Using a single port for HTTP and HTTPS on Glassfish 2


Problem description



I have an application that is deployed on Glassfish and listens on port 8181 for HTTPS traffic (currently). The problem is that when deployed, customers rarely create a valid certificate for the server. This means that HTTPS fails certificate checks.

There is some type of content in our application that we'd like to fetch over HTTP, as it's static and the fact that fetching is not encrypted is not a problem.

The problem we DO have is that only port 8181 is available for the users (firewalls, etc., cannot be changed).

So, we need a way for Glassfish to listen to the incoming connection on port 8181 and identify what protocol is being attempted (https://myserver:8181 or http://myserver:8181).

I've seen a solution for Tomcat: https://serverfault.com/questions/47876/handling-http-and-https-requests-using-a-single-port-with-nginx#comment-37501

Any ideas on how to do this with Glassfish? Can we implement a hook in there and hand off to either handler (HTTP or HTTPS) appropriately?

Solution

I've looked at all the answers over there and they say almost the same thing: it is impossible because of the differences between HTTP and HTTPS. Even browsers use different default ports for handling HTTP/HTTPS.

Why this is happening: HTTP is basically a text protocol, and browsers just send HTTP (text) headers over TCP/IP. HTTPS isn't just SSL over HTTP. First of all, the browser performs a "handshake", then it receives the certificate from the server, and all information from server to browser and vice versa is encoded with symmetric keys negotiated during the handshake.

Because of the 2 keys (public and private) used in asymmetric encryption, nobody (except whoever knows the private key) can sniff or change the information.

Experiment: try the following: change https to http and explicitly add "443" at the end (something like http://google.com:443). You'll get either "The connection was reset" or a suggestion to save a binary file (e.g. a certificate).

Note: usually servers are set to reject such requests.

So even if you use the same connector to handle both HTTP and HTTPS connections, you are supposed to use different connection handlers (we faced this when we were implementing a high-load server based on Netty).

And the only possibility to use HTTP and HTTPS on the same port is to use a "magic recognizer", which would check whether plain text or a binary handshake has come in. If we put that recognizer on the container's side (Glassfish protocol handler), it would have quite a big performance overhead (checking every request for whether it is SSL or not!). If we put it on the proxy server's side (e.g. nginx or other non-blocking servers, such as Netty), performance wouldn't suffer too much, but anyway this doesn't guarantee 100% success.

Note: that proxy server just recognizes the protocol, and after that it forwards the request to 2 different ports!

As a conclusion: in general it's possible, but from my point of view the work needed isn't worth the result.

EDIT: As @Bruno answered, there is a magic recognizer present out of the box, but it is not officially supported by Glassfish.
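The "magic recognizer" plus proxy described in the answer, as an added example that is not part of the original thread or of Glassfish: it peeks at the first bytes of each connection on the shared port, decides between a TLS/SSL handshake and a plain HTTP request line, and splices the socket to one of two backend ports. The backend ports 8080/8443 and the 6-byte peek length are assumptions for the example.

```python
import socket
import threading

# Backends the proxy hands off to (constructed for this example, not Glassfish's own config):
# plain HTTP listener and HTTPS listener run on separate internal ports behind the shared 8181.
BACKENDS = {"http": ("127.0.0.1", 8080), "tls": ("127.0.0.1", 8443)}
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"TRACE ")


def classify(prefix: bytes) -> str:
    """Classify the first bytes a client sent: TLS record, legacy SSLv2 hello, plain HTTP, or unknown."""
    if len(prefix) < 3:
        return "unknown"  # too little data to decide; a real proxy would peek again
    # TLS record header: content type 0x16 (handshake), then version 0x03 0x00..0x03 (SSL 3.0 .. TLS 1.2/1.3).
    if prefix[0] == 0x16 and prefix[1] == 0x03 and prefix[2] <= 0x03:
        return "tls"
    # Legacy SSLv2 ClientHello: 2-byte length with the high bit set, then message type 0x01.
    if prefix[0] & 0x80 and prefix[2] == 0x01:
        return "tls"
    # Plain HTTP starts with a request line: an ASCII method token followed by a space.
    if prefix.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def pick_backend(prefix: bytes):
    """Return the (host, port) to forward to, or None when the protocol is not recognised."""
    return BACKENDS.get(classify(prefix))


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client):
    """Peek (MSG_PEEK leaves the bytes in the buffer) so the backend still sees the full handshake/request."""
    client.settimeout(5)
    backend = pick_backend(client.recv(6, socket.MSG_PEEK))
    if backend is None:
        client.close()  # neither TLS nor HTTP: drop instead of guessing
        return
    client.settimeout(None)
    upstream = socket.create_connection(backend)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def serve(port=8181):
    """Accept on the single exposed port and demultiplex each connection."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The classifier only looks at the first record, so a client that sends nothing (or fewer than three bytes) within the timeout is dropped rather than misrouted.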
