Notes on Configuring HTTPS (CentOS 7 + Tomcat + Nginx)

CentOS 7 Configuration

Reference articles
https://www.digitalocean.com/community/tutorials/how-to-encrypt-tomcat-8-connections-with-apache-or-nginx-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

Network configuration

# Several ways to check the OS version
lsb_release -a
uname
uname -r
uname -a
cat /etc/redhat-release
cat /etc/centos-release
rpm -q redhat-release
cat /proc/version

# Configure a static IP
# Configuration file
/etc/sysconfig/network-scripts/ifcfg-eno16777736
(eno16777736 is the device name)
# Restart networking
/etc/init.d/network restart
systemctl restart network.service
# Check the network status
ifconfig
ip add
--------------------------------------------------------
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=62da3834-9ccf-4a71-874b-702077e16ec9
DEVICE=eno16777736
ONBOOT=yes #enable this configuration at boot
HWADDR=00:0C:29:C3:60:78
IPADDR=192.168.214.100 #static IP
GATEWAY=192.168.214.2 #default gateway
NETMASK=255.255.255.0 #subnet mask
#DNS1= #DNS
NM_CONTROLLED=no #this interface is configured from this file and is not managed by NetworkManager
PREFIX=24
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
--------------------------------------------------------
Check the status of the NetworkManager service
systemctl status NetworkManager.service
List the network interfaces managed by NetworkManager
nmcli dev status

Configure DNS
vi /etc/resolv.conf
nameserver 114.114.114.114

yum configuration

Security-related steps after installing CentOS

Initial Server Setup with CentOS 7

0x01 Root Login

# Log in as root over ssh
# ssh root@SERVER_IP_ADDRESS
ssh [email protected]

How To Connect To Your Droplet with SSH

SSH Client Software

  1. OpenSSH(Linux and Mac OS X)
  2. PuTTY(Windows)

Login as Root

# Option 1: OpenSSH(Linux and Mac OS X)
# Option 2: PuTTY

0x02 Create a New User

# Create a user
adduser loginuser
# Set its password
passwd loginuser

0x03 Root Privileges

# A regular user exercises root privileges through sudo; users added to the wheel group get sudo rights
gpasswd -a loginuser wheel

0x04 Add Public Key Authentication

Generate a Key Pair

# Run on the local machine
# generate a new key pair
ssh-keygen
ssh-keygen -t rsa -C "[email protected]"

# The generated key pair is stored in the following directory
/Users/snddfhv/.ssh/
id_rsa is the private key
id_rsa.pub is the public key

Copy the Public Key

Next, add the generated public key to the server. There are two ways to do this.

# Option 1: Use ssh-copy-id
# Requires the ssh-copy-id script to be installed locally
ssh-copy-id [email protected]
# After this command runs, the public key generated on the local machine is appended to .ssh/authorized_keys in loginuser's home directory on the remote machine

# Option 2: Manually install the key
cat ~/.ssh/id_rsa.pub
# Copy the local machine's public key
# On the remote machine, create the following directory under loginuser's home directory and set its permissions
su - loginuser
mkdir .ssh
chmod 700 .ssh
# Open .ssh/authorized_keys, paste the local machine's public key into it, and set its permissions
vi .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
# Leave the loginuser account
exit

# You can now log in to the remote machine from the local machine without a password
ssh [email protected]

A problem encountered when logging in over ssh

The error messages were:

# Connecting to the CentOS 7 host from another machine fails with the following errors
ssh: connect to host 192.168.0.100 port 22: Connection refused

packet_write_wait: Connection to 192.168.0.100 port 22: Broken pipe

Troubleshoot with the following checklist:

  1. Is the IP address correct?
  2. Check whether the firewall is turned off
  3. Check whether the host responds to ping
  4. Check whether the sshd service is running
  5. Check ~/.ssh/known_hosts for an entry for the target host's IP; if one exists, delete it
  6. Restart the sshd service
  7. ssh IP

# Keep SSH server connections alive for a long time
vi /etc/ssh/sshd_config
# Set the following two parameters
TCPKeepAlive yes
ClientAliveCountMax 60
# The first parameter keeps the TCP connection alive
# The second is the number of client-alive probes sshd may send without a reply before it drops the connection;
# it only takes effect together with ClientAliveInterval (set below), which is the probe interval in seconds

# Restart to apply
sudo systemctl restart sshd
# Another approach
# Add a config file in the client's ~/.ssh/ directory with the following setting
ServerAliveInterval 60

# Add the following to /etc/ssh/sshd_config on the server
ClientAliveInterval 60

# To keep only the current ssh session alive
ssh -o ServerAliveInterval=60 user@sshserver

http://stackoverflow.com/questions/13228425/write-failed-broken-pipe
http://superuser.com/questions/364304/how-do-i-configure-ssh-on-os-x

0x06 Configure SSH Daemon

Configure SSH - disable root login

Edit the configuration file /etc/ssh/sshd_config

#PermitRootLogin yes

Change it to the following (root login not allowed)

PermitRootLogin no

Reload SSH

systemctl reload sshd
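The keepalive settings above and the PermitRootLogin change are both plain keyword/value lines in sshd_config, so they can be checked before reloading the daemon. The following is an added example (not part of these notes) that parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment; Match blocks are not handled), computes the effective idle timeout from ClientAliveInterval x ClientAliveCountMax, and reports the settings discussed here. The sample configuration is constructed for the example.

```python
"""Audit sshd_config for the settings discussed in these notes (added example)."""
from __future__ import annotations

import io
from typing import Dict, List

# Constructed sample sshd_config fragment combining the settings from the notes.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed for this example)
#PermitRootLogin yes
PermitRootLogin no
TCPKeepAlive yes
ClientAliveCountMax 60
ClientAliveInterval 60
PubkeyAuthentication yes
PermitRootLogin yes   # a later duplicate is ignored by sshd
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value (keyword lowercased, first occurrence wins)."""
    settings: Dict[str, str] = {}
    for raw in io.StringIO(text):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def idle_timeout_seconds(settings: Dict[str, str]) -> int:
    """Seconds an unresponsive client survives before sshd disconnects it.

    sshd sends a client-alive probe every ClientAliveInterval seconds and
    gives up after ClientAliveCountMax unanswered probes.  With the default
    ClientAliveInterval 0 no probes are sent, so ClientAliveCountMax alone
    has no effect.
    """
    interval = int(settings.get("clientaliveinterval", "0"))
    count = int(settings.get("clientalivecountmax", "3"))
    return interval * count


def audit_sshd(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    # Unset PermitRootLogin is treated as a finding: the notes require an explicit 'no'.
    if settings.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': direct root login is allowed")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if idle_timeout_seconds(settings) == 0:
        findings.append("ClientAliveInterval is 0: idle or dead clients are never detected")
    return findings


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("effective idle timeout:", idle_timeout_seconds(cfg), "seconds")
    for finding in audit_sshd(cfg) or ["no findings"]:
        print("-", finding)
```

Run it against the real file with `parse_sshd_config(open("/etc/ssh/sshd_config").read())`; with the sample above the effective timeout is 3600 seconds, which is the 60-minute figure the notes had in mind.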

Additional hardening

Additional Recommended Steps for New CentOS 7 Servers

Configuring a Basic Firewall

Start the firewall

sudo systemctl start firewalld

Managing SSH

# Allow ssh through the firewall
sudo firewall-cmd --permanent --add-service=ssh
# If the ssh port has been changed
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-port=12211/tcp

Services managed by firewalld

# List the available services
sudo firewall-cmd --get-services

# Add http
sudo firewall-cmd --permanent --add-service=http

# Add https
sudo firewall-cmd --permanent --add-service=https

# Add smtp
sudo firewall-cmd --permanent --add-service=smtp

# List what firewalld allows
sudo firewall-cmd --permanent --list-all

# reload the firewall
sudo firewall-cmd --reload

Start at boot

sudo systemctl enable firewalld

Configure Timezones and Network Time Protocol Synchronization

Configure Timezones

# available timezones
sudo timedatectl list-timezones

# look current setting
timedatectl

# setting
# sudo timedatectl set-timezone region/timezone
sudo timedatectl set-timezone Asia/Shanghai

Configure NTP Synchronization

# Install NTP
sudo yum install ntp

# Start it and enable it at boot
sudo systemctl start ntpd
sudo systemctl enable ntpd

Create a Swap File

sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo swapon /swapfile
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

Tomcat installation

How To Install Apache Tomcat 8 on CentOS 7

Install Java

Remove the OpenJDK that ships with the system

# Install OpenJDK
sudo yum install java-1.7.0-openjdk-devel
# JAVA_HOME for OpenJDK
/usr/lib/jvm/jre
# List the installed JDK packages
rpm -qa | grep java
# Remove OpenJDK
rpm -e --nodeps java-xxx

Install the HotSpot JDK

# Download
wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm

# Install
rpm -ivh xxx.rpm
# Paths after installation
which java
/usr/bin/java
ls -l /usr/bin/java
/usr/bin/java -> /etc/alternatives/java
ls -l /etc/alternatives/java
/etc/alternatives/java -> /usr/java/jdk1.8.0_111/jre/bin/java
# JAVA_HOME for the Oracle JDK
/usr/java/jdk1.8.0_111/

Create Tomcat User

# create a new tomcat group
sudo groupadd tomcat

# create a new tomcat user
# group is tomcat
# home directory is /opt/tomcat (the Tomcat install path)
# shell is /bin/nologin (so nobody can log into the account)
sudo useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
# -M do not create the user's home directory
# -s login shell of the new account
# -g name of the new account's primary group
# -d home directory of the new account; this directory has to be created separately

Install Tomcat

# Download
wget http://mirrors.hust.edu.cn/apache/tomcat/tomcat-8/v8.5.11/bin/apache-tomcat-8.5.11.tar.gz

# Extract
sudo mkdir /opt/tomcat
sudo tar xvf xxx.tar.gz -C /opt/tomcat --strip-components=1

# Set permissions
cd /opt/tomcat
# The directory belongs to the tomcat group
sudo chgrp -R tomcat /opt/tomcat
# The tomcat group gets read access to the conf directory and its contents
sudo chmod -R g+r conf
# and execute access on the conf directory itself
sudo chmod g+x conf
# Make the tomcat user the owner of webapps/, work/, temp/ and logs/
sudo chown -R tomcat webapps/ work/ temp/ logs/

Install Systemd Unit File

Register Tomcat as a service

create and open unit file

# Add the file
sudo vi /etc/systemd/system/tomcat.service

Set its content as follows; adjust the parameters to your environment

# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

Reload the configuration

sudo systemctl daemon-reload
sudo systemctl start tomcat
sudo systemctl status tomcat
# Enable at boot
sudo systemctl enable tomcat

Problem: Tomcat cannot be reached remotely

# Find the corresponding pid: tomcat_pid
ps -ef | grep java
# Check whether ports 8080 and 8009 are both open
sudo netstat -tupln | grep $tomcat_pid

Try disabling IPv6

  1. Check via the NIC properties

    Command: ifconfig
    Note: a line starting with "inet6 addr: ..." means IPv6 is enabled

  2. Check via the loaded kernel modules

    Command: lsmod | grep ipv6
    How to disable IPv6
    Append the following to the end of /etc/modprobe.d/dist.conf
    alias net-pf-10 off
    alias ipv6 off

  3. Edit the NIC configuration file
    /etc/sysconfig/network-scripts/ifcfg-xxxx
    Comment out the IPv6-related settings

  4. Edit the network configuration file
    Add NETWORKING_IPV6=no

  5. Restart the network service

    sudo systemctl restart network

Configure Tomcat Web Management Interface

# Tomcat admin user
sudo vi /opt/tomcat/conf/tomcat-users.xml
# -------------start

    

# ---------------end

# Newer Tomcat versions restrict Manager and Host Manager access to local connections
sudo vi /opt/tomcat/webapps/manager/META-INF/context.xml
sudo vi /opt/tomcat/webapps/host-manager/META-INF/context.xml
# ---------------start

  

# -----------------end

# Restart Tomcat
sudo systemctl restart tomcat

nginx installation

Install nginx

# Install EPEL, which adds the Nginx repository
sudo yum install epel-release
# Install nginx; the default configuration file is /etc/nginx/nginx.conf
sudo yum install nginx
# Start nginx; it listens on port 80 by default
sudo systemctl start nginx
# If the firewall is enabled
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
# Access it at
http://server_domain_name_or_IP/
# Enable at boot
sudo systemctl enable nginx

Accessing Tomcat through nginx

# Add the file /etc/nginx/conf.d/tomcat.conf with the following content
upstream tomcat{
        server localhost:8080 weight=9;
}

server{
        listen 80;
        server_name tomcat;
        location /{
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                proxy_pass http://localhost:8080;
        }
}

HTTPS

How To Create a Self-Signed SSL Certificate for Nginx on CentOS 7
How To Secure Nginx with Let's Encrypt on CentOS 7

Create a Self-Signed SSL Certificate for Nginx

Create the SSL Certificate

# The /etc/ssl/certs directory holds the public certificate on the server
# The /etc/ssl/private directory holds the private key on the server
sudo mkdir /etc/ssl/certs
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
# create a self-signed key and certificate pair with OpenSSL
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

This command prompts interactively for the certificate fields

# create a strong Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# This produces the file /etc/ssl/certs/dhparam.pem

Configure Nginx to Use SSL

sudo vi /etc/nginx/conf.d/ssl.conf
# -------------------------start
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name server_IP_address;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    # resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################
    
    root /usr/share/nginx/html;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
# -------------------------end

Create a Redirect from HTTP to HTTPS

sudo vi /etc/nginx/default.d/ssl-redirect.conf
# ---------------------------start
return 301 https://$host$request_uri;
# ---------------------------end

# Edit tomcat.conf, i.e. the http configuration
# Add the line include /etc/nginx/default.d/*.conf;
# -------------------------------start
upstream tomcat{
        server localhost:8081 weight=9;
}

server{
        listen 80;
        server_name tomcat;
        include /etc/nginx/default.d/*.conf;
        location /{
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                proxy_pass http://localhost:8081;
        }
}
# -------------------------------end
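The ssl.conf block above and the redirect line are both worth checking for more than syntax before `nginx -t`: the copied cipherli.st block still enables TLSv1 and TLSv1.1, which current guidance disables, and a redirect target of `$host$request_uri` must not have anything appended, because `$request_uri` already carries the path and query string. The following is an added example (not part of these notes or of the DigitalOcean tutorials) that parses the simple `directive args;` lines of a server block (nested blocks, includes and variables are not evaluated) and reports those points. The sample configuration and redirect line are constructed from the directives on this page.

```python
"""Audit nginx TLS settings and the HTTP->HTTPS redirect (added example)."""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Constructed sample: the TLS directives of the server block in these notes.
SAMPLE_SSL_CONF = """\
server {
    listen 443 http2 ssl;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    ssl_stapling on;   # nginx ignores this for a self-signed certificate
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
}
"""
# Constructed sample: the redirect with the stray trailing slash.
SAMPLE_REDIRECT = "return 301 https://$host$request_uri/;"

# One single-line directive: name, arguments, terminating semicolon.
DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?);\s*$")


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (name, arguments) pairs for each single-line directive."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = DIRECTIVE.match(line)
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def audit_tls(directives: List[Tuple[str, str]]) -> List[str]:
    """Flag TLS settings a reviewer would question; empty list means none."""
    by_name: Dict[str, List[str]] = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)
    findings: List[str] = []

    protocols = set(" ".join(by_name.get("ssl_protocols", [])).split())
    legacy = sorted(p for p in protocols if p in {"SSLv3", "TLSv1", "TLSv1.1"})
    if legacy:
        findings.append("ssl_protocols enables legacy versions: " + ", ".join(legacy))
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols does not enable TLSv1.2 or TLSv1.3")
    # nginx uses the last occurrence of a directive in a context.
    if by_name.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if by_name.get("ssl_session_tickets", ["on"])[-1] != "off":
        findings.append("ssl_session_tickets is on (ticket keys are never rotated here)")
    hsts = [a for a in by_name.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


def audit_redirect(directives: List[Tuple[str, str]]) -> List[str]:
    """Check 'return' directives that are meant to send HTTP clients to HTTPS."""
    findings: List[str] = []
    for name, args in directives:
        if name != "return":
            continue
        _code, _, target = args.partition(" ")
        if not target.startswith("https://"):
            findings.append("redirect target is not https://")
        if target.endswith("$request_uri/"):
            findings.append("redirect appends '/' after $request_uri, which already holds the path and query string")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(parse_directives(SAMPLE_SSL_CONF)) or ["TLS: no findings"]:
        print("-", finding)
    for finding in audit_redirect(parse_directives(SAMPLE_REDIRECT)) or ["redirect: no findings"]:
        print("-", finding)
```

With the sample, the TLS audit reports only the legacy TLSv1/TLSv1.1 versions, and the redirect audit flags the trailing slash; `return 301 https://$host$request_uri;` passes clean.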

Enable the Changes in Nginx

sudo nginx -t
# It prints the following
# ----------------------start
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# ----------------------end

Test Encryption

https://server_domain_or_IP

http://server_domain_or_IP

Nginx with Let's Encrypt

Install the Certbot Let's Encrypt Client
