Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/3561667/

Time: 2020-08-14 01:52:15  Source: igfitidea

Can I run Tomcat securely on port 443 and insecurely on 8080

Tags: java, tomcat, ssl, ssl-certificate, tomcat6

Asked by jeph perro

Let me explain my situation.

Currently, I have a lot of applications running on Tomcat 6, on the default port 8080.

I just created some applications that will need a log in. I'm going to buy an SSL certificate to install on this server.

I don't like the idea of using port 8443 because it makes the URL more complicated. If I run Tomcat on port 80, I'd have to change dozens of links and I'd have to run Tomcat as root (rather than tomcat).

Is there any problem running the insecure applications on port 8080 but having the secure run on port 443?

I'm imagining my setup will have URLs that look like this:

http://mydomain.com:8080/report/controller?id=weather

https://mydomain.com/secure/controller?id=profile

Is this possible?

Accepted answer by Bozho

Yes, it's perfectly OK. Just configure the connectors to use the respective ports. But for 443 I'd guess root would be required as well.

Answer by Alexander Pogrebnyak

Set up an HTTP connector on 8080 and an HTTPS connector on 8443. In your <Connector> declaration add the proxyPort attribute and set it to the default HTTP and HTTPS port (80 and 443 respectively). Set up a firewall redirect rule from 80 to 8080 and from 443 to 8443. Then the server will accept regular http and https URLs without the need to specify port numbers.

Below is a sample declaration of these connectors.

<!-- HTTP connector: Tomcat listens on 8080; clients reach it on 80 (proxyPort)
     through the firewall redirect. redirectPort is the port clients are sent to
     when a web.xml security constraint requires HTTPS, so it is the public 443. -->
<Connector
  maxSpareThreads='75'
  port='8080'
  proxyPort='80'
  enableLookups='false'
  maxThreads='150'
  connectionTimeout='20000'
  disableUploadTimeout='true'
  minSpareThreads='5'
  maxHttpHeaderSize='8192'
  redirectPort='443'
  acceptCount='200'
/>

<!-- HTTPS connector: Tomcat listens on 8443; clients reach it on 443 (proxyPort).
     scheme='https' and secure='true' make request.isSecure() return true for
     requests on this connector. The keystore password is supplied with
     keystorePass (Tomcat's default is "changeit"). -->
<Connector
  SSLEnabled='true'
  keystoreFile='/path/to/keystore.jks'
  maxSpareThreads='75'
  port='8443'
  proxyPort='443'
  algorithm='SunX509'
  enableLookups='false'
  secure='true'
  maxThreads='150'
  connectionTimeout='20000'
  disableUploadTimeout='true'
  scheme='https'
  minSpareThreads='5'
  maxHttpHeaderSize='8192'
  sslProtocol='SSL'
  acceptCount='200'
  clientAuth='false'
/>

And here are some redirect IPTABLES commands:

# nat table in iptables-save format; load with: iptables-restore < this-file
*nat
# user-defined chain that holds the port redirects
:NAT-Port-Redirect - [0:0]
# Redirect external packets
-A PREROUTING -j NAT-Port-Redirect

# redirect http traffic
-A NAT-Port-Redirect -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# redirect https traffic
-A NAT-Port-Redirect -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
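The pairing above only works if the three port numbers agree: the HTTP connector's redirectPort must be the port clients actually reach HTTPS on (the proxyPort, 443), and the HTTPS connector must declare scheme and secure so that request.isSecure() is true. Below is an added example, not part of the answer or of Tomcat itself, that reads a server.xml and checks that consistency, then derives the iptables REDIRECT lines each connector with a proxyPort needs. The sample server.xml strings and the helper names (check_connectors, redirect_rules, external_port) are constructed here for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's two connectors (attribute subset only).
CONSISTENT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" proxyPort="80" redirectPort="443"
               maxThreads="150" connectionTimeout="20000"/>
    <Connector port="8443" proxyPort="443" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="/path/to/keystore.jks"/>
  </Service>
</Server>"""

# Constructed counter-example: the HTTP connector still redirects to 8443 even
# though clients reach HTTPS through the firewall on 443, so forced-HTTPS
# redirects would hand out URLs with an explicit :8443 port.
MISMATCHED_SERVER_XML = CONSISTENT_SERVER_XML.replace(
    'redirectPort="443"', 'redirectPort="8443"')


def _is_true(value):
    return (value or "").strip().lower() == "true"


def external_port(connector):
    """Port clients see: proxyPort when behind a redirect, otherwise port."""
    return int(connector.get("proxyPort") or connector.get("port"))


def check_connectors(server_xml):
    """Return a list of findings; empty means the HTTP/HTTPS pairing is consistent."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if _is_true(c.get("SSLEnabled"))]
    http = [c for c in connectors if not _is_true(c.get("SSLEnabled"))]
    findings = []
    if len(https) != 1:
        findings.append("expected exactly one SSLEnabled connector, found %d" % len(https))
        return findings
    tls = https[0]
    # Without scheme='https' and secure='true', request.isSecure() is false on the
    # HTTPS connector and a CONFIDENTIAL transport-guarantee keeps redirecting.
    if tls.get("scheme") != "https" or not _is_true(tls.get("secure")):
        findings.append("HTTPS connector must set scheme='https' and secure='true'")
    if not tls.get("keystoreFile"):
        findings.append("HTTPS connector has no keystoreFile")
    tls_ext = external_port(tls)
    for c in http:
        redirect = c.get("redirectPort")
        if redirect is None:
            findings.append("HTTP connector on port %s has no redirectPort" % c.get("port"))
        elif int(redirect) != tls_ext:
            findings.append(
                "HTTP connector on port %s redirects to %s but clients reach HTTPS on %d"
                % (c.get("port"), redirect, tls_ext))
    return findings


def redirect_rules(server_xml):
    """Derive the nat-table REDIRECT line for every connector whose proxyPort differs from port."""
    root = ET.fromstring(server_xml)
    rules = []
    for c in root.iter("Connector"):
        proxy, port = c.get("proxyPort"), c.get("port")
        if proxy and proxy != port:
            rules.append("-A PREROUTING -p tcp -m tcp --dport %s -j REDIRECT --to-ports %s"
                         % (proxy, port))
    return rules


if __name__ == "__main__":
    for name, xml in (("consistent", CONSISTENT_SERVER_XML),
                      ("mismatched", MISMATCHED_SERVER_XML)):
        print(name, check_connectors(xml) or "OK")
    print("\n".join(redirect_rules(CONSISTENT_SERVER_XML)))
```

Run it against a real server.xml by passing the file contents to check_connectors; an empty list means the redirectPort, proxyPort and scheme/secure settings line up, and redirect_rules gives the firewall lines the connectors imply, so the two halves of the setup can be checked against each other before deploying.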