Converting a project from HTTP to HTTPS

The company's customers suddenly lost access to the system. Checking the system itself, it was running as usual, but it could not be reached from the external network. After contacting the customer's IT department, the investigation found that requests to the system were being intercepted by the firewall, because:

This could not be allowed to continue.

Analysis: the likely reason was that the project had not enabled HTTPS.

We now need to switch the project from HTTP access to HTTPS access.

With the goal set, work began.

 

Technologies involved:

1. spring-boot;

2. node;

3. nginx;

4. openssl;

Platform:

Windows 7

 

Steps:

First, switch the backend from HTTP to HTTPS:

1. Add the following code to SSLConfig.java:

```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SSLConfig
{
    @Bean
    public TomcatServletWebServerFactory servletContainer()
    {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory()
        {
            @Override
            protected void postProcessContext(Context context)
            {
                // A CONFIDENTIAL constraint on /* makes Tomcat redirect every
                // plain-HTTP request to the connector's redirect port, so no
                // path can be served without TLS.
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());
        return tomcat;
    }

    // Additional plain-HTTP connector on 38080 whose only job is to redirect
    // callers to the HTTPS port 8443.
    private Connector initiateHttpConnector()
    {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(38080);
        connector.setSecure(false);
        connector.setRedirectPort(8443);
        return connector;
    }
}
```

2. Enable SSL in application.properties:

```properties
# Note: the RC4 and 3DES suites in this list are obsolete and should be removed in production
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# 'want' requests a client certificate but still accepts connections without one
server.ssl.client-auth=want
server.ssl.enabled=true
server.ssl.key-alias=spinfosec
server.ssl.key-store=classpath:keystore.p12
# placeholder; set to the real keystore password
server.ssl.key-store-password=%密码
server.ssl.key-store-type=PKCS12
server.ssl.protocol=TLS
```

3. Open Swagger in the browser; it loads normally. Configuration complete.
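The cipher list above is worth a second look before going live: it still offers RC4 and 3DES suites and several static-RSA suites without forward secrecy, and `client-auth=want` does not actually enforce client certificates. The following script is an added example (not code from the original post) that parses a Spring Boot `application.properties` file and reports these points; the properties text is a constructed copy of the one shown above, with the keystore password replaced by a placeholder.

```python
"""Audit the TLS settings in a Spring Boot application.properties file.

Added example, not from the original post. It parses the properties shown
above (embedded here as a constructed copy) and flags cipher suites that
current guidance treats as obsolete, plus two settings that are easy to
misread: client-auth=want and a keystore password kept in the file.
"""

# Constructed copy of the post's application.properties (password replaced).
SAMPLE_PROPERTIES = """\
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,\
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,\
TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
server.ssl.client-auth=want
server.ssl.enabled=true
server.ssl.key-alias=spinfosec
server.ssl.key-store= classpath:keystore.p12
server.ssl.key-store-password=CHANGEME
server.ssl.key-store-type=PKCS12
server.ssl.protocol=TLS
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#'/'!' comments, whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def classify_suite(suite):
    """Return the reasons a suite should not be offered (empty list = acceptable here)."""
    reasons = []
    if "RC4" in suite:
        reasons.append("RC4 stream cipher, prohibited for TLS by RFC 7465")
    if "3DES" in suite:
        reasons.append("3DES 64-bit block cipher (Sweet32 birthday attacks)")
    if "DHE" not in suite:
        # TLS_RSA_* / SSL_RSA_* use static RSA key exchange: a leaked server key
        # decrypts all recorded traffic, so there is no forward secrecy.
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def audit_ciphers(cipher_list):
    """Map each flagged suite in a comma-separated list to its reasons."""
    flagged = {}
    for suite in (s.strip() for s in cipher_list.split(",")):
        reasons = classify_suite(suite) if suite else []
        if reasons:
            flagged[suite] = reasons
    return flagged


def audit(props):
    """Summarise the security-relevant server.ssl.* settings."""
    return {
        "ssl_enabled": props.get("server.ssl.enabled") == "true",
        "weak_ciphers": audit_ciphers(props.get("server.ssl.ciphers", "")),
        # 'want' asks the browser for a client certificate but still accepts
        # connections without one; only 'need' enforces mutual TLS.
        "client_auth_enforced": props.get("server.ssl.client-auth") == "need",
        "password_in_file": bool(props.get("server.ssl.key-store-password")),
        "key_store_type": props.get("server.ssl.key-store-type"),
    }


def audit_text(text):
    return audit(parse_properties(text))


if __name__ == "__main__":
    report = audit_text(SAMPLE_PROPERTIES)
    for suite, reasons in report["weak_ciphers"].items():
        print(suite, "->", "; ".join(reasons))
    print("client auth enforced:", report["client_auth_enforced"])
    print("keystore password in file:", report["password_in_file"])
```

Run against the post's list it flags 8 of the 12 suites; only the four ECDHE/AES suites pass. Dropping the flagged suites (or leaving `server.ssl.ciphers` unset so the JVM defaults apply) is the simplest fix.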

Second, switch the front-end (Node) server from HTTP to HTTPS:

1. Create a cert folder in the Node server to hold the certificate files:

2. Create the files with the openssl tool:

OpenSSL download (Windows builds): https://slproweb.com/products/Win32OpenSSL.html

Generate the certificate from the command line:

```shell
# Generate the private key (1024-bit RSA as in the post; 2048 bits is the current minimum)
$ openssl genrsa -out privatekey.pem 1024

# Generate a certificate signing request (CSR) from the private key
$ openssl req -new -key privatekey.pem -out certsign.csr

# Self-sign the CSR with the private key to produce the certificate (default validity is 30 days)
$ openssl x509 -req -in certsign.csr -signkey privatekey.pem -out certificate.crt
```

3. The generated certificate files:

4. Reference the certificate files in app.js (snippet):

```javascript
var fs = require('fs');
var https = require('https');
// 'app' is the Express application created earlier in app.js (not shown in this snippet)

// certificate configuration
var options = {
    key: fs.readFileSync('./cert/privatekey.pem', 'utf8'),
    cert: fs.readFileSync('./cert/certificate.crt', 'utf8')
};
var httpsServer = https.createServer(options, app);

// start
var SSLPORT = 8180;
httpsServer.listen(SSLPORT, function() {
    console.log('HTTPS Server is running on: https://localhost:%s', SSLPORT);
});
```

5. Open the project in a browser; it loads normally. Configuration complete.
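"Loads normally" here means after clicking through the browser warning: the certificate from step 2 is self-signed and, with the default `openssl x509 -req` settings, expires after 30 days. The script below is an added example (not code from the original post) that connects to an HTTPS port and reports the negotiated protocol, the cipher suite and the certificate problems a browser would warn about. Host, port and the `cafile` argument are assumptions (the post's servers listen on 8443, 8180 and, later, 8843); the helper functions work on the dict returned by `ssl.SSLSocket.getpeercert()`, so they are exercised offline on a constructed certificate dict shaped like the step 2 certificate.

```python
"""Report what a browser will see when it connects to one of the HTTPS ports above.

Added example, not from the original post. probe_tls() needs a live server;
the helpers it uses are pure functions over getpeercert() dicts and are
demonstrated on a constructed self-signed certificate.
"""
import socket
import ssl
import time

# Constructed getpeercert()-style dict: subject == issuer (self-signed), CN only,
# and the 30-day validity that 'openssl x509 -req' produces by default.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Sep 30 00:00:00 2019 GMT",
    "notAfter": "Oct 30 00:00:00 2019 GMT",
}
SAMPLE_NOW = 1570233600.0  # constructed clock: 2019-10-05T00:00:00Z


def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdn_seq for attr, value in rdn}


def is_self_signed(cert):
    """openssl x509 -signkey yields a certificate whose issuer equals its subject."""
    return rdn_to_dict(cert.get("issuer", ())) == rdn_to_dict(cert.get("subject", ()))


def days_until_expiry(cert, now):
    """Days from the POSIX timestamp 'now' until notAfter (negative once expired)."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def matches_hostname(cert, hostname):
    """Match DNS SANs, falling back to the CN only when no SAN exists.

    Browsers are stricter and ignore the CN entirely, so a CN-only
    certificate like the step 2 one is always a mismatch for them.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = rdn_to_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # one-label wildcard: *.example.com covers a.example.com, not b.a.example.com
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def assess(cert, hostname, now):
    """Return the problems a browser would turn into warnings or errors."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed certificate: not trusted by browsers")
    if not matches_hostname(cert, hostname):
        findings.append("certificate does not cover hostname %s" % hostname)
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate expired %d days ago" % -days)
    elif days < 30:
        findings.append("certificate expires in %d days" % days)
    return findings


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Connect to host:port and return (protocol, cipher, findings).

    cafile is the trust anchor: for the self-signed certificate from step 2 pass
    certificate.crt itself, otherwise the system trust store is used. A chain that
    does not verify raises ssl.SSLCertVerificationError. Hostname checking is left
    to assess() so a mismatch is reported instead of aborting the handshake.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), tls.cipher()[0], assess(cert, host, time.time())


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    protocol, cipher, findings = probe_tls(host, port, cafile)
    print(protocol, cipher)
    for finding in findings or ["no certificate problems found"]:
        print(" -", finding)
```

Usage: `python probe.py localhost 8180 cert/certificate.crt` for the Node server with its self-signed certificate, or `python probe.py memory.mynatapp.cc 8843` once the CA-issued certificate from the third part is in place. The protocol and cipher printed on the first line are also the quickest way to confirm that none of the obsolete suites from the Spring Boot cipher list were actually negotiated.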

 

Third, access the project over HTTPS by domain name:

Prerequisites:

1. A domain name with HTTPS support (the domain must be filed/registered);

2. A Windows machine that can reach Baidu Cloud services.

Steps:

1. Open Baidu Cloud SSL services: https://cloud.baidu.com/product/ssl.html

2. Click Buy and choose the free DV certificate, which is valid for one year;

3. Click Request Certificate and select file validation;

4. On the server behind the domain name, create fileauth.txt containing the specified string, then wait for Baidu Cloud to scan the server automatically; a success message follows;

5. After validation succeeds, download the certificate;

6. Since nginx is used as the reverse proxy, choose the PEM_Nginx download;

7. Place the downloaded certificate files in the nginx directory;

8. nginx.conf:

```nginx
    server {
        # 'ssl' on listen is required for nginx to terminate TLS on this port;
        # without it the port speaks plain HTTP even though a certificate is configured
        listen       8843 ssl;
        server_name  memory.mynatapp.cc;

        ssl_certificate      memory.mxxxxxp.cc.crt;
        ssl_certificate_key  memory.mxxxxxp.cc.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # wechat front end
        location / {
            proxy_pass https://localhost:8181/;
        }
        # web front end (the Node HTTPS server from the second part)
        location /web/ {
            proxy_pass https://localhost:8180/;
        }
        # Spring Boot API, with WebSocket upgrade headers passed through
        location /api/ {
            proxy_pass https://localhost:28443/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
```

9. Restart nginx and open the browser to check the result;

10. Log in to the system; API requests work properly. Configuration complete.

 

Note:

1. Cross-origin (CORS) mode was used during development for interface debugging; after the formal launch it must be turned off so that the browser's same-origin policy is enforced.

2. I have recently become very interested in security; are there any recommended books on web security?


Source: www.cnblogs.com/tomotose/p/11609181.html