当前位置：文江博客话题详情

REST Lift 项目中的 SSL，从哪里开始？

发布于 2024-10-20 16:07:21 字数 122 浏览 1 评论 0原文

我们正在 Scala 中做一个项目，使用 Lift 为客户端提供一些 REST 风格的 Web 服务（通过 AJAX 的 Java 脚本）。出于某些商业原因，我们决定将其全部置于 SSL 下，但我不知道从哪里开始。见解将不胜感激。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

逆夏时光 2024-10-27 16:07:21

当前处理 HTTP 流量的服务器软件（例如 Jetty、Nginx、Apache...）几乎肯定有一些添加 SSL 支持和禁用纯 HTTP 的方法；首先尝试一下。

至于添加 SSL 支持的基本机制，它是这样的：

生成RSA 密钥对（密钥大小应至少为 1024 位）。此步骤应提示您填写有关您、您的组织和服务器主机名（X.509 术语中的“公用名”）的一些信息。它还应该提示您输入密码，该密码将用于加密私钥。
密钥对由私钥（这是您不应与任何人共享的部分）和自签名证书组成，其中包含与其他元数据一起的公钥。
如果您想获得真正的卡特尔签名 SSL 证书，以便公众在访问您的网站时不会看到令人讨厌的警告，您需要生成证书签名请求（ CSR）并将其提交给 SSL 证书颁发机构，该机构将创建一个从您的 CSR 派生的证书，但使用其私钥进行签名。幸运的是，近年来，SSL CA 业务的竞争变得异常激烈，因此定价不应再成为主要障碍。
如果您不打算获取真正的卡特尔签名 SSL 证书，则可以按原样使用私钥和自签名证书。
无论哪种方式，您都需要告诉您的 Web 服务器如何查找证书（无论是自签名还是 CA 签名）和私钥。 Apache HTTPD 更喜欢将这两件事保存在单独的文件中；大多数 JVM 服务器更喜欢将它们封装在密钥库中。一般用途的最佳密钥库格式称为PKCS#12，它是一个行业标准。使用单独的密钥和证书制作 PKCS#12 文件有点棘手，如果您无法弄清楚，请查看 ServerFault。 :)
您通常希望将私钥密码放入服务器的配置文件中，因此请确保配置文件（以及包含私钥的文件）具有仍然有效的最严格的权限。

Whatever server software is currently handling HTTP traffic (e.g. Jetty, Nginx, Apache...) almost certainly has some means of adding SSL support and disabling plain HTTP; try that first.

As for the basic mechanism of adding SSL support, it goes something like this:

Generate an RSA keypair (the key size should be at least 1024 bits). This step should prompt you to fill in some information about you, your organization, and the server's hostname ("common name" in X.509 parlance). It should also prompt you for a passphrase, which will be used to encrypt the private key.
The keypair consists of a private key (this is the part you shouldn't share with anyone) and a self-signed certificate, which contains, along with other metadata, the public key.
If you want to get a real cartel-signed SSL certificate, so that members of the general public won't see nasty warnings when they visit your site, you'll need to generate a Certificate Signing Request (CSR) from your keypair and submit that to an SSL certificate authority, who will create a certificate derived from your CSR, but signed with their private key. Luckily, in recent years, the SSL CA business has gotten extremely competitive, so pricing shouldn't be a major hurdle anymore.
If you're not planning to get a real cartel-signed SSL certificate, you can use the private key and self-signed cert as-is.
Either way, you need to tell your web server how to find the certificate (whether self-signed or CA-signed) and private key. Apache HTTPD prefers to keep the two things in separate files; most JVM servers prefer that they be encapsulated in a keystore. The best keystore format for general use is called PKCS#12, it's an industry standard. Making a PKCS#12 file out of a separate key and cert is a bit tricky, look on ServerFault if you can't figure it out. :)
You usually want to put the private key passphrase in the server's configuration file, so make sure that configuration file (and the file containing the private key) have the most restrictive permissions that will still work.