教你如何配置阿里云免费HTTPS证书(Tomcat版)

简介: 效果图 第一步:阿里云申请免费的SSL证书 申请免费证书比较简单,坑比较少,故不多说,网上很多相关资料免费证书支持多个服务器,这里演示的是Tomcat服务器 证书需要绑定你购买的域名 点我领取阿里云2000元代金券,(阿里云优惠券的作用:购买阿里云产品,最后支付结算的时候,阿里云优惠券可抵扣一部分费用。


效果图


image.png


第一步:阿里云申请免费的SSL证书


申请免费证书比较简单,坑比较少,故不多说,网上很多相关资料
免费证书支持多个服务器,这里演示的是Tomcat服务器


证书需要绑定你购买的域名


点我领取阿里云2000元代金券,(阿里云优惠券的作用:购买阿里云产品,最后支付结算的时候,阿里云优惠券可抵扣一部分费用。

阿里云ssl证书控制中心


image.png
一定要是签发状态


点我领取阿里云2000元代金券,(阿里云优惠券的作用:购买阿里云产品,最后支付结算的时候,阿里云优惠券可抵扣一部分费用。

第二步:配置Tomcat


从阿里云SSL控制台下载SSL证书并解压


image.png


把解压的文件放入远程服务器Tomcat目录下的cert目录(新建cert目录)


image.png


点我领取阿里云2000元代金券,(阿里云优惠券的作用:购买阿里云产品,最后支付结算的时候,阿里云优惠券可抵扣一部分费用。

进入Tomcat conf目录配置server.xml文件


<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not

 define subcomponents such as "Valves" at this level.
 Documentation at /docs/config/server.html

-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

<!-- Global JNDI resources

   Documentation at /docs/jndi-resources-howto.html

-->
<GlobalNamingResources>

&lt;!-- Editable user database that can also be used by
     UserDatabaseRealm to authenticate users
--&gt;
&lt;Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" /&gt;

</GlobalNamingResources>

<!-- A "Service" is a collection of one or more "Connectors" that share

   a single "Container" Note:  A "Service" is not itself a "Container",
   so you may not define subcomponents such as "Valves" at this level.
   Documentation at /docs/config/service.html

-->
<Service name="Catalina">

&lt;!--The connectors can use a shared executor, you can define one or more named thread pools--&gt;
&lt;!--
&lt;Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
    maxThreads="150" minSpareThreads="4"/&gt;
--&gt;
&lt;!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
--&gt;
&lt;Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
            maxHttpHeaderSize="8192"
           redirectPort="443" /&gt;
&lt;!-- A "Connector" using the shared thread pool--&gt;
&lt;!--
&lt;Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" /&gt;
--&gt;
&lt;!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation. The default
     SSLImplementation will depend on the presence of the APR/native
     library and the useOpenSSL attribute of the
     AprLifecycleListener.
     Either JSSE or OpenSSL style configuration may be used regardless of
     the SSLImplementation selected. JSSE style configuration is used below.
--&gt;

&lt;Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"&gt;
    &lt;SSLHostConfig&gt;
       &lt;Certificate  certificateKeystoreFile="/usr/local/tomcat/apache-tomcat-8.5.30/cert/证书名字.pfx"
                     certificateKeystoreType="PKCS12" 
                     certificateKeystorePassword="证书密码" /&gt;
    &lt;/SSLHostConfig&gt;
&lt;/Connector&gt;

&lt;!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
--&gt;
&lt;!--
&lt;Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" &gt;
    &lt;UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /&gt;
    &lt;SSLHostConfig&gt;
        &lt;Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" /&gt;
    &lt;/SSLHostConfig&gt;
&lt;/Connector&gt;
--&gt;
&lt;!-- Define an AJP 1.3 Connector on port 8009 --&gt;
&lt;Connector port="8009" protocol="AJP/1.3" redirectPort="443" /&gt;
&lt;!-- An Engine represents the entry point (within Catalina) that processes
     every request.  The Engine implementation for Tomcat stand alone
     analyzes the HTTP headers included with the request, and passes them
     on to the appropriate Host (virtual host).
     Documentation at /docs/config/engine.html --&gt;

&lt;!-- You should set jvmRoute to support load-balancing via AJP ie :
&lt;Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"&gt;
--&gt;
&lt;Engine name="Catalina" defaultHost="localhost"&gt;

  &lt;!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html  (simple how to)
      /docs/config/cluster.html (reference documentation) --&gt;
  &lt;!--
  &lt;Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/&gt;
  --&gt;

  &lt;!-- Use the LockOutRealm to prevent attempts to guess user passwords
       via a brute-force attack --&gt;
  &lt;Realm className="org.apache.catalina.realm.LockOutRealm"&gt;
    &lt;!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  --&gt;
    &lt;Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/&gt;
  &lt;/Realm&gt;

  &lt;Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true"&gt;

    &lt;!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html --&gt;
    &lt;!--
    &lt;Valve className="org.apache.catalina.authenticator.SingleSignOn" /&gt;
    --&gt;

    &lt;!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" --&gt;
    &lt;Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &amp;quot;%r&amp;quot; %s %b" /&gt;

  &lt;/Host&gt;
&lt;/Engine&gt;

</Service>
</Server>


第三步:去掉8443端口


上面配置文件已经把8443端口去掉了。如果想改回来,只要把截图中的443更换为8443端口,或者其它你想要的端口号。


image.png


image.png


点我领取阿里云2000元代金券,(阿里云优惠券的作用:购买阿里云产品,最后支付结算的时候,阿里云优惠券可抵扣一部分费用。

第四步:http自动重定向到https


tomcat conf目录下的web.xml末尾加上如下配置:


<security-constraint>
&lt;web-resource-collection &gt;
          &lt;web-resource-name &gt;SSL&lt;/web-resource-name&gt;
          &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
   &lt;/web-resource-collection&gt;

   &lt;user-data-constraint&gt;
   &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;
   &lt;/user-data-constraint&gt;

</security-constraint>


前提是Http和Https都可正常访问的情况下。

阿里云服务器:活动地址

购买可领取:阿里云代金券

目录
相关文章
|
3月前
|
网络协议 Java 应用服务中间件
tomcat配置域名及HTTPS
tomcat配置域名及HTTPS
|
3天前
|
安全 应用服务中间件 网络安全
49.3k star,本地 SSL 证书生成神器,轻松解决 HTTPS 配置痛点
mkcert是一款由Filippo Valsorda开发的免费开源工具,专为生成受信任的本地SSL/TLS证书而设计。它通过简单的命令自动生成并安装本地信任的证书,使本地环境中的HTTPS配置变得轻松无比。mkcert支持多个操作系统,已获得49.2K的GitHub Star,成为开发者首选的本地SSL工具。
|
1月前
|
安全 应用服务中间件 Shell
nginx配置https的ssl证书和域名
nginx配置https的ssl证书和域名
|
2月前
|
数据安全/隐私保护 Docker 容器
配置Harbor支持https功能实战篇
关于如何配置Harbor支持HTTPS功能的详细教程。
76 12
配置Harbor支持https功能实战篇
|
2月前
HAProxy的高级配置选项-配置haproxy支持https协议及服务器动态上下线
文章介绍了如何配置HAProxy以支持HTTPS协议和实现服务器的动态上下线。
134 8
HAProxy的高级配置选项-配置haproxy支持https协议及服务器动态上下线
|
2月前
|
分布式计算 Hadoop Devops
Hadoop集群配置https实战案例
本文提供了一个实战案例,详细介绍了如何在Hadoop集群中配置HTTPS,包括生成私钥和证书文件、配置keystore和truststore、修改hdfs-site.xml和ssl-client.xml文件,以及重启Hadoop集群的步骤,并提供了一些常见问题的故障排除方法。
67 3
Hadoop集群配置https实战案例
|
2月前
|
Linux Docker Windows
Docker配置https证书案例
本文介绍了如何为Docker的Harbor服务配置HTTPS证书,包括安装Docker和Harbor、修改配置文件以使用证书、生成自签名证书、配置证书以及验证配置的步骤。
149 2
Docker配置https证书案例
|
2月前
|
应用服务中间件 网络安全 Apache
HTTPS配置
HTTPS配置
121 11
|
2月前
|
监控 安全 应用服务中间件
如何配置HTTPS协议?
如何配置HTTPS协议?
151 4
|
3月前
|
Web App开发 存储
常见抓包工具配置抓取HTTPS
常见抓包工具配置抓取HTTPS