SSL certificate

This article draws on the following articles:

http://reallifejava.com/configuring-ssl-in-wildfly-8/
http://www.360doc.com/content/12/0405/13/3200886_201082456.shtml
http://xeseo.blog.163.com/blog/static/5632431620130825428120/
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration

1. Basic Concepts

Certificates and encodings:
Essentially, an X.509 certificate is a digital document encoded and/or signed according to RFC 5280.
In practice, "X.509 certificate" usually refers to the IETF's PKIX (Public Key Infrastructure) Certificate and CRL (Certificate Revocation List) profile of the X.509 v3 certificate standard.

Encodings (also used as file extensions)

.DER = The DER extension is used for binary, DER-encoded certificates. Such files may also carry the CER or CRT extension. The proper way to say it is "I have a DER-encoded certificate", not "I have a DER certificate".
.PEM = The PEM extension is used for the various ASCII (Base64) encoded X.509 v3 certificates. The file starts with a line of the form "-----BEGIN ...".

Common extensions

.CRT = The CRT extension is used for certificates. The certificate may be DER-encoded or PEM-encoded. The CER and CRT extensions are nearly synonymous; CRT is the usual choice on the various unix/linux systems.
.CER = The Microsoft form of a CRT certificate. Microsoft tools can convert a CRT file to a CER file (CRT and CER must be in the same encoding, DER or PEM). A file with the CER extension is recognised by IE and triggers a call into Microsoft's CryptoAPI (specifically rundll32.exe cryptext.dll, CryptExtOpenCER), which pops up a dialog to import and/or view the certificate contents.
.KEY = The KEY extension is used for PKCS#8 public and private keys. These keys may be DER-encoded or PEM-encoded.

CRT files and CER files can only be safely substituted for each other if they use the same encoding.
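Because the extension says nothing about the encoding, a practitioner should decide PEM-vs-DER by content. The following shell functions do that and re-encode a certificate while proving (via its fingerprint) that only the encoding changed. This is an added example, not code from the original article or its sources; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original article): tell PEM from DER by content,
# not by file extension, and convert between the two. Assumes openssl is on PATH.

# cert_encoding FILE -> prints PEM or DER; returns 1 if openssl parses neither.
cert_encoding() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null \
       && openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER
    else
        echo "not an X.509 certificate: $1" >&2
        return 1
    fi
}

# cert_convert IN OUT TARGET  (TARGET is PEM or DER). The signed content is
# untouched, so the fingerprint of IN and OUT must be identical.
cert_convert() {
    in_fmt=$(cert_encoding "$1") || return 1
    openssl x509 -in "$1" -inform "$in_fmt" -outform "$3" -out "$2"
}

# cert_fingerprint FILE -> SHA-256 fingerprint (colon-separated hex), whatever
# the file's encoding; used to check that a conversion changed nothing else.
cert_fingerprint() {
    fmt=$(cert_encoding "$1") || return 1
    openssl x509 -in "$1" -inform "$fmt" -noout -fingerprint -sha256 | cut -d= -f2
}
```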


2. Self-issued SSL certificates that are not trusted by browsers

1. Generate an RSA key and public key

openssl genrsa -des3 -out 33iq.key 1024
openssl rsa -in 33iq.key -pubout -out 33iq.pub

2. Copy a key file that does not require a password

openssl rsa -in 33iq.key -out 33iq_nopass.key

3. Generate a certificate request

openssl req -new -key 33iq.key -out 33iq.csr

4. Sign the certificate yourself

openssl x509 -req -days 365 -in 33iq.csr -signkey 33iq.key -out 33iq.crt

PS

The third command generates the certificate request; it prompts for the province, city, domain name and so on. Importantly, the email address must end in your domain name. This produces the csr file, and it is this csr file that you submit to the SSL provider. Here, of course, I did not apply to a certificate provider but signed the certificate myself in step 4.

3. Edit the configuration file nginx.conf and add the HTTPS protocol to the site

server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/33iq.crt;
    ssl_certificate_key /usr/local/nginx/conf/33iq_nopass.key;
    # If ssl_certificate_key points at 33iq.key instead, the key's password is asked for every time Nginx starts.
}

4. HTTPS encryption only for registration and login

Since HTTPS guarantees security, why do most websites in the world still use HTTP? The HTTPS protocol places a large load on the server. From a performance point of view we cannot afford to encrypt every access request of every user (except, of course, a god like Google). As an ordinary website, all we pursue is security while conducting transactions, password logins and similar operations. This can be done with rewrite rules in the Nginx server configuration.
Add the following configuration under the https server:

if ($uri !~* "/logging.php$")
{
    rewrite ^/(.*)$ http://$host/$1 redirect;
}

Add the following configuration under the http server:

if ($uri ~* "/logging.php$")
{
    rewrite ^/(.*)$ https://$host/$1 redirect;
}

This way a user goes through https when, and only when, accessing logging.php.

Some development frameworks decide whether the current request came in over https by checking whether the PHP variable $_SERVER['HTTPS'] is on. For those we need one extra line in the Nginx configuration to set that variable. Anyone who hits the problem of the https link being redirected back to http after the rewrite can refer to this.

server {
    ...
    listen 443;
    location ~ \.php$ {
        ...
        include fastcgi_params;
        fastcgi_param HTTPS on; # add this one line
    }
}
server {
    ...
    listen 80;
    location ~ \.php$ {
        ...
        include fastcgi_params;
    }
}

5. WildFly and Tomcat SSL configuration

A. Make a certificate

1. Generate an RSA key and public key:

openssl genrsa -des3 -out domain.key 1024
openssl rsa -in domain.key -pubout -out domain.pub

2. Copy a key file that does not require a password:

openssl rsa -in domain.key -out domain_nopass.key

3. Generate a certificate request:

openssl req -new -key domain.key -out domain.csr

4. CA signing (here, self-signed):

openssl x509 -req -days 365 -in domain.csr -signkey domain.key -out domain.crt

5. Create the pkcs12 file:

openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name default -CAfile domain.crt -caname root

6. Import the keystore file:

keytool -importkeystore -deststorepass <secret password> -destkeypass <secret password> -destkeystore domain.jks -srckeystore domain.p12 -srcstoretype PKCS12 -srcstorepass <secret password used in csr> -alias default

B. WildFly file configuration

PS1: WildFly runs in standalone mode, the unpacked WildFly package sits at /opt/wildfly-8.1.0.Final, and the file /opt/wildfly-8.1.0.Final/standalone/configuration/standalone.xml needs to be modified
PS2: Create a new folder named openssl under configuration and copy the generated keystore file into it

<?xml version='1.0' encoding='UTF-8'?>

<server xmlns="urn:jboss:domain:2.1">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        ……
        <extension module="org.wildfly.extension.undertow"/>
    </extensions>
    <management>
        <security-realms>
            <security-realm name="SslRealm">  <!-- this block is added -->
                <server-identities>
                    <ssl>
                        <keystore path="openssl/domain.jks" relative-to="jboss.server.config.dir" keystore-password="8546356"/>
                    </ssl>
                </server-identities>
            </security-realm>
            ……
        </security-realms>
    </management>
    <profile>
        <subsystem xmlns="urn:jboss:domain:undertow:1.1">
            <buffer-cache name="default"/>
            <server name="default-server">
                <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>  <!-- this line replaces the original listener statement -->
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
                <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
                <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
            </filters>
        </subsystem>
        ……
    </profile>
</server>

C. Tomcat file configuration

PS1: Tomcat is the binary package downloaded from the official website ( http://tomcat.apache.org/download-70.cgi ), unpacked to /opt/apache-tomcat-7.0.59; the file /opt/apache-tomcat-7.0.59/conf/server.xml needs to be modified
PS2: Copy the generated keystore file into the /opt/apache-tomcat-7.0.59/conf folder
PS3: The Tomcat server.xml file already ships with an SSL-related configuration, which you can modify
Before the modification, the ssl section is commented out:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

After the modification:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" enableLookups="false" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/domain.jks" keystorePass="8546356" />
