      <login-config>
	        <auth-method>BASIC</auth-method>
      </login-config>
</web-app>

改成这样子:

bash 复制代码
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

      <security-constraint>
	     <web-resource-collection>
		<web-resource-name>fortune</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
		<http-method>HEAD</http-method>
		<http-method>OPTIONS</http-method>
		<http-method>TRACE</http-method>

         <web-resource-name >SSL</web-resource-name>
		<url-pattern>/*</url-pattern>

		</web-resource-collection>

		<user-data-constraint>
		    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	    </user-data-constraint>
		
<auth-constraint></auth-constraint>
	     </security-constraint>
             <login-config>
                <!--	<auth-method>BASIC</auth-method> -->
                <!-- Authorization setting for SSL -->
            	<auth-method>CLIENT-CERT</auth-method>
            	<realm-name>Client Cert Users-only Area</realm-name>

              </login-config>
</web-app>

上述即可实现用Ip的访问:http://10.10.8.91:8088/

如果出现提示,

复制代码
Bad Request
This combination of host and port requires TLS.

则用https访问即可,但是仍然有"不安全"的提示,

5、设置用域名即可完美实现安全访问:

5.1服务器端:

之前tomcat\conf\server.xml

bash 复制代码
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
  unpackWARs="true" autoDeploy="true">

改成:

bash 复制代码
    <Engine name="Catalina" defaultHost="kkk.yourdomain.com">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="kkk.yourdomain.com"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

5.2客户端dns配置:

另我在本机的C:\Windows\System32\drivers\etc\hosts

10.10.8.91 kkk.yourdomain.com

最终:可实现完美安全访问:

https://kkk.yourdomain.com:8088

后经朋友提醒,web.xml不改也行,我就没继续测试了,大家可酌情考虑。

相关推荐
杉之1 小时前
SpringBlade 数据库字段的自动填充
java·笔记·学习·spring·tomcat
心灵宝贝3 小时前
Tomcat 部署 Jenkins.war 详细教程(含常见问题解决)
java·tomcat·jenkins
生命是有光的7 小时前
【中间件安全计划】锚定Tomcat安全基线
安全·中间件·tomcat
qq_431510168 小时前
tomcat组件概览
java·tomcat
IT成长日记1 天前
Elasticsearch安全加固指南:启用登录认证与SSL加密
安全·elasticsearch·ssl
ccc_9wy1 天前
玄机-第六章 流量特征分析-常见攻击事件 tomcat的测试报告
网络安全·tomcat·玄机靶场·攻击流程·溯源分析·定时任务反弹shell·gobuster
当归10241 天前
Tomcat中的webapps的访问方式和java -jar内置Tomcat的访问方式的区别
java·tomcat·jar
magic 2451 天前
监听器(Listener)详解
java·servlet·tomcat
MaCa .BaKa1 天前
25-智慧旅游系统(协同算法)三端
java·javascript·vue.js·spring boot·tomcat·maven·旅游
WoTrusSSL2 天前
SSL证书如何保障人脸识别系统安全?
网络协议·系统安全·ssl