http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
1. Generate a self-signed Tomcat certificate
keytool -genkey -alias tomcat -keyalg RSA -keystore self.jks
Enter keystore password:                 (choose a keystore password)
Re-enter new password:                   (repeat it)
What is your first and last name?
[Unknown]: localhost                     (enter localhost; this becomes the CN and must match the host Apache proxies to in step 5)
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):   (just press Enter)
This writes self.jks in the current directory. Two things worth knowing: `-genkey` is the old name of `-genkeypair`, and without `-validity` the certificate expires after keytool's default of 90 days, so add `-validity 365` (or longer) unless you want to redo this soon. The keystore now contains the private key, so keep it readable only by root and the Tomcat user (for example `chmod 640`).
2. Make the system trust the certificate
keytool -exportcert -alias tomcat -keystore self.jks -file self.cer
sz self.cer
Transfer self.cer to Windows, open it, go to Details -> Copy to File -> Base64-encoded X.509, and save it as self.crt.
rz
Send self.crt back to the server.
(The Windows round trip only converts DER to PEM; `keytool -exportcert -rfc ... -file self.crt` writes the Base64 X.509 form directly.)
sudo mkdir -p /usr/share/ca-certificates/tomcat
sudo cp self.crt /usr/share/ca-certificates/tomcat
sudo dpkg-reconfigure ca-certificates
Answer yes at the first prompt, then press Space to select self.crt and press Enter. Only files ending in .crt are offered. This adds the certificate to the system bundle (/etc/ssl/certs/ca-certificates.crt) used by curl, wget and similar tools; it does not by itself make Apache verify Tomcat's certificate, because mod_ssl's SSLProxyVerify defaults to none (see step 5).
3. Enable SSL in Tomcat
Open /etc/tomcat8/server.xml and change the connector section to the following:

```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           proxyPort="443"
           keystoreFile="/path/to/self.jks" keystorePass="keystore password" />
```

Notes: keystorePass is stored in clear text, so server.xml must not be world-readable. proxyPort="443" makes Tomcat build redirects with the public port; add proxyName with the public hostname for the same reason. clientAuth="want" asks every TLS client for a client certificate; Apache will not send one, but a browser that reaches port 8443 directly gets a certificate-selection prompt, so use clientAuth="false" unless you intend mutual TLS, and bind the connector to 127.0.0.1 (address attribute) so that port 8443 is reachable only through Apache.
4. Enable the Apache SSL and proxy modules
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/proxy.load .
sudo ln -s ../mods-available/proxy_http.load .
sudo ln -s ../mods-available/ssl.load .
`sudo a2enmod ssl proxy proxy_http` does the same and additionally links the modules' .conf files and the modules they depend on.
5. Apache reverse-proxy configuration

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.example.com
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile      /path/to/https/cert/certificate.crt
    SSLCertificateKeyFile   /path/to/https/cert/certificate.key
    SSLCertificateChainFile /path/to/https/cert/chained.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # Required because the backend URL below is https://
    SSLProxyEngine on
    # Exclude a path from proxying (served from DocumentRoot instead):
    #ProxyPass /not/proxy/sub/path !
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Notes: SSLCertificateChainFile is deprecated since Apache 2.4.8; append the chain to the file given in SSLCertificateFile instead. As written, Apache does not check Tomcat's certificate at all, because SSLProxyVerify defaults to none; to make the trust store from step 2 matter, add `SSLProxyVerify require` and point `SSLProxyCACertificateFile` at self.crt (the CN=localhost chosen in step 1 then matches the localhost in ProxyPass). Add `ProxyPreserveHost On` if Tomcat should see www.example.com rather than localhost in the Host header.
Run `sudo apache2ctl configtest`, then restart Apache and Tomcat.
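The five steps above as one non-interactive script, added here as an example and not code from the original post. It covers steps 1, 2, 4 and 5 (step 3, editing server.xml, stays manual) and ends with a check that Apache really verifies Tomcat's certificate, which the page's own configuration does not do. Assumptions not on the page: the keystore is installed as /etc/tomcat8/self.jks for the Debian tomcat8 package (user and group tomcat8), the public certificate and key are placeholders under /etc/ssl/example/, the site name tomcat-ssl and the file name setup-tls.sh are invented, and the certificate is registered through /usr/local/share/ca-certificates plus update-ca-certificates, the non-interactive equivalent of dpkg-reconfigure ca-certificates.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1, 2, 4 and 5 as a script for
# Debian/Ubuntu, plus a verification step. Paths, the site name and the tomcat8
# user/group are assumptions; see the text above.
set -eu

ALIAS=tomcat
KS=self.jks                                   # generated here, then installed below
KS_DEST=/etc/tomcat8/self.jks                 # value for keystoreFile in step 3 (assumed)
KS_PASS=${KS_PASS:-changeit}                  # take the password from the environment
LOCAL_CA=/usr/local/share/ca-certificates/tomcat-self.crt

# Step 1 without prompts: -dname answers keytool's questions. CN=localhost must equal
# the host in ProxyPass below; the SAN is added because browsers and most modern
# TLS clients ignore CN and require a subjectAltName.
gen_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
    -ext "SAN=dns:localhost,ip:127.0.0.1" \
    -keystore "$KS" -storepass "$KS_PASS" -keypass "$KS_PASS"
  # The keystore holds the private key: root-owned, readable by the Tomcat group only.
  sudo install -o root -g tomcat8 -m 640 "$KS" "$KS_DEST"
}

# Step 2 without the Windows round trip: -rfc writes PEM (Base64 X.509) directly.
# update-ca-certificates picks up *.crt under /usr/local/share/ca-certificates.
export_and_trust() {
  keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KS" -storepass "$KS_PASS" -file self.crt
  is_pem_cert self.crt || { echo "self.crt is not PEM" >&2; return 1; }
  sudo install -m 644 self.crt "$LOCAL_CA"
  sudo update-ca-certificates
}

# A PEM certificate carries a BEGIN CERTIFICATE line; the DER file that
# keytool -exportcert writes without -rfc has none. Returns 0 for PEM.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Steps 4 and 5: a2enmod is the symlinks from step 4 plus the modules' .conf files.
# Unlike the page's vhost, this one verifies Tomcat's certificate (SSLProxyVerify
# defaults to none) and checks its name against the host in ProxyPass.
configure_apache() {
  sudo a2enmod ssl proxy proxy_http
  sudo tee /etc/apache2/sites-available/tomcat-ssl.conf >/dev/null <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    ErrorLog \${APACHE_LOG_DIR}/ssl_error.log
    CustomLog \${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    # Placeholder paths; on 2.4.8+ the chain is appended to SSLCertificateFile.
    SSLCertificateFile    /etc/ssl/example/certificate.crt
    SSLCertificateKeyFile /etc/ssl/example/certificate.key

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile $LOCAL_CA
    SSLProxyCheckPeerName on

    ProxyPreserveHost On
    ProxyPass        / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
</IfModule>
EOF
  sudo a2ensite tomcat-ssl
  sudo apache2ctl configtest
  sudo systemctl restart tomcat8 apache2
}

# Check: the handshake to Tomcat must verify against the system bundle
# ("Verify return code: 0 (ok)"), and the public vhost must answer over TLS.
verify() {
  openssl s_client -connect localhost:8443 -CAfile /etc/ssl/certs/ca-certificates.crt \
    </dev/null 2>&1 | grep 'Verify return code'
  curl -sSI --resolve www.example.com:443:127.0.0.1 https://www.example.com/ | head -n 1
}

# Runs only as "sh setup-tls.sh run", so the file can also be sourced for its functions.
if [ "${1:-}" = run ]; then
  gen_keystore
  export_and_trust
  configure_apache
  verify
fi
```

Run it as `KS_PASS='...' sh setup-tls.sh run` after step 3 has been done by hand with keystoreFile="/etc/tomcat8/self.jks". If verify prints anything other than `Verify return code: 0 (ok)`, the certificate Tomcat presents is not the one registered in step 2, which is exactly the case SSLProxyVerify require is there to catch.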