For security reasons, the REST service our project publishes through Dubbo needed to be reachable over HTTPS. The service originally ran on the embedded Tomcat that Dubbo's rest protocol starts, and that embedded Tomcat offers no way to configure HTTPS, so some rework was unavoidable: adjust the various configurations and deploy the service to an external Tomcat instead. The rough procedure is: generate a certificate (keystore), set the Tomcat server parameters, and set the Dubbo service parameters. Details follow.
Certificate generation
- Change into the JDK's bin directory (where keytool lives) and run:
keytool -genkey -alias mykeystore -keyalg RSA -keysize 2048 -validity 30000 -keypass mypass -storepass mypass -keystore E:/mykeystore.keystore
keytool prompts for the distinguished name; the CN must be the host name that clients will use to reach the service, otherwise they will reject the certificate even after trusting it. -keypass protects the private key and -storepass the keystore file; Tomcat's keystorePass below is the keystore password, so keeping the two identical (as here) avoids having to configure keyPass separately. -keysize 2048 is added explicitly because older keytool versions default to 1024-bit RSA. Note that -validity 30000 days is roughly 82 years; a self-signed certificate for internal use works with that, but a much shorter lifetime is the safer choice. This keystore is self-signed, so every client will have to import it into its trust store (or you obtain a CA-issued certificate instead).
- Inspect the keystore:
keytool -list -v -keystore E:/mykeystore.keystore
Tomcat configuration
Open conf/server.xml under the Tomcat directory and make the following changes:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
change to:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->
change to (remove the comment markers and add the keystore attributes):
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/tomcat/mykeystore.keystore" keystorePass="mypass"/>
Note: keystoreFile is the path to the keystore and keystorePass is the keystore password chosen when the keystore was generated (if the private-key password differs from the keystore password, add keyPass as well). clientAuth="false" means clients are not asked for a certificate; only the server is authenticated. Because the password sits in clear text in server.xml, restrict that file's permissions to the Tomcat user. Ports 80 and 443 are privileged on Linux, so Tomcat must either run as root (not recommended), be granted CAP_NET_BIND_SERVICE, or sit behind a port redirect or reverse proxy; keeping the default 8080/8443 avoids the issue entirely as long as redirectPort and the Dubbo port below are changed consistently.
<!--
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />
-->
change to:
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
The AJP connector is only needed if a front-end web server (for example Apache httpd via mod_jk or mod_proxy_ajp) forwards requests to Tomcat. If nothing does, leave it commented out; if it is needed, bind it to loopback with address="127.0.0.1" so it is not reachable from the network.
Dubbo service configuration
- Service configuration
In pom.xml, switch the packaging to war:
<packaging>war</packaging>
In provider.xml, change the protocol configuration:
<dubbo:protocol name="rest" port="443" contextpath="dop" server="tomcat"/>
<dubbo:protocol name="http" port="8889" />
The port and contextpath of the rest protocol must match the Tomcat connector port and the war's context path, because that is the address Dubbo registers for consumers. One thing to check: when the service is hosted by an external servlet container, Dubbo's documentation uses server="servlet" so that Dubbo does not start its own embedded server on the same port; if the application fails to start with a port conflict on 443, that value is the first thing to change.
- web.xml configuration
Open web.xml under the project's webapp directory and append the following at the end of the file (inside the closing web-app tag):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TLS</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
With transport-guarantee CONFIDENTIAL on /*, Tomcat answers any plain-HTTP request for this application with a redirect to the redirectPort of the connector that received it, which is why redirectPort was changed to 443 above. After restarting Tomcat, a request to http://host/dop/... should come back as a redirect to https://host/dop/..., and a client that has not imported the self-signed certificate will fail the TLS handshake until it does.
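As an added check covering both the server.xml connectors and the web.xml constraint above (example code written for this page, not part of the original post or of Dubbo/Tomcat), the following Python script parses the two files and flags what a reviewer would look for: a missing TLS connector, HTTP and AJP connectors whose redirectPort does not point at the TLS port, a clear-text keystorePass, an AJP connector that is not bound to loopback (checked through Tomcat's standard address attribute), and whether a CONFIDENTIAL constraint really covers /*. The XML samples embedded in it are constructed from the fragments shown on this page.

```python
"""Lint the Tomcat server.xml connectors and the web.xml transport guarantee
for the HTTPS setup described above.

Added example, not code from the original post. The XML samples below are
constructed from the fragments on the page; the loopback check on the AJP
connector uses Tomcat's standard "address" Connector attribute.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the server.xml connectors after the edits on the page.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/tomcat/mykeystore.keystore" keystorePass="mypass"/>
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>"""

# Constructed sample: the stock connector before the edits (no TLS connector at all).
ORIGINAL_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
</Service></Server>"""

# Constructed sample: the security-constraint appended to web.xml on the page.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TLS</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def lint_server_xml(xml_text):
    """Return a list of findings (strings) for the Connector elements in server.xml."""
    findings = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    tls_ports = set()
    plain = []
    for c in connectors:
        port = c.get("port")
        if c.get("SSLEnabled", "false").lower() != "true":
            plain.append(c)
            continue
        tls_ports.add(port)
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: TLS connector needs scheme=\"https\" secure=\"true\"")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if c.get("keystorePass"):
            findings.append(f"port {port}: keystorePass is stored in clear text; restrict server.xml to the Tomcat user")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"port {port}: sslProtocol selects SSL rather than TLS")
    if not tls_ports:
        findings.append("no SSLEnabled connector found; HTTPS is not served")
    for c in plain:
        port, target = c.get("port"), c.get("redirectPort")
        # CONFIDENTIAL redirects land on redirectPort, so it must name a TLS connector.
        if target not in tls_ports:
            findings.append(f"port {port}: redirectPort={target!r} is not a TLS connector port {sorted(tls_ports)}")
        if c.get("protocol", "").startswith("AJP") and c.get("address") not in LOOPBACK:
            findings.append(f"port {port}: AJP connector not bound to loopback; set address=\"127.0.0.1\" or remove it if unused")
    return findings


def requires_tls_everywhere(web_xml_text):
    """True if a security-constraint with transport-guarantee CONFIDENTIAL covers /*."""
    root = ET.fromstring(web_xml_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)  # namespace-qualify tag names
    for sc in root.iter(q("security-constraint")):
        patterns = {(p.text or "").strip() for p in sc.iter(q("url-pattern"))}
        tg = sc.find(f"{q('user-data-constraint')}/{q('transport-guarantee')}")
        if "/*" in patterns and tg is not None and (tg.text or "").strip() == "CONFIDENTIAL":
            return True
    return False


if __name__ == "__main__":
    for name, xml_text in (("edited server.xml", SERVER_XML), ("original server.xml", ORIGINAL_SERVER_XML)):
        print(name)
        for finding in lint_server_xml(xml_text):
            print("  -", finding)
    print("web.xml forces HTTPS on /*:", requires_tls_everywhere(WEB_XML))
```

Run against the edited configuration it reports only the clear-text keystorePass and the unbound AJP connector; against the stock connector it reports that no TLS connector exists and that redirectPort 8443 points nowhere. To lint a real deployment, read the two files from disk and pass their contents to the same functions.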