服务器https配置

• tomcat https配置

1.生成证书：

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  -keystore /usr/local/webserver/apache-tomcat-6.0.35/tomcat.keystore 

2.修改server.xml

去掉下边注释

<!--<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 

maxThreads="150" scheme="https" secure="true"

clientAuth="false"  sslProtocol="TLS" />-->

加入keystoreFile="tomcat.keystore“

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 

maxThreads="150" scheme="https" secure="true"

clientAuth="false"  sslProtocol="TLS" 

keystoreFile="tomcat.keystore“ keystorePass="tomcat"/>

3.重启tomcat

4.测试https

https://localhost:8443(注意是https不是http)

5.强制https

修改web.xml，在</welcome-file-list>后面加上

<login-config>  
        <!-- Authorization setting for SSL -->  
        <auth-method>CLIENT-CERT</auth-method>  
        <realm-name>Client Cert Users-only Area</realm-name>  
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection >
            <web-resource-name >SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

• nginx https配置

1.生成证书

cd /usr/local/webserver/nginx/conf

openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

2.修改ningx.conf

ssl_certificate      server.crt;
ssl_certificate_key  server.key;