1.转换前准备
http转https需要一个证书,本文以ssl证书举例,只有经过认证的证书才能被认可。阿里云可以申请免费的证书,但是生成证书需要域名,且域名要绑定ip,故ssl申请前需要先有域名,可上阿里云购买。
证书申请教程:证书申请
绑定ip:如果没有服务器、也可以用本地ip代替。
2.后端spring boot http 转 https
1) 下载对应tomcat证书
2) 将证书移动到spring boot 中的resources文件夹下、配置application.yml或application.properties
application.properties:
# HTTPS port: Spring Boot's main server.port, i.e. the TLS connector
server.port: 7001
# Plain-HTTP port: read by HttpsConfig (server.http.port) and redirected to server.port
server.http.port: 7000
# A company certificate is used here and is not provided; replace it with your own certificate
server.ssl.key-store: classpath:xx.pfx
# NOTE(review): the key-store password is a secret — the value below is only the sample from this
# article; supply your own and keep it out of version control (environment variable / externalized config)
server.ssl.key-store-password: 96XP9E9F
server.ssl.keyStoreType: PKCS12
application.yml
server:
  port: 9004
  http:
    port: 9003
  ssl:
    key-store: classpath:XX.pfx
    key-store-type: PKCS12
    enabled: true
    #密码
    key-store-password: j0B2b291Dd
3) http的端口自动跳转到https端口
HttpsConfig.java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.stereotype.Component;/*** HTTP自动转向HTTPS的配置**/
/**
 * Forces every plain-HTTP request onto the HTTPS port.
 *
 * <p>Tomcat gets a second, non-secure connector on {@code server.http.port}; a
 * {@code CONFIDENTIAL} security constraint covering {@code /*} makes Tomcat answer any
 * request that arrives on that connector with a redirect to {@code server.port},
 * the TLS port configured in application.properties / application.yml.
 */
@Component
public class HttpsConfig {

    /** Port of the plain-HTTP connector that only redirects. */
    @Value("${server.http.port}")
    private int httpPort;

    /** TLS port the redirect points to (Spring Boot's main {@code server.port}). */
    @Value("${server.port}")
    private int httpsPort;

    /**
     * Builds the embedded Tomcat factory with the redirect constraint and the extra HTTP connector.
     *
     * @return the customised Tomcat factory
     */
    @Bean
    public TomcatServletWebServerFactory tomcatServletWebServerFactory() {
        TomcatServletWebServerFactory tomcat = new RedirectingTomcatFactory();
        // NOTE(review): this class is a @Component, not a @Configuration, so this is a plain
        // method call — the Connector wired into Tomcat is a separate instance from the
        // httpConnector bean Spring registers; confirm that is intended.
        tomcat.addAdditionalTomcatConnectors(httpConnector());
        return tomcat;
    }

    /**
     * Connector that accepts plain HTTP on {@code httpPort} and redirects to {@code httpsPort}.
     *
     * @return the non-secure HTTP/1.1 NIO connector
     */
    @Bean
    public Connector httpConnector() {
        Connector plain = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        plain.setScheme("http");
        plain.setSecure(false);
        // port Tomcat listens on for plain HTTP
        plain.setPort(httpPort);
        // port the CONFIDENTIAL constraint sends clients to
        plain.setRedirectPort(httpsPort);
        return plain;
    }

    /** Tomcat factory that attaches a "CONFIDENTIAL" constraint for all URLs to every context. */
    private static final class RedirectingTomcatFactory extends TomcatServletWebServerFactory {
        @Override
        protected void postProcessContext(Context context) {
            context.addConstraint(confidentialForAllUrls());
        }
    }

    /** Security constraint requiring a confidential (TLS) transport for the URL pattern {@code /*}. */
    private static SecurityConstraint confidentialForAllUrls() {
        SecurityCollection everything = new SecurityCollection();
        everything.addPattern("/*");
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.setUserConstraint("CONFIDENTIAL");
        constraint.addCollection(everything);
        return constraint;
    }
}
报红是因为当前的域名所对应的ip和服务器ip不一致所致, 将域名对应的IP和服务器ip对应即可解决问题。可通过ping 域名查询域名所对应的地址。
3.nginx 配置http转https(docker)
nginx.conf
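user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    include /etc/nginx/conf.d/*.conf;

    # Plain HTTP: answer everything with a permanent redirect to the HTTPS host.
    # "return 301" is the form the nginx docs recommend over a catch-all rewrite;
    # $request_uri keeps the original path and query string.
    server {
        listen 80;
        server_name www.aaa.bbb.fun;
        return 301 https://$server_name$request_uri;
    }

    # HTTPS: certificate and key are mounted into /ssl by the docker run command below.
    server {
        listen 443 ssl;
        server_name www.aaa.bbb.fun;
        ssl_certificate /ssl/6431157_aaa.bbb.fun.pem;
        ssl_certificate_key /ssl/6431157_aaa.bbb.fun.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        # Only current protocol versions: SSLv3 (POODLE) and TLSv1.1 are broken/deprecated
        # and are rejected by modern browsers anyway.
        ssl_protocols TLSv1.2 TLSv1.3;
        # nginx's documented default suite; drops the RC4 and MEDIUM ciphers of the old list.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Tell browsers to use HTTPS directly next time, so the port-80 redirect is only
        # needed on first contact. Keep HTTPS working for the whole max-age before enabling.
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            # NOTE(review): proxy_set_header only affects proxied requests; this location has
            # no proxy_pass and serves static files, so these three lines currently do nothing.
            proxy_set_header Host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            root /usr/share/nginx/html;
            index index.html index.htm;
            # NOTE(review): wildcard CORS lets any origin read these responses; fine for public
            # static assets, narrow it to the calling origin if anything non-public is served here.
            add_header Access-Control-Allow-Origin *;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            # relative root resolves against the nginx prefix directory
            root html;
        }
    }
}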
docker运行:
# Run the container
# NOTE(review): only 443 is published (host port 30014). The port-80 redirect server in
# nginx.conf is not reachable from the host unless 80 is published too, and its redirect
# points at https://www.aaa.bbb.fun (port 443), not port 30014 — confirm the intended mapping.
docker run -d -p 30014:443 --name jsjmh-web -v ~/nginx/jsj/dist:/usr/share/nginx/html -v ~/nginx/jsj/conf/nginx.conf:/etc/nginx/nginx.conf -v ~/nginx/jsj/logs:/var/log/nginx -v ~/nginx/jsj/ssl:/ssl nginx
# Notes on the options:
-v ~/nginx/jsj/dist:/usr/share/nginx/html 静态页面挂载
-v ~/nginx/jsj/conf/nginx.conf:/etc/nginx/nginx.conf 配置文件挂载
-v ~/nginx/jsj/logs:/var/log/nginx 日志挂载
-v ~/nginx/jsj/ssl:/ssl ssl证书挂载