今天给网站添加SSL证书加密连接,说白了就是之前的是http协议访问, 添加完之后就是https协议访问,结果遇到了一堆问题,特此总结一下。
前言:我采用的是沃通证书免费证书,已经给证书设置里密码并且已经下载到本地了,文件名:www.dtxzw.jks
一.Web容器采用的是Tomcat,Tomcat如何配置SSL证书?
解决方案:
- 先把证书文件复制到tomcat的 conf目录下面
- 打开conf目录下的server.xml文件,找到并修改以下内容:
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
去掉注释并修改为:
< Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="conf/www.dtxzw.jks" keystorePass="证书密码"
clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" />
然后就可以吧tomcat 跑起来 用https://试试啦
如果您希望在中文页面显示认证标识,则在中文页面添加如下代码:
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript" SRC="https://seal.wosign/tws.js"></SCRIPT>
如果您希望在中文页面显示认证标识,则在英文页面添加如下代码:
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript" SRC="https://seal.wosign/tws-en.js"></SCRIPT>
当然,我的证书是沃通的所以链接的是他们的js文件。
这时候我门发现,只能自己指定https://+自己的域名访问,的时候,才会出现https访问,不指定还是会走http协议,我们不能要求用户每次发布除了打域名还要打https:// 吧?
二.配置tomcat http强制转 https
- 强制HTTP转HTTPS 对工程的web.xml进行修改,加入:
<security-constraint>
<web-resource-collection>
<web-resource-name>OPENSSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
- 禁用tomcat不安全的http方法 在tomcat/conf/web.xml最后加上一个节点
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint></auth-constraint>
</security-constraint>
- 这样就配置好了,直接用域名访问试试吧。
三.本人还遇到一个问题,申请证书的时候,我填写的域名的是www.dtxzw,后来才知道dtxzw和填写的是有区别的,导致,最后用dtxzw访问提示不安全,十分头痛的问题啊,也找到了解决方案!
1.tomcat配置301重定向
顾名思义,就是你如果访问 dtxzw 服务器把你转到www.dtxzw。可以使用UrlRewriteFilter来实现。
2.开始配置
下载UrlRewriteFilter
wget http://urlrewritefilter.googlecode/files/urlrewritefilter-4.0.3.jar
并放入tomcat的 WEB-INF/lib下
3.编辑WEB-INF/web.xml 在其它servlet mapping前加入
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
4.添加跳转规则
在WEB-INF下新建urlrewite.xml文件,加入跳转规则
<urlrewrite>
<rule>
<name>seo redirect</name>
<condition name="host" operator="notequal">^www.example</condition>
<condition name="host" operator="notequal">^localhost</condition>
<from>^/(.*)</from>
<to type="permanent-redirect" last="true">http://www.example/$1</to>
</rule>
</urlrewrite>
这样就结束啦
另外一种解决方案
- 创建filter
package com.jeecmsmon.web;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class WwwFilter implements Filter {
private String originUrl;
private String targetUrl;
public void init(FilterConfig filterConfig) throws ServletException {
this.originUrl = filterConfig.getInitParameter("originUrl");//来源url地址
this.targetUrl = filterConfig.getInitParameter("targetUrl");//目标url地址
}
public void destroy() {
}
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
String hostName = req.getServerName();
if (hostName.startsWith(originUrl)) {
HttpServletResponse response = (HttpServletResponse) resp;
HttpServletRequest httpRequest = (HttpServletRequest) req;
String queryString = (httpRequest.getQueryString() == null ? "" : "?" + httpRequest.getQueryString());
response.setStatus(301);
String requestUrl = httpRequest.getRequestURL().toString();
requestUrl = requestUrl.replace(originUrl, targetUrl);
response.setHeader("Location", requestUrl + queryString);
response.setHeader("Connection", "close");
} else {
chain.doFilter(req, resp);
}
}
}
在web.xml文件中配置filter
<filter>
<filter-name>WwwFilter</filter-name>
<filter-class>com.jeecmsmon.web.WwwFilter</filter-class>
<init-param>
<param-name>originUrl</param-name>
<param-value>dtxzw</param-value>
</init-param>
<init-param>
<param-name>targetUrl</param-name>
<param-value>www.dtxzw</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>WwwFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
证书可以绑定多个域名的,所以在寻求另外一种解决方案,重新申请证书,免费嘛……..
最后一点:请保存好收到的证书压缩包文件及密码,以防丢失!!!
更多推荐
Java Web网站搭建SSL证书的问题与解决方案
发布评论