Domain name resolution, SSL certificate, exposing a local service to the external network, intranet penetration: a tutorial

1. Preparation

This exercise upgrades a service from http to https by adding an SSL certificate. The main goal is to build a simulated environment in which a service running on a local computer is reached through a domain name; that requires applying for a domain name, preparing an intranet penetration (tunnelling) tool, and having Tomcat and a web application ready.

2. Intranet penetration

Several free penetration tools were tested; Sunny-Ngrok meets the needs of this setup. Download it from http://www.ngrok.cc/; you also need to register an account and apply for a free server (the overseas servers are slower).
Log in to the management console and fill in the tunnel information (tunnel protocol, the local port to forward, and the domain name).
So far I have actually obtained a domain name (the one generated by Ngrok), but it seems this domain name cannot be resolved through DNS; I tried many times and failed, so I will apply for a domain name through Alibaba Cloud later.
Unpack the penetration tool; the Windows version is demonstrated here. After unpacking you get two files, an .exe and a .bat. Run the .bat file, paste the tunnel id at the cursor, and press Enter.
A console window appears; do not close it. While it is open, requests to the domain name just generated, arriving from the external network, are forwarded to local port 8889. Bear in mind that this makes the local service reachable by anyone on the Internet who knows the host name, and that the tunnel provider sits in the path of that traffic. This generated domain name, however, cannot pass the domain validation needed for an SSL certificate from Alibaba Cloud (you do not control its DNS), so a domain name is applied for next.

3. Apply for a domain name

Apply for a domain name via the Alibaba Cloud console; real-name verification is required before the domain can be resolved. See the Alibaba Cloud website for the specific steps.

4. Domain name resolution

In the Alibaba Cloud DNS console, add a record for the new domain that points at the domain name generated by Ngrok (in practice a CNAME record). After saving, wait for the resolution to take effect, usually about 10 minutes.
Normally the domain you just applied for now maps to the address that DNS resolves, but because the record points at the Ngrok-generated domain, the site is still not reachable. Go back to the management console on the Ngrok website and add a custom domain whose value is the domain just applied for at Alibaba Cloud (the custom domain has to be verified there).
The Alibaba Cloud DNS console also shows the status of the record.

Once DNS resolution is in effect, the port 8889 mapped by Ngrok can be reached from any computer with Internet access.

5. Apply for a CA certificate

Alibaba Cloud offers several certificate products; see the Alibaba Cloud website for details.

1. Classification of certificates

  • OV (organization validation): the CA verifies the applying enterprise or organization as well as the domain
  • DV (domain validation): the CA checks only control of the domain name; suitable for individuals
  • EV (extended validation): the strictest vetting, aimed at large enterprises and financial institutions

2. Purchase

3. Verification

I applied for the free certificates that come with the certificate resource package (20 at a time). After applying, complete verification first, filling in the information as required. Because the domain is registered at Alibaba Cloud, DNS verification can be done automatically, and the CSR can also be generated automatically. Note that when the platform generates the CSR it also generates the private key, so the key exists on the vendor's side; if you prefer that the key never leave your server, generate the key pair and CSR yourself and paste the CSR in instead.
Once verification succeeds, submit the application for review; I applied at 6:30 in the afternoon and it passed within five minutes.

4. Download and deployment

The download and deployment steps do not appear to be in a fixed order; the main thing is to fill in the information correctly when deploying.
Save the downloaded certificate bundle; it is placed on the Tomcat server later.

5. Configure to the server

Alibaba Cloud's documentation covers the configuration in detail; the main demonstration here is configuring Tomcat:

5.1. Installation prerequisites:

  1. Download the SSL certificate in advance. Tomcat accepts both PFX (PKCS#12) and JKS keystores; pick the one appropriate to your Tomcat version.
  2. Port 443 (the default HTTPS port; any other port can be specified) must be open on the Tomcat server.

5.2. Install a PFX format certificate

  1. Unpack the downloaded Tomcat certificate bundle locally. It contains:
     • the certificate file (domain name.pfx), with the .pfx suffix
     • the password file (pfx-password.txt), with the .txt suffix
  2. Create a new cert directory under the Tomcat installation directory and copy the unpacked certificate and password files into it.
  3. Edit the configuration file conf/server.xml:
    ① Uncomment the following connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

② Then edit the uncommented connector as follows. Note that this template still enables TLS 1.0 and TLS 1.1 and the non-forward-secret TLS_RSA_* CBC cipher suites; both are deprecated (RFC 8996 for the protocol versions), so unless legacy clients require them, restrict the connector to TLS 1.2 and later with ECDHE suites.

<!-- port: change to suit your environment (the https default is 443). With any other port, the site must be reached as https://yourdomain:port. -->
<!-- keystoreFile: the absolute path to the certificate; replace "domain name" with your certificate's file name. -->
<!-- keystorePass: replace with the contents of the password file pfx-password.txt. -->
<Connector port="443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="Tomcat installation directory/cert/domain name.pfx"
    keystoreType="PKCS12"
    keystorePass="certificate password"
    clientAuth="false"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>


③ Configure web.xml (Tomcat's conf/web.xml, which applies to every application, or the application's own WEB-INF/web.xml) to force HTTP requests over to HTTPS. Add the following inside the <web-app> element, before the closing </web-app> tag:

<!-- Optional: a login-config only matters when an <auth-constraint> demands authentication.
     With none present it does not require client certificates and can be left out. -->
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<!-- This is the part that forces HTTPS: CONFIDENTIAL makes Tomcat redirect plain-HTTP
     requests for every URL to the HTTP connector's redirectPort, which must therefore be
     set to the HTTPS port (443 here, not the default 8443). -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

④ Restart Tomcat from its bin directory (on Windows use shutdown.bat and startup.bat):

./shutdown.sh
./startup.sh
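As an added example (not from the original post or from Alibaba Cloud's documentation), here is a server.xml connector pair for Tomcat 8.5 or later that keeps the PFX deployment described above but limits TLS to 1.2 and 1.3 with forward-secret suites, and wires the plain-HTTP connector's redirectPort to 443 so that the CONFIDENTIAL constraint in web.xml redirects to the right port. The keystore path, the password, the HTTP port 8080 and a Java 11+ runtime (needed for TLS 1.3) are assumptions.

```xml
<!-- Plain HTTP listener, kept only so that the CONFIDENTIAL constraint in web.xml
     can bounce clients to HTTPS. redirectPort MUST equal the HTTPS connector's port;
     the stock value 8443 would send browsers to a port nothing listens on. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS listener in Tomcat 8.5+/9 syntax: TLS settings live in SSLHostConfig,
     the keystore in a nested Certificate element. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- TLS 1.2 and 1.3 only; no TLS 1.0/1.1, no static-RSA or CBC suites.
         honorCipherOrder makes the server's preference win over the client's. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                   certificateVerification="none">
        <!-- Same PFX as in the steps above (assumed path); a relative path resolves
             against $CATALINA_BASE. Keep the file and server.xml readable only by
             the Tomcat user, since the password is stored in clear text here. -->
        <Certificate certificateKeystoreFile="cert/domain name.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="certificate password"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

certificateVerification="none" is the SSLHostConfig equivalent of clientAuth="false" on the older connector. On Linux, binding to port 443 requires root or the CAP_NET_BIND_SERVICE capability; Tomcat's default of 8443 exists to avoid that, at the cost of an explicit port in the URL.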

5.3 Verification

After installing the certificate, check it by opening the domain bound to the certificate in a browser:
https://domain name.com
replacing "domain name" with the domain bound to the certificate.
If a padlock icon appears in the browser's address bar, the certificate has been installed successfully.

If the site cannot be reached over https, first confirm that port 443 on the server where the certificate was installed is open and not blocked by a firewall or another program.
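The certificate steps above leave three things to the vendor or to the browser: generating the CSR (section 5, step 3), producing the PFX keystore Tomcat loads (section 5.2), and checking the deployed result (section 5.3). The following script is an added example, not part of the original post, that does all three with the openssl command line so that the private key is generated locally and never leaves the machine. It assumes openssl 1.1.1 or newer is installed; DOMAIN, WORK and PFX_PASS are placeholders, and the self-signed certificate is a constructed stand-in for the CA-issued one so that the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI (1.1.1+).
# DOMAIN, WORK and PFX_PASS are placeholders; override them in the environment.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"   # placeholder domain
WORK="${WORK:-./cert}"                # mirrors the Tomcat "cert" directory in the tutorial
PFX_PASS="${PFX_PASS:-changeit}"      # becomes keystorePass in server.xml; use a real one

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# 1. Key pair and CSR generated locally. The CA only ever sees the CSR, so the
#    private key never exists on the vendor's side (unlike "auto-generate CSR").
make_key_and_csr() {
    mkdir -p "$WORK"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$DOMAIN.key"
    chmod 600 "$WORK/$DOMAIN.key"
    openssl req -new -key "$WORK/$DOMAIN.key" -subj "/CN=$DOMAIN" \
        -addext "subjectAltName=DNS:$DOMAIN" -out "$WORK/$DOMAIN.csr"
}

# 2. Constructed stand-in for the certificate the CA returns after DNS validation
#    (self-signed, 90 days). With a real issuance, skip this step and save the CA's
#    PEM files as $WORK/$DOMAIN.crt and $WORK/chain.pem instead.
issue_stand_in_cert() {
    openssl req -x509 -new -key "$WORK/$DOMAIN.key" -subj "/CN=$DOMAIN" \
        -addext "subjectAltName=DNS:$DOMAIN" -days 90 -out "$WORK/$DOMAIN.crt"
}

# 3. PKCS#12 keystore for Tomcat (keystoreType="PKCS12"). Add
#    -certfile "$WORK/chain.pem" when you have the CA's intermediate certificate.
#    With OpenSSL 3 add -legacy if an old JDK (before 8u301) cannot open the file.
build_pfx() {
    openssl pkcs12 -export -name tomcat \
        -inkey "$WORK/$DOMAIN.key" -in "$WORK/$DOMAIN.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/$DOMAIN.pfx"
    chmod 600 "$WORK/$DOMAIN.pfx"
}

# 4. Sanity checks before copying the file into Tomcat: the key really belongs to
#    the certificate, and the password opens the keystore.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/$DOMAIN.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$WORK/$DOMAIN.crt" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

pfx_cert_summary() {
    openssl pkcs12 -in "$WORK/$DOMAIN.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts \
        | openssl x509 -noout -subject -dates -ext subjectAltName
}

# 5. After deployment: what does the live server present? Needs network access, so
#    it only runs when CHECK_LIVE=1. -servername sends SNI; -verify_return_error
#    makes the exit code non-zero if the chain does not verify against the system
#    trust store (a self-signed stand-in will therefore fail here, as it should).
check_live_endpoint() {
    openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    make_key_and_csr
    issue_stand_in_cert
    build_pfx
    key_matches_cert || { echo "private key does not match certificate" >&2; exit 1; }
    pfx_cert_summary
    if [ "${CHECK_LIVE:-0}" = "1" ]; then
        check_live_endpoint
        echo "live TLS endpoint verified"
    fi
}

main
```

Run it once to produce the CSR you paste into the certificate application, then again after the certificate arrives (with step 2 replaced by the CA's files) to build the PFX; copy the .pfx into Tomcat's cert directory and put PFX_PASS into keystorePass. `CHECK_LIVE=1 DOMAIN=your.domain ./script.sh` after restarting Tomcat replaces the browser padlock check with one that also fails on a missing intermediate certificate, which browsers sometimes paper over.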



6. Summary

In production, the deployment server is usually reachable from the public Internet, so no intranet penetration is needed: apply for the certificate, set up DNS resolution (which is also easy), and once the certificate has passed review, place the bundle for the bound domain under the designated Tomcat path and change the configuration file as shown above.

Source: blog.csdn.net/qq_40084325/article/details/112914281