When visiting some websites recently, the browser shows the error "This site can't provide a secure connection: the client and server don't support a common SSL protocol version or cipher suite", as shown in the figure below.
1. Locating the problem
Click the lock icon next to the URL in the browser; the following appears:
Then click the website security link; the following appears:
Comparing the two, you can see that the domain is served over TLS 1.0, which is the cause of the problem: most browsers, Google Chrome included, have now completely disabled TLS 1.0. So we need to upgrade our server to support TLS 1.2 or above.
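Before and after the change it is worth confirming from the server side which TLS versions are actually negotiable, rather than relying on the browser's lock icon. The following probe is an added example and is not part of the original article; it uses only the Python standard library. It attempts one handshake per protocol version, the way openssl s_client does with -tls1, -tls1_1 and so on, and reports the verdict a current browser would reach. Certificate verification is deliberately switched off because only protocol negotiation is being tested. The helper start_closing_server is a constructed stand-in for a broken endpoint so the script can run offline; pass a real host and port on the command line to probe a live server.

```python
import socket
import ssl
import threading

# Protocol versions to try, oldest first. Python's ssl module maps these onto
# OpenSSL's minimum/maximum protocol version settings.
TLS_VERSIONS = (
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)
LEGACY = {"TLSv1.0", "TLSv1.1"}


def try_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns (True, negotiated_version) or (False, reason). Verification is
    off on purpose: we want to learn what the server negotiates, not whether
    its certificate chain is trusted by this machine.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it for the probe so a legacy-only server is reported as such
        # instead of being masked by a local policy error.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def probe(host, port, timeout=5.0):
    """Probe every version in TLS_VERSIONS; returns {name: (ok, detail)}."""
    return {name: try_version(host, port, ver, timeout) for name, ver in TLS_VERSIONS}


def summarize(results):
    """Turn probe results into the verdict a current browser would reach."""
    offered = {name for name, (ok, _) in results.items() if ok}
    if not offered:
        return "no TLS version negotiated"
    if offered <= LEGACY:
        return "only legacy TLS 1.0/1.1 offered: modern browsers will refuse"
    return "modern TLS available: " + ", ".join(sorted(offered - LEGACY))


def start_closing_server(host="127.0.0.1"):
    """Constructed stand-in for a broken endpoint: accepts and immediately
    closes every connection, so no version can be negotiated. Returns
    (listening_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            conn.close()

    threading.Thread(target=run, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        target, port, srv = sys.argv[1], int(sys.argv[2]), None
    else:
        srv, port = start_closing_server()
        target = "127.0.0.1"
    results = probe(target, port)
    for name, (ok, detail) in results.items():
        print("%-8s %s %s" % (name, "OK " if ok else "no ", detail))
    print(summarize(results))
    if srv:
        srv.close()
```

Run it as python probe.py www.example.com 443 against the real host; a server that only offers TLS 1.0, like the Tomcat connector described below, shows up as "only legacy TLS 1.0/1.1 offered".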
2. Upgrade to TLS 1.2
1. Principle
Previous architecture
Previously Tomcat itself listened for HTTPS on port 8443; the configuration in tomcat/conf/server.xml was as follows:
<Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
    connectionTimeout="20000"
    compression="on"
    compressionMinSize="512"
    compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/csv,application/javascript,application/json,application/xml"
/>
<Connector protocol="org.apache.coyote.http11.Http11Protocol" URIEncoding="UTF-8" port="8443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" disableUploadTimeout="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="../ssl3/sggk.jks" keystorePass="sggk123"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
/>
Although the Tomcat configuration lists TLSv1.2 in sslEnabledProtocols, the setting has no effect, because the older version in use (of Tomcat and the JDK it runs on) does not support it properly. Note also that the ciphers list still contains RC4 and 3DES suites, which current browsers reject regardless of the protocol version.
Adjusted architecture
So instead we let an nginx reverse proxy listen for HTTPS on port 8443 and forward the requests to Tomcat's HTTP port 8080.
2. Configure nginx
A reference configuration follows:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    underscores_in_headers on; # do not drop request headers whose names contain underscores
    #access_log logs/access.log main;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    # backend server group
    upstream www_test {
        # name of the server group
        #ip_hash;
        server 127.0.0.1:8080; # backend server; weight sets the load-balancing weight, the larger the weight the more requests the server receives
        #server 127.0.0.1:9092 weight=1;
    }
    server {
        listen 443 ssl;
        server_name www.test.cn;
        # paths containing a space must be quoted, otherwise nginx refuses to start
        ssl_certificate "D:/Tomcat 7.0/ssl/www.test.cn.pem";
        ssl_certificate_key "D:/Tomcat 7.0/ssl/www.test.cn.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # static resources served directly by nginx
        location /pm/v4/ {
            alias "D:/Tomcat 7.0/webapps/pm/v4/";
        }
        location /pm/jslib/ {
            alias "D:/Tomcat 7.0/webapps/pm/jslib/";
        }
        location /pm/css/ {
            alias "D:/Tomcat 7.0/webapps/pm/css/";
        }
        location /pm/images/ {
            alias "D:/Tomcat 7.0/webapps/pm/images/";
        }
        location /pm/temp/ {
            alias "D:/Tomcat 7.0/webapps/pm/temp/";
        }
        location /pm/main4.0/ {
            alias "D:/Tomcat 7.0/webapps/pm/main4.0/";
        }
        # everything else under /pm goes to Tomcat over plain HTTP
        location /pm {
            add_header Cache-Control 'no-store';
            client_max_body_size 300m;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_connect_timeout 1;
            proxy_send_timeout 240;
            proxy_read_timeout 240;
            proxy_pass http://www_test/pm;
        }
    }
}
Pay attention to the two SSL certificate file paths:
ssl_certificate "D:/Tomcat 7.0/ssl/www.test.cn.pem";
ssl_certificate_key "D:/Tomcat 7.0/ssl/www.test.cn.key";
Because the path contains a space it must be quoted; otherwise nginx reports an invalid number of arguments for the directive and fails to start. The certificate is either provided by the customer or requested from Alibaba Cloud or Tencent Cloud; download the nginx-format certificate (a PEM certificate plus a separate key file), which is different from the JKS keystore Tomcat uses. Note also that this configuration does not set ssl_protocols, so nginx falls back to its compiled-in default, which in older releases still includes TLSv1 and TLSv1.1; add ssl_protocols TLSv1.2 TLSv1.3; to the server block if those versions are to be refused outright.
Reference: configuring nginx with a free SSL certificate from Alibaba Cloud/Tencent Cloud (nginx HTTPS configuration)
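The Tomcat connector shown under "Previous architecture" and the nginx server block above both carry the settings that decide whether a browser will connect: the list of enabled protocol versions and the cipher suites. The following audit script is an added example, not part of the original article, and it reads constructed samples modelled on those two configurations (the keystore password is a placeholder). It parses a server.xml with the standard library XML parser, flags the protocol versions and JSSE suite names that current browsers refuse, and checks whether an nginx configuration sets ssl_protocols explicitly or silently relies on the compiled-in default. The list of "weak" suite markers is a heuristic of this example, not a Tomcat or nginx feature.

```python
import re
import xml.etree.ElementTree as ET

# Protocol names that current browsers refuse. Tomcat's sslEnabledProtocols
# uses the JSSE spelling ("TLSv1"); nginx's ssl_protocols uses the same names.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a JSSE cipher-suite name as obsolete (heuristic).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT", "MD5", "anon")

# Constructed sample modelled on the article's connector; in practice read
# tomcat/conf/server.xml. The keystore password is a placeholder.
TOMCAT_SERVER_XML = """<Service>
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      keystoreFile="../ssl3/example.jks" keystorePass="PLACEHOLDER"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
</Service>"""

# Constructed nginx server blocks: one like the article's (no ssl_protocols,
# so nginx's compiled-in default applies) and one with the versions pinned.
NGINX_DEFAULT_PROTOCOLS = """server {
    listen 443 ssl;
    ssl_ciphers HIGH:!aNULL:!MD5;
}"""
NGINX_EXPLICIT_PROTOCOLS = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}"""


def split_list(value):
    """Split a comma-separated attribute value, dropping blank entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def legacy_protocols(protocols):
    """Return, sorted, the protocol names browsers no longer accept."""
    return sorted(p for p in protocols if p in LEGACY_PROTOCOLS)


def weak_ciphers(ciphers):
    """Return, sorted, the suite names matching an obsolete-algorithm marker."""
    return sorted(c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS))


def audit_tomcat(server_xml):
    """Report, per SSL-enabled Connector, the protocols and suites to remove."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        findings.append({
            "port": conn.get("port"),
            "legacy_protocols": legacy_protocols(split_list(conn.get("sslEnabledProtocols", ""))),
            "weak_ciphers": weak_ciphers(split_list(conn.get("ciphers", ""))),
        })
    return findings


def audit_nginx(conf):
    """Check whether ssl_protocols is explicit and whether it admits legacy versions."""
    match = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf, re.MULTILINE)
    protocols = match.group(1).split() if match else []
    return {
        "protocols_explicit": match is not None,
        "legacy_protocols": legacy_protocols(protocols),
    }


if __name__ == "__main__":
    for f in audit_tomcat(TOMCAT_SERVER_XML):
        print("Tomcat connector %s: legacy protocols %s, weak suites %s"
              % (f["port"], f["legacy_protocols"], f["weak_ciphers"]))
    for label, conf in (("default", NGINX_DEFAULT_PROTOCOLS), ("explicit", NGINX_EXPLICIT_PROTOCOLS)):
        print("nginx (%s): %s" % (label, audit_nginx(conf)))
```

A connector that reports TLSv1 and TLSv1.1 plus RC4 and 3DES suites is the state the article starts from; after the change, the Tomcat side has no SSL-enabled connector at all and the check moves to the nginx block, where an empty protocols_explicit result is the reminder to pin ssl_protocols.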
3. Configure Tomcat
Remove the HTTPS connector and keep only the HTTP one:
<Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
    connectionTimeout="20000"
    compression="on"
    compressionMinSize="512"
    compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/csv,application/javascript,application/json,application/xml"
/>
3. Access the site through nginx
https://www.test.cn:8443/pm
(The reference configuration above uses listen 443 ssl; to keep port 8443 as in this URL, change it to listen 8443 ssl, or drop the port from the URL.)