Notes on configuring HTTPS (CentOS7 + Tomcat + Nginx)
CentOS7 configuration
Reference articles
https://www.digitalocean.com/community/tutorials/how-to-encrypt-tomcat-8-connections-with-apache-or-nginx-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
Network configuration
# Several ways to check the version
lsb_release -a
uname
uname -r
uname -a
cat /etc/redhat-release
cat /etc/centos-release
rpm -q redhat-release
cat /proc/version
# Configure a static IP
# Configuration file
/etc/sysconfig/network-scripts/ifcfg-eno16777736
(eno16777736 is the device name)
# Restart the network
/etc/init.d/network restart
systemctl restart network.service
# Check the network status
ifconfig
ip addr
--------------------------------------------------------
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=62da3834-9ccf-4a71-874b-702077e16ec9
DEVICE=eno16777736
ONBOOT=yes #bring this interface up at boot
HWADDR=00:0C:29:C3:60:78
IPADDR=192.168.214.100 #static IP
GATEWAY=192.168.214.2 #default gateway
NETMASK=255.255.255.0 #subnet mask
#DNS1= #DNS
NM_CONTROLLED=no #this interface is configured from this file and not managed by NetworkManager
PREFIX=24
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
--------------------------------------------------------
Check the status of the NetworkManager service
systemctl status NetworkManager.service
List the interfaces managed by NetworkManager
nmcli dev status
Configure DNS
vi /etc/resolv.conf
nameserver 114.114.114.114
yum configuration
Post-install security for CentOS
0x01 Root Login
# Log in as root over ssh
# ssh root@SERVER_IP_ADDRESS
ssh root@192.168.0.100
SSH Client Software
- OpenSSH(Linux and Mac OS X)
- PuTTY(Windows)
Login as Root
# Option 1: OpenSSH(Linux and Mac OS X)
# Option 2: PuTTY
0x02 Create a New User
# Create a user
adduser loginuser
# Set its password
passwd loginuser
0x03 Root Privileges
# A regular user exercises root privileges through sudo; members of the wheel group get sudo rights
gpasswd -a loginuser wheel
0x04 Add Public Key Authentication
Generate a Key Pair
# Run on the local machine
# generate a new key pair
ssh-keygen
ssh-keygen -t rsa -C "your_email@example.com"
# The generated key pair is stored in the following directory
/Users/snddfhv/.ssh/
id_rsa is the private key
id_rsa.pub is the public key
Copy the Public Key
Next, add the generated public key to the server; there are two ways
# Option 1: Use ssh-copy-id
# requires the ssh-copy-id script to be installed locally
ssh-copy-id loginuser@192.168.0.100
# After this command runs, the public key generated on the local machine is appended to .ssh/authorized_keys in loginuser's home directory on the remote machine
# Option 2: Manually Install the Key
cat ~/.ssh/id_rsa.pub
# copy the local machine's public key
# on the remote machine, create the following directory under loginuser's home and set its permissions
su - loginuser
mkdir .ssh
chmod 700 .ssh
# open .ssh/authorized_keys, paste the local machine's public key into it, and set its permissions
vi .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
# leave the loginuser account
exit
# the local machine can now log in to the remote machine without a password
ssh loginuser@192.168.0.100
A problem encountered when logging in over ssh
The error messages were:
# Other machines connecting to the CentOS7 host report the following errors
ssh: connect to host 192.168.0.100 port 22: Connection refused
packet_write_wait: Connection to 192.168.0.100 port 22: Broken pipe
Work through the following checklist:
- Is the IP address correct?
- Check whether the firewall is off
- Does ping reach the host?
- Is the sshd service running?
- Check ~/.ssh/known_hosts on the client for an entry for the target host's IP; if there is one, delete it
- Restart the sshd service
- ssh IP
# Keep SSH server connections alive for a long time
vi /etc/ssh/sshd_config
# Set the following two parameters
TCPKeepAlive yes
ClientAliveCountMax 60
# The first parameter keeps the TCP connection alive
# The second is how long an idle client SSH connection waits before it is automatically terminated, in minutes
# Restart for the change to take effect
sudo systemctl restart sshd
# Another approach
# On the client, add a config file in ~/.ssh/ with the following setting
ServerAliveInterval 60
# On the server, add the following setting to /etc/ssh/sshd_config
ClientAliveInterval 60
# To keep only the current ssh session alive
ssh -o ServerAliveInterval=60 user@sshserver
http://stackoverflow.com/questions/13228425/write-failed-broken-pipe
http://superuser.com/questions/364304/how-do-i-configure-ssh-on-os-x
0x06 Configure SSH Daemon
Configure SSH - disable root login
Edit the configuration file /etc/ssh/sshd_config
#PermitRootLogin yes
Change it to the following (root login not allowed)
PermitRootLogin no
Reload SSH
systemctl reload sshd
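An added example (not part of the original notes) that audits an sshd_config file for the settings discussed above: root login, TCPKeepAlive and the ClientAlive parameters. The file path, the assumed compiled-in defaults and the sample configuration are all constructed here.

```shell
# Added example, not part of the original notes: audit an sshd_config for the
# settings discussed above. FILE is a parameter; the sample config is constructed.

# effective_value FILE KEYWORD DEFAULT
# Prints the value of the first uncommented KEYWORD line (sshd honours the
# first match), or DEFAULT when the keyword only appears commented out.
effective_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Returns 0 when root login is disabled, 1 otherwise, and prints the keepalive
# settings. ClientAliveCountMax is a count of unanswered probes, not minutes:
# an idle session is dropped after ClientAliveInterval * ClientAliveCountMax seconds.
audit_sshd_config() {
    f="$1"
    root=$(effective_value "$f" PermitRootLogin yes)   # default assumed; confirm with sshd -T on the host
    keep=$(effective_value "$f" TCPKeepAlive yes)
    ival=$(effective_value "$f" ClientAliveInterval 0)
    cmax=$(effective_value "$f" ClientAliveCountMax 3)
    if [ "$ival" -eq 0 ]; then
        echo "PermitRootLogin=$root TCPKeepAlive=$keep idle sessions are never dropped by sshd"
    else
        echo "PermitRootLogin=$root TCPKeepAlive=$keep idle sessions dropped after $((ival * cmax))s"
    fi
    [ "$root" = "no" ]
}

# Constructed sample: the commented default stays, PermitRootLogin no is added,
# and the keepalive values from the notes above are set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 60
EOF
audit_sshd_config "$sample" && echo "OK: root login disabled" || echo "FAIL: root login still permitted"
rm -f "$sample"
```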
Hardening
Configuring a Basic Firewall
Start the firewall
sudo systemctl start firewalld
Managing SSH
# Allow ssh through the firewall
sudo firewall-cmd --permanent --add-service=ssh
# If the ssh port was changed
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-port=12211/tcp
Services managed by firewalld
# List the known services
sudo firewall-cmd --get-services
# Add http
sudo firewall-cmd --permanent --add-service=http
# Add https
sudo firewall-cmd --permanent --add-service=https
# Add smtp
sudo firewall-cmd --permanent --add-service=smtp
# List the services allowed by firewalld
sudo firewall-cmd --permanent --list-all
# reload the firewall
sudo firewall-cmd --reload
Enable at boot
sudo systemctl enable firewalld
Configure Timezones and Network Time Protocol Synchronization
Configure Timezones
# available timezones
sudo timedatectl list-timezones
# look current setting
timedatectl
# setting
# sudo timedatectl set-timezone region/timezone
sudo timedatectl set-timezone Asia/Shanghai
Configure NTP Synchronization
# Install NTP
sudo yum install ntp
# Start it and enable it at boot
sudo systemctl start ntpd
sudo systemctl enable ntpd
Create a Swap File
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo swapon /swapfile
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
Tomcat installation
Install Java
Remove the OpenJDK that ships with the system
# Install OpenJDK
sudo yum install java-1.7.0-openjdk-devel
# JAVA_HOME for OpenJDK
/usr/lib/jvm/jre
# List the installed JDK packages
rpm -qa | grep java
# Uninstall OpenJDK
rpm -e --nodeps java-xxx
Install the HotSpot JDK
# Download
wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm
# Install
rpm -ivh xxx.rpm
# Paths after installation
which java
/usr/bin/java
ls -l /usr/bin/java
/usr/bin/java -> /etc/alternatives/java
ls -l /etc/alternatives/java
/etc/alternatives/java -> /usr/java/jdk1.8.0_111/jre/bin/java
# JAVA_HOME for the Oracle JDK
/usr/java/jdk1.8.0_111/
Create Tomcat User
# create a new tomcat group
sudo groupadd tomcat
# create a new tomcat user
# its group is tomcat
# its home directory is /opt/tomcat (the Tomcat installation path)
# its shell is /bin/nologin (so nobody can log into the account)
sudo useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
# -M do not create the user's home directory
# -s login shell of the new account
# -g name of the new account's primary group
# -d home directory of the new account; this directory has to be created by hand
Install Tomcat
# Download
wget http://mirrors.hust.edu.cn/apache/tomcat/tomcat-8/v8.5.11/bin/apache-tomcat-8.5.11.tar.gz
# Unpack
sudo mkdir /opt/tomcat
sudo tar xvf xxx.tar.gz -C /opt/tomcat --strip-components=1
# Set permissions
cd /opt/tomcat
# the directory belongs to the tomcat group
sudo chgrp -R tomcat /opt/tomcat
# the tomcat group gets read access to the conf directory and its contents
sudo chmod -R g+r conf
# and execute permission on the conf directory itself
sudo chmod g+x conf
# make the tomcat user the owner of webapps/, work/, temp/ and logs/
sudo chown -R tomcat webapps/ work/ temp/ logs/
Install Systemd Unit File
Register Tomcat as a service
create and open unit file
# Add the file
sudo vi /etc/systemd/system/tomcat.service
Fill it with the following content; adjust the parameters to your setup
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target
Reload the configuration
sudo systemctl daemon-reload
sudo systemctl start tomcat
sudo systemctl status tomcat
# Enable at boot
sudo systemctl enable tomcat
Problem: Tomcat cannot be reached remotely
# Find the pid: tomcat_pid
ps -ef | grep java
# Check whether ports 8080 and 8009 are both open
sudo netstat -tupln | grep $tomcat_pid
Try disabling IPv6
Checking whether IPv6 is enabled
- From the interface properties
  command: ifconfig
  note: an "inet6 addr: ..." line means IPv6 is enabled
- From the loaded kernel modules
  command: lsmod | grep ipv6
How to disable IPv6
- Append the following to the end of /etc/modprobe.d/dist.conf
  alias net-pf-10 off
  alias ipv6 off
- Edit the interface configuration file
  /etc/sysconfig/network-scripts/ifcfg-xxxx
  and comment out all IPv6-related settings
- Edit the network configuration file
  add NETWORKING_IPV6=no
- Restart the network service
  sudo systemctl restart network
Configure Tomcat Web Management Interface
# tomcat admin user
sudo vi /opt/tomcat/conf/tomcat-users.xml
# -------------start
<tomcat-users>
<user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>
# ---------------end
# Newer Tomcat versions restrict Manager and Host Manager to local access
sudo vi /opt/tomcat/webapps/manager/META-INF/context.xml
sudo vi /opt/tomcat/webapps/host-manager/META-INF/context.xml
# ---------------start
<Context antiResourceLocking="false" privileged="true" >
<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>
# -----------------end
# Restart Tomcat
sudo systemctl restart tomcat
nginx installation
Install nginx
# Install EPEL, which adds the Nginx repository
sudo yum install epel-release
# Install nginx; the default configuration file is /etc/nginx/nginx.conf
sudo yum install nginx
# Start nginx; it listens on port 80 by default
sudo systemctl start nginx
# If the firewall is on
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
# Access it at
http://server_domain_name_or_IP/
# Enable at boot
sudo systemctl enable nginx
Reaching Tomcat through nginx
# Add the file /etc/nginx/conf.d/tomcat.conf with the following content
upstream tomcat{
server localhost:8080 weight=9;
}
server{
listen 80;
server_name tomcat;
location /{
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_pass http://localhost:8080;
}
}
HTTPS
How To Create a Self-Signed SSL Certificate for Nginx on CentOS 7
How To Secure Nginx with Let's Encrypt on CentOS 7
Create a Self-Signed SSL Certificate for Nginx
Create the SSL Certificate
# /etc/ssl/certs: directory holding the public certificates on the server
# /etc/ssl/private: directory holding the private keys on the server
sudo mkdir /etc/ssl/certs
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
# create a self-signed key and certificate pair with OpenSSL
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
This command prompts interactively for the certificate fields
# create a strong Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# This produces the file /etc/ssl/certs/dhparam.pem
Configure Nginx to Use SSL
sudo vi /etc/nginx/conf.d/ssl.conf
# -------------------------start
server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name server_IP_address;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
########################################################################
# from https://cipherli.st/ #
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
########################################################################
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4 valid=300s;
# resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
##################################
# END https://cipherli.st/ BLOCK #
##################################
root /usr/share/nginx/html;
location / {
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# -------------------------end
Create a Redirect from HTTP to HTTPS
sudo vi /etc/nginx/default.d/ssl-redirect.conf
# ---------------------------start
return 301 https://$host$request_uri;
# ---------------------------end
# Edit tomcat.conf, i.e. the http configuration
# Add the line include /etc/nginx/default.d/*.conf;
# -------------------------------start
upstream tomcat{
server localhost:8081 weight=9;
}
server{
listen 80;
server_name tomcat;
include /etc/nginx/default.d/*.conf;
location /{
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_pass http://localhost:8081;
}
}
# -------------------------------end
Enable the Changes in Nginx
sudo nginx -t
# It prints the following
# ----------------------start
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# ----------------------end
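An added example (not part of the original notes) that lints the nginx TLS server block above for the points worth checking before reloading, including the cause of the "ssl_stapling" warning printed above. The file path, the hypothetical lint_nginx_ssl function and the sample configuration are constructed here.

```shell
# Added example, not part of the original notes: lint the nginx TLS server
# block above for what a reviewer checks before reloading. FILE is a
# parameter; the sample config is constructed from the directives above.

# directive FILE NAME -> arguments of the first uncommented NAME directive
directive() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p' "$1" | head -n 1
}

# lint_nginx_ssl FILE -> prints one finding per line; returns 0 when clean
lint_nginx_ssl() {
    f="$1"; n=0
    case " $(directive "$f" ssl_protocols) " in
        *" TLSv1 "*|*" TLSv1.1 "*)
            echo "weak: ssl_protocols enables TLSv1/TLSv1.1 (deprecated by RFC 8996)"; n=$((n+1)) ;;
    esac
    [ "$(directive "$f" ssl_session_tickets)" = "off" ] || { echo "weak: ssl_session_tickets is not off"; n=$((n+1)); }
    # OCSP stapling needs a resolver to reach the responder and a CA-issued chain;
    # with the self-signed certificate nginx prints the "issuer certificate not found" warning
    if [ "$(directive "$f" ssl_stapling)" = "on" ] && [ -z "$(directive "$f" resolver)" ]; then
        echo "misconfig: ssl_stapling on but no resolver directive"; n=$((n+1))
    fi
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f" \
        || { echo "missing: Strict-Transport-Security header"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# Constructed sample with the relevant lines of the ssl.conf above
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    ssl_stapling on;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
}
EOF
lint_nginx_ssl "$sample" || echo "findings above need attention before nginx -s reload"
rm -f "$sample"
```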