对 SSL 配置和 Tomcat 感到困惑
我们的应用程序在两个框架中运行。一种使用 https,一种不使用。我正在尝试将 tomcat 连接器配置为工作,但是当我让它在一个框架中工作时,它在另一个框架中不起作用。
我被告知我们不需要完全“处理”SSL,因为这是由我们的负载均衡器处理的。不确定这些意味着什么。
例如: 在一个框架中,我们会收到权限被拒绝的错误,而另一个框架则可以工作。如果我们改变周围的情况,就会发生相反的情况,但我们会得到无效证书错误,而不是权限错误。
关于连接器的 tomcat 文档没有很好地描述这些选项。知道我们做错了什么吗?
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="false" maxThreads="150" scheme="https" secure="false" clientAuth="false" sslProtocol="TLS"/>
上面的连接器与 http 框架配合使用,但在 IE 中给了我“混合内容警告”,因为有些请求是 http,有些是 https。
任何帮助将不胜感激。
Our application runs in two frameworks. One uses https one does not. I am trying to configure the tomcat connectors to work but when I get it working in one framework it does not work in the other.
I have been told we do not need to 'handle' SSL totally as this is handled by our load balancers. Not sure what these means.
For example:
In one framework we'll get permission denied errors and the other will work. If we change things around the opposite occurs but instead of permission errors we get invalid certificate error.
The tomcat documentation on connectors does not describe the options very well. Any idea what we are doing wrong?
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="false" maxThreads="150" scheme="https" secure="false" clientAuth="false" sslProtocol="TLS"/>
The above connectors work with the http framework but gives me the "mixed content warning" in IE because some requests are http and some https.
Any help would be greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您有一个连接器侦听端口 443,则它应该启用 SSL,因为这是 HTTPS 端口,并且浏览器在连接后会立即发送 SSL
ClientHello
消息 — 服务器无法理解这一点除非它启用了 SSL。您的负载平衡器可能正在终止 SSL 连接,并通过纯 HTTP 将请求转发到 Tomcat。在这种情况下,您不需要端口 443 上的连接器。
但是,听起来您的应用程序之一可能正在使用客户端证书来执行身份验证。查看 web.xml 文件中的
login-config
元素。使用哪些身份验证方法?如果您需要客户端证书,但 SSL 在负载均衡器处终止,则身份验证无法工作,因为客户端证书永远不会到达 Tomcat。
If you have a connector listening on port 443, it should have SSL enabled, because that is the HTTPS port and browsers will send an SSL
ClientHello
message as soon as they connect—the server won't understand this unless it is SSL-enabled.It could be that your load-balancer is terminating SSL connections, and forwarding the requests to Tomcat over plain HTTP. In that case, you don't need a connector on port 443.
However, it sounds like one of your applications might be using client certificates to perform authentication. Look the
login-config
elements in your web.xml files. What authentication methods are in use?If you require client certificates, but SSL is terminated at the load balancer, authentication cannot work, because the client certificate never reaches Tomcat.
如果您使用负载平衡器,例如带有 mod_proxy 的 Apache Httpd(反向模式),则 SSL 连接将从浏览器到负载平衡器(如“erickson”所述)。您确实可以检查 web.xml 文件中的登录配置(以检查您是否正在使用 CLIENT-CERT)。
您可能遇到的另一个问题是 web.xml 中的
transport-guarantee
元素:当您确定自己是一个安全的负载均衡器时,似乎有一种方法可以使用自定义阀门强制执行此操作。这是一篇关于该主题的文章(翻译自法语)。
混合内容最可能的原因是加载未托管在 SSL 上的图像。您可能会发现模板中某处有一个用
http://
硬编码的公司徽标,或者某些Location
标头可能会返回http://< /代码> 网址。
后者可以使用像 Apache Httpd 这样的配置来修复(假设它是您的负载平衡器),当然您需要用正确的地址替换它:
许多网站(甚至来自大公司)混合内容。这实际上是一件坏事,因为:
If you're behind a load-balancer, such as Apache Httpd with mod_proxy (in reverse mode), the SSL connection will be from the browser to the load-balancer (as "erickson" said). You may indeed check login-config in your web.xml file (to check whether you're using CLIENT-CERT).
Another problem you may encounter is the
transport-guarantee
element in web.xml:It seems there is a way to force this with a custom valve when you're sure you're being a secure load-balancer. Here is an article on the subject (translated from French).
The most likely cause for mixed-content is loading images that are not hosted on SSL. You might find that there's a company logo hard-coded with
http://
in the template somewhere, or perhaps someLocation
headers return anhttp://
URL.The latter can be fixed using a configuration like this Apache Httpd (assuming it's your load-balancer), where you'd need to replace it with the correct address of course:
Many sites (even from big companies) mix content. This is actually a bad thing because: