Apache 和 Tomcat 的 SSL 问题

Apache 和 Tomcat 的 SSL 问题

我有一台运行 Apache 和 Tomcat 的服务器。前端应用程序(内置于 angularjs)在 Apache 中运行,我在那里安装了 SSL 证书,它运行良好,我可以使用 HTTPS 访问,并且浏览器信任该证书。但是,此应用程序正在使用同一台服务器中的另一个应用程序的一些服务,但它使用 Tomcat 8 运行(因为它是一个用 Java 构建的应用程序)。

问题是浏览器(chrome)不允许 https 中的网站使用另一台未使用 SSL 的服务器(实际上它在同一台服务器上运行,但它是不同的应用程序)的服务。所以我尝试在 Tomcat 中使用与 Apache 中相同的 SSL。但我无法让它工作。根据我所读到的,我需要将证书添加到密钥库,但是当我尝试这样做时,证书被列为 trustCertEntry,根据文档,这是因为我没有使用与生成私钥时相同的别名……但是当我创建私钥时,我没有使用别名,所以我不确定如何解决这个问题……

总结:一台服务器上运行着一个 Apache 应用程序(端口 80)和另一个 Tomcat 应用程序(端口 8080)。在 Apache 中,设置可以使用 SSL,我使用以下命令生成私钥:

openssl genrsa -out mydomain.key 2048 
openssl req -new -key mydomain.key -out mydomain.csr 

然后我尝试使用以下命令将证书添加到密钥库

keytool -import -keystore mydomain -alias mydomain -file [certificate file]

但是它被列为trustedCertEntry并且tomcat不能在端口8080或8443上使用HTTPS。

我遗漏了什么?我可以用一个证书来做到这一点吗?还是即使它们在同一台服务器上,我也需要两个证书?

我的 server.xml 是

<?xml version="1.0" encoding="UTF-8"?>

  http://www.apache.org/licenses/LICENSE-2.0

除非适用法律要求或书面同意,否则根据许可证分发的软件将按“原样”分发,不附带任何明示或暗示的保证或条件。请参阅许可证,了解许可证下特定语言的权限和限制。--> -->

<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
    maxThreads="150" minSpareThreads="4"/>
-->


<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation. The default
     SSLImplementation will depend on the presence of the APR/native
     library and the useOpenSSL attribute of the
     AprLifecycleListener.
     Either JSSE or OpenSSL style configuration may be used regardless of
     the SSLImplementation selected. JSSE style configuration is used below.
-->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


<!-- An Engine represents the entry point (within Catalina) that processes
     every request.  The Engine implementation for Tomcat stand alone
     analyzes the HTTP headers included with the request, and passes them
     on to the appropriate Host (virtual host).
     Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">

  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html  (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->

  <!-- Use the LockOutRealm to prevent attempts to guess user passwords
       via a brute-force attack -->
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  </Host>
</Engine>

答案1

浏览器对于包含不安全内容的 SSL 站点可能会有点不以为然。如果您在 Apache 上使用 SSL,则可以使用 Apache 作为反向代理来发布 Tomcat 应用程序,可以使用 ajp 连接器或反向代理。这样,您就完全不必担心 Tomcat 上的 SSL,一切都由 Apache 服务器处理(tomcat 和 apache 之间的连接并不安全,但无论如何都应该在专用网络上)。所有必要的文档都来自 apache:

Tomcat AJP 参考

在 Apache 上配置 AJP 连接器

或者你可以使用简单的反向代理

tomcat AJP 文档不是特别清楚 - 只需编辑 conf/server.xml 文件,并取消注释/包含以下位以使 tomcat 接受 ajp 请求:

<Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
...

相关内容