Confused about SSL configuration and Tomcat

Posted 2024-09-06 21:22:42 · 630 characters · 5 views · 0 comments


Our application runs in two frameworks. One uses https one does not. I am trying to configure the tomcat connectors to work but when I get it working in one framework it does not work in the other.

I have been told we do not need to 'handle' SSL totally as this is handled by our load balancers. Not sure what this means.

For example:
In one framework we'll get permission denied errors and the other will work. If we change things around the opposite occurs, but instead of permission errors we get an invalid certificate error.

The tomcat documentation on connectors does not describe the options very well. Any idea what we are doing wrong?

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="false" maxThreads="150" scheme="https" secure="false" clientAuth="false" sslProtocol="TLS"/>

The above connectors work with the http framework but give me the "mixed content warning" in IE because some requests are http and some https.

Any help would be greatly appreciated.


Comments (2)

微凉徒眸意 2024-09-13 21:22:42


If you have a connector listening on port 443, it should have SSL enabled, because that is the HTTPS port and browsers will send an SSL ClientHello message as soon as they connect—the server won't understand this unless it is SSL-enabled.

It could be that your load-balancer is terminating SSL connections, and forwarding the requests to Tomcat over plain HTTP. In that case, you don't need a connector on port 443.

However, it sounds like one of your applications might be using client certificates to perform authentication. Look at the login-config elements in your web.xml files. What authentication methods are in use?

If you require client certificates, but SSL is terminated at the load balancer, authentication cannot work, because the client certificate never reaches Tomcat.

怀里藏娇 2024-09-13 21:22:42


If you're behind a load-balancer, such as Apache Httpd with mod_proxy (in reverse mode), the SSL connection will be from the browser to the load-balancer (as "erickson" said). You may indeed check login-config in your web.xml file (to check whether you're using CLIENT-CERT).

Another problem you may encounter is the transport-guarantee element in web.xml:

<security-constraint>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

It seems there is a way to force this with a custom valve when you're sure you're behind a secure load-balancer. Here is an article on the subject (translated from French).

The most likely cause for mixed-content is loading images that are not hosted on SSL. You might find that there's a company logo hard-coded with http:// in the template somewhere, or perhaps some Location headers return an http:// URL.
The latter can be fixed using a configuration like this for Apache Httpd (assuming it's your load-balancer), where you'd need to replace it with the correct address, of course:

Header edit Location ^http://www.example.com/test/ https://www.example.com/test/

Many sites (even from big companies) mix content. This is actually a bad thing because:

  • The user can't really know which parts of the page are secure and which aren't, without looking at all the requests and perhaps the source of the page.
  • Some leak cookies and information from the HTTPS request to the plain HTTP request. If someone catches that cookie over plain HTTP, they could potentially use it over HTTPS, as an impostor. (More particularly when cookies without the secure flag are used.)
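As an added example (not from the question or either answer), here is what the server.xml of the asker could look like once TLS is terminated at the load balancer as erickson describes, using Tomcat's built-in RemoteIpValve for the "force this with a valve" step of the second answer. It assumes the load balancer forwards over plain HTTP, sets X-Forwarded-Proto and X-Forwarded-For, and lives in 10.0.0.0/8 (a placeholder range).

```xml
<!-- server.xml fragments (added example, not the asker's configuration).
     TLS ends at the load balancer, so Tomcat needs only one plain-HTTP
     connector. The port-443 connector from the question is dropped: with
     SSLEnabled="false" it cannot understand the TLS ClientHello that a
     browser sends to port 443, which is what produced the errors. -->
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- Placed inside <Engine> or <Host>. RemoteIpValve makes
     request.isSecure() and request.getScheme() reflect the original
     browser connection, based on the X-Forwarded-Proto header, so that
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> in web.xml
     no longer redirects and redirect Location headers are built with
     https:// instead of http://.
     internalProxies restricts which source addresses are trusted to set
     these headers; a client that reaches Tomcat directly cannot spoof
     them. 10.x.x.x is a placeholder for the load balancer's range. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}" />
```

Because the valve only trusts the headers when the request comes from an internalProxies address, Tomcat must not be reachable by clients except through the load balancer; otherwise the scheme could be misreported.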