Java: supporting HTTPS and HTTP access at the same time
Background
The project was originally accessed over HTTP. Security requirements later called for HTTPS, but because it exposes interfaces to external parties, HTTP and HTTPS have to be served at the same time.
yml configuration
The existing port is the plain-HTTP port. If the TLS settings are put under `server` (Spring Boot's `server.ssl.*`), Spring Boot switches its single connector to HTTPS and plain HTTP stops working, so the HTTPS settings live under a separate prefix (`app`) and are wired up by a configuration class. `key-store` is the location of the keystore holding the certificate; here it sits under `resources` (`classpath:`), but a `file:` path works as well. `key-store-password` must be the `-storepass` the keystore was generated with (the value below and the one in the keytool command further down differ; they have to match), and outside a development setup it should be injected from an environment variable or a secrets store rather than committed with the repository.
```yaml
# HTTP port (Spring Boot's default connector)
server:
  port: 9993
  servlet:
    context-path: /zjf
    encoding:
      charset: UTF-8
file:
  encoding: UTF-8
logging:
  level:
    com.travelsky.mapper: debug
mybatis:
  configuration:
    log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
debug: true
# HTTPS port (read by the custom configuration class, not by Spring Boot's server.ssl support)
app:
  https:
    port: 8443
  ssl:
    key-store: classpath:keystore.p12
    key-store-password: "marukozjf@310"
    key-store-type: PKCS12
    key-alias: tomcat
    enabled-protocols: TLSv1.2,TLSv1.3
    ciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```
Certificate generation command
keystore
Where the generated keystore file is written.
storepass (store password)
The password protecting the keystore as a whole. A keystore is a file that can hold several key pairs (each under its own alias); storepass is what you need to open the file at all, for example to list the certificates or keys inside it.
keypass (key password)
The password protecting one specific private key inside the keystore. Each key pair (identified by its alias) can have its own, and it is needed whenever that private key is used, for example to authenticate the server in a TLS connection.
For PKCS12 keystores keytool does not support different store and key passwords (it warns and uses -storepass for the key too), so keep the two identical as below. The -alias must match key-alias in the yml and -storepass must match key-store-password. A SAN of localhost/127.0.0.1 is only useful for local development; clients will reject the certificate for any other host name, so production needs a CA-issued certificate for the real host name.
```bash
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "D:/maruko/keystore.p12" -validity 3650 -storepass "maruko@2025" -keypass "maruko@2025" -dname "CN=localhost, OU=Development, O=Company, L=City, ST=State, C=US" -ext "SAN=DNS:localhost,IP:127.0.0.1"
```
Configuration class
```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;

/**
 *
 * @author maruko
 * @version JDK 8
 * @name HttpHttpsConfig
 * @date 2025/10/30
 * @description adds an HTTPS connector next to Spring Boot's default HTTP connector
 */
@Configuration
public class HttpHttpsConfig {
    @Value("${app.https.port}")
    private int httpsPort;
    @Value("${app.ssl.key-store-password}")
    private String password;
    @Value("${app.ssl.key-store-type:PKCS12}")
    private String keyStoreType;
    @Value("${app.ssl.key-alias:tomcat}")
    private String keyAlias;
    @Value("${app.ssl.enabled-protocols:TLSv1.2,TLSv1.3}")
    private String enabledProtocols;
    @Value("${app.ssl.ciphers:}")
    private String ciphers;

    @Bean
    public ServletWebServerFactory servletContainer() {
        // server.port (9993) stays the plain-HTTP connector; the HTTPS one is added alongside it
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        factory.addAdditionalTomcatConnectors(createSslConnector());
        return factory;
    }

    private Connector createSslConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setPort(httpsPort);
        protocol.setSSLEnabled(true);
        // These setters are deprecated in Tomcat 8.5/9 in favour of SSLHostConfig, but still work there
        protocol.setKeystoreFile(getKeystoreFilePath());
        protocol.setKeystorePass(password);
        protocol.setKeystoreType(keyStoreType);
        protocol.setKeyAlias(keyAlias);
        // Without these two calls the enabled-protocols / ciphers values from the yml are never applied
        protocol.setSslEnabledProtocols(enabledProtocols);
        if (!ciphers.isEmpty()) {
            protocol.setCiphers(ciphers);
        }
        return connector;
    }

    /**
     * Tomcat needs a file system path. ClassPathResource.getFile() only works when the application
     * runs from an exploded directory (e.g. the IDE); inside a packaged jar the keystore is a jar
     * entry, so in that case it is copied to a temporary file (created with owner-only permissions
     * on POSIX systems).
     */
    private String getKeystoreFilePath() {
        ClassPathResource resource = new ClassPathResource("keystore.p12");
        try {
            if (resource.isFile()) {
                return resource.getFile().getAbsolutePath();
            }
            Path tmp = Files.createTempFile("keystore", ".p12");
            tmp.toFile().deleteOnExit();
            try (InputStream in = resource.getInputStream()) {
                Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            }
            return tmp.toAbsolutePath().toString();
        } catch (Exception e) {
            throw new RuntimeException("keystore file not found or not readable", e);
        }
    }
}
```
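As an added example that is not part of the original post (class and package names are assumptions; the property keys are those of the yml above), the same two-connector setup written against Tomcat's SSLHostConfig API instead of the deprecated keystore setters. At startup it also does what the keytool section describes by hand: open the store with storepass, unlock the private key under key-alias, and check the certificate's validity period, so a wrong password or alias fails at boot with a readable message rather than at the first TLS handshake. Because the KeyStore object is handed to Tomcat directly, the keystore never has to exist as a plain file on disk, and the enabled-protocols and ciphers from the yml are actually enforced.

```java
// Added example, not code from the original post. Package and class names are assumptions.
package com.example.tls;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

@Configuration
public class HardenedHttpsConnectorConfig {

    @Value("${app.https.port}")
    private int httpsPort;

    /** "classpath:keystore.p12" or "file:/etc/app/keystore.p12"; Spring converts the string to a Resource. */
    @Value("${app.ssl.key-store}")
    private Resource keyStoreResource;

    @Value("${app.ssl.key-store-password}")
    private String storePass;

    @Value("${app.ssl.key-store-type:PKCS12}")
    private String storeType;

    @Value("${app.ssl.key-alias:tomcat}")
    private String keyAlias;

    @Value("${app.ssl.enabled-protocols:TLSv1.2,TLSv1.3}")
    private String enabledProtocols;

    /** Empty means "keep Tomcat's default cipher list", which already excludes NULL/EXPORT/RC4/DES/MD5 suites. */
    @Value("${app.ssl.ciphers:}")
    private String ciphers;

    @Bean
    public ServletWebServerFactory servletContainer() throws IOException, GeneralSecurityException {
        // server.port stays the plain-HTTP connector; the HTTPS connector is added next to it
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        factory.addAdditionalTomcatConnectors(createSslConnector(loadAndCheckKeyStore()));
        return factory;
    }

    /**
     * Fail at startup with a clear message instead of at the first TLS handshake.
     * storepass opens the file; keypass unlocks the one private key under the alias.
     * keytool gives a PKCS12 store a single password for both, so the same value is used twice.
     */
    KeyStore loadAndCheckKeyStore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = keyStoreResource.getInputStream()) { // works inside a packaged jar too
            ks.load(in, storePass.toCharArray());                  // wrong storepass -> IOException
        }
        if (!ks.isKeyEntry(keyAlias)) {
            throw new IllegalStateException("no private key under alias '" + keyAlias
                    + "', aliases present: " + Collections.list(ks.aliases()));
        }
        ks.getKey(keyAlias, storePass.toCharArray());              // wrong keypass -> UnrecoverableKeyException
        X509Certificate cert = (X509Certificate) ks.getCertificate(keyAlias);
        cert.checkValidity();                                      // expired or not yet valid -> CertificateException
        return ks;
    }

    private Connector createSslConnector(KeyStore ks) {
        Connector connector = new Connector(Http11NioProtocol.class.getName());
        Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setPort(httpsPort);
        protocol.setSSLEnabled(true);

        // SSLHostConfig is the non-deprecated way to configure TLS on a connector and accepts the
        // KeyStore object directly, so no keystore path on disk is needed.
        SSLHostConfig sslHostConfig = new SSLHostConfig();
        sslHostConfig.setHostName(protocol.getDefaultSSLHostConfigName());
        sslHostConfig.setProtocols(enabledProtocols);              // "TLSv1.2,TLSv1.3": TLS 1.0/1.1 handshakes are refused
        if (!ciphers.isEmpty()) {
            sslHostConfig.setCiphers(ciphers);                     // JSSE names as in the yml
        }

        SSLHostConfigCertificate certificate =
                new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
        certificate.setCertificateKeystore(ks);
        certificate.setCertificateKeyAlias(keyAlias);
        certificate.setCertificateKeyPassword(storePass);
        sslHostConfig.addCertificate(certificate);

        protocol.addSslHostConfig(sslHostConfig);
        return connector;
    }
}
```

Use this class in place of HttpHttpsConfig, not in addition to it (both would try to bind 8443). To check the result from a shell, `openssl s_client -connect localhost:8443 -tls1_2` must complete a handshake, `nmap --script ssl-enum-ciphers -p 8443 localhost` should list only TLSv1.2 and TLSv1.3 with the configured suites, and `curl http://localhost:9993/zjf/` confirms that plain HTTP still answers on the original port.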
nginx configuration
```nginx
# self-signed certificate configuration (development environment); these directives go inside the server { } block
listen 443 ssl;                                   # enable TLS
ssl_certificate     /opt/app/nginx/ssl/dcs.crt;
ssl_certificate_key /opt/app/nginx/ssl/dcs.key;
```
Generating the certificate on Linux
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/app/nginx/ssl/dcs.key -out /opt/app/nginx/ssl/dcs.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=TravelSky/OU=Development/CN=localhost"
```
-nodes writes the private key unencrypted, which nginx needs in order to start unattended; that is why the key file's permissions matter.
Set permissions (the private key readable by its owner only; the certificate is public)
```bash
sudo chmod 600 /opt/app/nginx/ssl/dcs.key
sudo chmod 644 /opt/app/nginx/ssl/dcs.crt
```
Validate the configuration (-t only parses the files and reports errors; running the binary without it starts nginx)
```bash
sudo /opt/app/nginx/sbin/nginx -t
```
Reload nginx (re-reads the configuration without dropping existing connections)
```bash
sudo /opt/app/nginx/sbin/nginx -s reload
```