This post covers configuring HTTPS, together with some server installation and deployment steps: installing and configuring HTTPS in Tomcat and in nginx.
1. Applying for and downloading a free Alibaba Cloud certificate
Reference: https://common-buy.aliyun.com/?spm=5176.2020520163.cas.85.3b102b7arJW2wy&commodityCode=cas#/buy
After the purchase succeeds, download the certificate and its configuration by following the corresponding process.
Related configuration reference: https://help.aliyun.com/video_detail/54217.html?spm=5176.2020520163.cas.80.3b102b7arJW2wy
2. Configuration notes
- Change the port number; the default HTTPS port is 443.
- Change the certificate path.
- Change the protocol.
- Change the certificate password.
Related blog reference: http://imtianx.cn/2017/09/22/tomcat_set_https/
3. Opening the firewall port
vim /etc/sysconfig/iptables
Add the following rule to the file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Alternatively, you can open the port with a security group rule in the Alibaba Cloud management console.
4. Test
Restart Tomcat and open https://willhappy.cn to test.
5. Extra: nginx + tomcat + https
As described above, the web project can be configured with HTTPS in the Tomcat container alone. Most companies, however, now use nginx as the reverse proxy, with Tomcat only providing the backend data service, so let's briefly cover installing and configuring an HTTPS certificate in nginx.
1. Installing nginx
There are already plenty of guides online; refer to the portal.
2. Configuring the HTTPS certificate in nginx
This is similar to Tomcat's HTTPS configuration; see the reference portal and the video reference portal.
My configuration file nginx.conf:
server {
    listen 443;
    server_name willhappy.cn;          # domain name to intercept
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate cert/XX.pem;       # the certificate file you applied for
    ssl_certificate_key cert/XX.key;   # the private key file
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://whome;       # the server that provides the data service
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
upstream whome {
    server localhost:8080;
}
Configure Tomcat's server.xml so that the project can be accessed directly via the IP address:
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/usr/local/tomcat/webapps/whome" reloadable="true" />
</Host>
3. Start and test
When you start nginx you may get an error:
[emerg] 10464#0: unknown directive "ssl" in /usr/local/nginx-0.6.32/conf/nginx.conf:74
This means the ssl module was not compiled into nginx; add "--with-http_ssl_module" when running configure:
[root@localhost nginx-1.4.4]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
Then reconfigure and recompile from the nginx source package.
Open https://willhappy.cn again to test the access; the configuration is successful.
Note: with this configuration only https://willhappy.cn is served securely; visiting willhappy.cn or a plain http:// URL is not. To make both entry points end up on the secure connection, additional configuration is needed.
Reference: portal (not tested; you can try it yourself, hehe).
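As an added example that is not part of the original post, the script below audits the TLS-relevant directives of the nginx configuration from section 2 and of a hardened variant, covering the point raised in the note above about plain-HTTP access. The POST_CONFIG string is the post's own server block with the comments and proxy headers removed; the HARDENED_CONFIG string is my own suggestion (an assumption, not the author's configuration): TLS enabled on the listen line instead of the obsolete ssl directive, only TLS 1.2 and 1.3, explicit ECDHE suites instead of the broad AES/HIGH/ECDH aliases, and a port-80 server block whose only job is to redirect to HTTPS. The checks use the standard library only and run offline.

```python
import re

# Constructed sample: the server block shown in this post, comments removed.
POST_CONFIG = """
server {
    listen 443;
    server_name willhappy.cn;
    ssl on;
    ssl_certificate cert/XX.pem;
    ssl_certificate_key cert/XX.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://whome;
    }
}
"""

# Constructed hardened variant (my suggestion, not the post's config): TLS on the listen
# line, TLS 1.2+ only, explicit forward-secret suites, and a plain-HTTP block that only redirects.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name willhappy.cn;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name willhappy.cn;
    ssl_certificate cert/XX.pem;
    ssl_certificate_key cert/XX.key;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://whome;
    }
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
# Broad OpenSSL aliases that also match RSA-key-exchange and static-ECDH suites (no forward secrecy).
BROAD_CIPHER_ALIASES = {"AES", "HIGH", "ECDH", "ALL", "DEFAULT"}

def split_server_blocks(config):
    """One list of (directive, args) per top-level server block; nested blocks are flattened."""
    blocks, depth, current = [], 0, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if depth == 0:
            if re.fullmatch(r"server\s*\{", line):
                depth, current = 1, []
            continue  # anything else at top level (http, upstream) is ignored
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                blocks.append(current)
        elif line.endswith(";"):
            name, *args = line[:-1].split()
            current.append((name, args))
    return blocks

def audit_server_block(directives):
    """Return the findings for one server block; an empty list means it passes."""
    by_name = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)
    findings = []
    legacy_ssl_on = by_name.get("ssl") == [["on"]]
    listen_ssl = any("ssl" in args for args in by_name.get("listen", []))
    if not (legacy_ssl_on or listen_ssl):
        # A plain-HTTP block is acceptable only if it hands every request to HTTPS.
        if not any(len(a) > 1 and a[0] in ("301", "308") and a[1].startswith("https://")
                   for a in by_name.get("return", [])):
            findings.append("plain-HTTP server block does not redirect to HTTPS")
        return findings
    if legacy_ssl_on:
        findings.append("'ssl on' is deprecated; use 'listen 443 ssl' instead")
    protocols = {p for args in by_name.get("ssl_protocols", []) for p in args}
    weak = sorted(protocols & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(weak))
    for args in by_name.get("ssl_ciphers", []):
        aliases = sorted(set(":".join(args).split(":")) & BROAD_CIPHER_ALIASES)
        if aliases:
            findings.append("broad cipher aliases admit non-forward-secret suites: " + ", ".join(aliases))
    return findings

def audit(config):
    """Audit every server block and return a flat list of 'block N: finding' strings."""
    return [f"block {i}: {f}" for i, blk in enumerate(split_server_blocks(config), 1)
            for f in audit_server_block(blk)]

if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run as-is, the post's block yields three findings (the obsolete ssl directive, TLS 1.0/1.1 enabled, and the AES/HIGH/ECDH aliases), while the hardened variant passes; a port-80 block without the 301 redirect is reported as unprotected plain-HTTP access. The parser is a line-oriented brace counter, sufficient for configs written one directive per line like the one in this post.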