关于阿里PFX证书设置Tomcat的连接为https并无端口号项目名连接
Tomcat 7的配置和Tomcat7以上的配置有些更改
首先登录阿里云SSL证书控制台,下载证书
下载下来就有2个文件,一个证书文件(以.pfx为后缀或文件类型),一个密码文件(以.txt为后缀或文件类型)
有了这两个东西后可以开始配置Tomcat了
Tomcat 7的配置:
找到安装Tomcat目录下该文件server.xml,一般默认路径都是在 conf 文件夹中。找到 <Connection port=”8443”标签,增加如下属性:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="cert/a.pfx"
keystoreType="PKCS12"
keystorePass="证书密码"
clientAuth="false"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
keystoreFile最好填绝对路径如:certificateKeystoreFile="/usr/local/tomcat/cert/abc.com.pfx"
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
改为
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
改为
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
HOST中的Context标签内容
<Context path="" docBase="/usr/java/tomcat/apache-tomcat-7.0.93/webapps/项目名" reloadable="true" source="org.eclipse.jst.jee.server:项目名"></Context>
Tomcat 7以上的配置:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="cert/a.pfx"
certificateKeystoreType="PKCS12" certificateKeystorePassword="证书密码" />
</SSLHostConfig>
</Connector>
keystoreFile最好填绝对路径如:certificateKeystoreFile="/usr/local/tomcat/cert/abc.com.pfx"
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
改为
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
改为
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
HOST中的Context标签内容
<Context path="" docBase="/usr/java/tomcat/apache-tomcat-8.5.39/webapps/项目名" reloadable="true" source="org.eclipse.jst.jee.server:项目名"></Context>
最后重启Tomcat,访问网站可以看到域名前或公网IP前多了https 如下图
如果没有,则配置web.xml
(可选)找到web.xml文件开启HTTP强制跳转HTTPS
在welcome-file-list结束标签后添加以下内容:(Tomcat 的welcome-file-list结束标签一般都在最下面)
#在</welcome-file-list>后添加
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>