Why write this article?
Today a friend asked the group how to configure Tomcat SSL, that is, HTTPS. He had bought an Alibaba Cloud server with a public IP and had also obtained a free SSL certificate.
Since he @-mentioned me, I helped him work through it in practice. I used a user with sudo rather than root, and that is where the pitfalls began.
The pitfalls came from his (and my) incomplete understanding of Linux, so I am writing it down as a reminder to be careful.
Tomcat installation
Demonstrated on CentOS 7 with Tomcat 8.5.50. You need a JDK installed; OpenJDK is used here.
Download Tomcat from http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.50/bin/apache-tomcat-8.5.50.tar.gz
```bash
$ cd ~
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.50/bin/apache-tomcat-8.5.50.tar.gz # download into the home directory
$ tar zxvf apache-tomcat-8.5.50.tar.gz # unpack tomcat
$ cd apache-tomcat-8.5.50
$ bin/startup.sh # start tomcat
$ tail -f logs/catalina.out # watch the log output
```
You will find that Tomcat starts very slowly on Linux. This is because Tomcat blocks while obtaining random numbers: it reads /dev/random, which blocks until new entropy is available (see the Linux random-number devices /dev/random and /dev/urandom for the cause). We change bin/catalina.sh so that it uses the non-blocking /dev/urandom instead.
```bash
$ vim bin/catalina.sh
```
Near line 256, where JAVA_OPTS is set, add `-Djava.security.egd=file:/dev/./urandom` to specify the random number source, then save and exit.
Restart Tomcat:
```bash
$ bin/shutdown.sh
$ bin/startup.sh
$ tail -f logs/catalina.out
```
Startup is now very fast.
Access <127.0.0.1:8080> or
Installing APR
Looking at the startup log, you may find that a native library could not be found:
The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
The official site describes APR as follows: Tomcat can use the [Apache Portable Runtime](https://apr.apache.org/) to provide superior scalability, performance, and better integration with native server technologies.
Simply put, APR is a runtime environment optimized for the operating system that greatly improves server performance.
The easiest fix is to install apr-devel; for more details see http://tomcat.apache.org/tomcat-8.5-doc/apr.html
```bash
$ sudo yum install -y apr-devel
```
Changing the Tomcat port to 80
The default HTTP port is 80: when we type only an IP or domain name, the browser connects to port 80, so this is a useful configuration.
```bash
$ vim conf/server.xml
```
Around line 69, change 8080 to 80, then save and exit.
Restart Tomcat with the same commands as above; they are not repeated here.
If, like me, you are using a sudo user rather than root, you may be puzzled: "I visited 127.0.0.1, why is there no response?"
This is because on Linux a non-root user can by default only bind ports above 1024! I spent a long time in this pit today: I changed the security group, turned off the firewall and went through the configuration again and again without finding anything wrong, until I switched to the root user, everything worked, and the cause became clear.
Configuring an HTTPS SSL certificate
First download the certificate file and its password from the certificate authority's website. The certificate file has the suffix .pfx and the password is usually in pfx-password.txt. Configuring Tomcat with the pfx directly sometimes fails, so here we convert the pfx to a jks file.
First copy the .pfx certificate and the password file to the current directory, here the user's home directory.
Convert the pfx certificate to jks:
```bash
$ cd ~
$ cat pfx-password.txt # show the password; copy it, you will need it right away
$ keytool -importkeystore -srckeystore your-certificate.pfx -destkeystore domains.jks -srcstoretype PKCS12 -deststoretype JKS # you can name domains.jks anything you like, as long as it ends in .jks
```
Enter the password three times (you can simply paste the one you copied). Run ls and you will see that domains.jks has been generated.
Configuring server.xml
```bash
$ cp domains.jks ~/apache-tomcat-8.5.50/conf
$ cd ~/apache-tomcat-8.5.50
$ vim conf/server.xml
```
Around line 87, change the original 8443 to 443. The protocol attribute may also use a newer protocol implementation; for details see http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
As shown below, set keystoreFile to the absolute path of the jks and keystorePass to the certificate password (the same password you used when generating the jks from the pfx):
```xml
<!-- Enable SSL support; note that the redirectPort of the other connectors should be changed to 443 -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/your/path/apache-tomcat-8.5.50/conf/domains.jks"
           keystorePass="certificate-password"
           clientAuth="false" sslProtocol="TLS"
           connectionTimeout="20000" />
```
Change the default 8443 to 443 everywhere, so that the other connectors redirect to the encrypted port 443. Type the following in vim; it should report about 6 substitutions (including those in comments):
```
:1,$s/8443/443/g
```
Save, exit and restart Tomcat.
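As an added example that is not part of the original post, the following Python script makes the same server.xml changes the steps above describe (HTTP on 80, an SSL connector on 443, redirectPort retargeted to 443) by editing Connector attributes rather than a global 8443-to-443 substitution, and then lists the ports a non-root Tomcat cannot bind. The server.xml excerpt, keystore path and password are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed excerpt of a Tomcat 8.5 conf/server.xml (not the real shipped file)
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- redirectPort must become 443 once the SSL connector listens there -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

def enable_https(xml_text, keystore_file, keystore_pass, http_port=80, https_port=443):
    """Return server.xml with HTTP moved to http_port, an SSL connector on https_port,
    and every redirectPort="8443" retargeted to https_port. Comments are preserved
    and only Connector attributes are touched, unlike a global :s/8443/443/g."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    service = root.find("Service")
    for conn in service.findall("Connector"):
        if conn.get("port") == "8080" and conn.get("protocol") == "HTTP/1.1":
            conn.set("port", str(http_port))
        if conn.get("redirectPort") == "8443":
            conn.set("redirectPort", str(https_port))
    if not any(c.get("SSLEnabled") == "true" for c in service.findall("Connector")):
        ssl = ET.Element("Connector", {
            "port": str(https_port), "protocol": "HTTP/1.1", "SSLEnabled": "true",
            "maxThreads": "150", "scheme": "https", "secure": "true",
            "keystoreFile": keystore_file, "keystorePass": keystore_pass,
            "clientAuth": "false", "sslProtocol": "TLS", "connectionTimeout": "20000"})
        # place it before <Engine>, where Tomcat's shipped server.xml keeps its connectors
        service.insert(list(service).index(service.find("Engine")), ssl)
    return ET.tostring(root, encoding="unicode")

def connectors(xml_text):
    """(port, redirectPort, SSLEnabled) for every Connector, for post-edit checks."""
    return [(c.get("port"), c.get("redirectPort"), c.get("SSLEnabled"))
            for c in ET.fromstring(xml_text).iter("Connector")]

def privileged_ports(xml_text, euid=None):
    """Listening ports below 1024 that a non-root Tomcat cannot bind (the sudo-user pitfall)."""
    euid = os.geteuid() if euid is None else euid
    if euid == 0:
        return []
    return sorted({int(p) for p, _, _ in connectors(xml_text) if p and int(p) < 1024})
```

Because keystorePass sits in server.xml in plain text, restrict conf/server.xml and domains.jks to the Tomcat user (for example chmod 600).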
Follow-up
If you have followed along to here, your Tomcat should now serve HTTPS with your certificate.
Since this is the first pitfall I have written up, a few more problems you may run into:
- The ECS server's security group controls the inbound and outbound rules. By default all inbound traffic is denied and all outbound traffic is allowed, so remember to open ports 80 and 443 for inbound traffic.
- In some regions, Alibaba ECS security groups can only be used with a VPC (专用网络), which differs from the classic network (经典网络): in the classic network the public network and the internal network can be configured separately, whereas in a VPC the security group's default rules are shown as internal network (内网) and should not be modified. After checking Alibaba's documentation, we found that in a VPC the security group rules (安全组配置) take effect for both the public network and the internal network.
- By default a non-root Linux user has no permission to use ports below 1024.