Apache 和 Tomcat 的 SSL 問題
我有一台執行 Apache 和 Tomcat 的伺服器。前端應用程序(內置 angularjs)在 Apache 中執行,我在那里安裝了 SSL 證書,它工作正常,我可以使用 HTTPS 訪問,並且瀏覽器信任證書。但是這個應用程序正在使用來自同一伺服器中的另一個應用程序的一些服務,但它使用 Tomcat 8 執行(因為它是一個用 Java 建構的應用程序)。
問題是瀏覽器(chrome)不允許 https 中的站點使用不使用 SSL 的另一台伺服器(實際上它在同一台伺服器上執行,但它是不同的應用程序)的服務。因此,我嘗試在 Tomcat 的 Apache 中使用相同的 SSL。但是我不能讓它工作。根據我正在閱讀的內容,我需要將證書添加到密鑰庫中,但是當我嘗試這樣做時,證書被列為trustedCertEntry 並且根據文件是因為我沒有使用我用來生成的相同別名私鑰….但是當我創建私鑰時我沒有使用別名,所以我不知道如何解決這個問題……
總結:執行 Apache 中的應用程序(埠 80)和 Tomcat 中的其他應用程序(埠 8080)的伺服器。在 Apache 中,設置可以使用 SSL 我生成私鑰:
openssl genrsa -out mydomain.key 2048 openssl req -new -key mydomain.key -out mydomain.csr
然後我嘗試將證書添加到密鑰庫
keytool -import -keystore mydomain -alias mydomain -file [certificate file]
但它被列為trustedCertEntry,並且tomcat 無法在埠8080 或8443 中使用HTTPS。
我錯過了什麼?我可以用一個證書做到這一點嗎?或者即使它們在同一台伺服器上,我也需要兩個?
我的 server.xml 是
<?xml version="1.0" encoding="UTF-8"?>
http://www.apache.org/licenses/LICENSE-2.0
除非適用法律要求或書面同意,否則根據許可分發的軟體將按“原樣”分發,沒有任何明示或暗示的保證或條件。有關許可下的特定語言管理權限和限制,請參閱許可。–> –>
<!--The connectors can use a shared executor, you can define one or more named thread pools--> <!-- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150" minSpareThreads="4"/> --> <!-- A "Connector" represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <!-- A "Connector" using the shared thread pool--> <!-- <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> --> <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation. The default SSLImplementation will depend on the presence of the APR/native library and the useOpenSSL attribute of the AprLifecycleListener. Either JSSE or OpenSSL style configuration may be used regardless of the SSLImplementation selected. JSSE style configuration is used below. --> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" /> </SSLHostConfig> </Connector> <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 This connector uses the APR/native implementation which always uses OpenSSL for TLS. Either JSSE or OpenSSL style configuration may be used. OpenSSL style configuration is used below. --> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" certificateFile="conf/localhost-rsa-cert.pem" certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA" /> </SSLHostConfig> </Connector> <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). Documentation at /docs/config/engine.html --> <!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> --> <Engine name="Catalina" defaultHost="localhost"> <!--For clustering, please take a look at documentation at: /docs/cluster-howto.html (simple how to) /docs/config/cluster.html (reference documentation) --> <!-- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> --> <!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack --> <Realm className="org.apache.catalina.realm.LockOutRealm"> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <!-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> <!-- Access log processes all example. Documentation at: /docs/config/valve.html Note: The pattern used is equivalent to using pattern="common" --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" /> </Host> </Engine>
對於包含不安全內容的 ssl 站點,瀏覽器可能會有些好笑。如果您在 Apache 上使用 SSL,則可以使用 Apache 作為反向代理來發布 Tomcat 應用程序,可以使用 ajp 連接器或反向代理。這樣你就完全不用擔心 Tomcat 上的 SSL,它全部在 Apache 伺服器上處理(tomcat 和 apache 之間的連接並不安全,但無論如何都應該在專用網路上)。所有必要的文件都來自 apache:
tomcat AJP 文件不是特別清楚 - 只需編輯 conf/server.xml 文件,並取消註釋/包含以下位以使 tomcat 接受 ajp 請求:
<Service name="Catalina"> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> ...