Wildfly 9 http to https

Question

I want to redirect the request from HTTP to HTTPS. I am using wildfly 9. After a google search I found the following, but it is not working. I hope somebody

<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>

Accepted answer

First, I am basing this off of WildFly 9.0.1.Final and I am assuming you're merely trying to enable SSL via HTTPS and are not worried about authentication. I just spent about a day figuring this all out. Work off this documentation:

https://docs.jboss.org/author/display/WFLY9/Admin+Guide

The first thing you want to do is create your keystore as outlined in the documentation.

https://docs.jboss.org/author/display/WFLY9/Admin+Guide#AdminGuide-EnableSSL

The really important question to answer correctly is the one asking for your first and last name. In there, you need to put the hostname of the application server (e.g. localhost). Open a terminal window in the folder {jboss.home}/standalone/configuration and enter the following command:

keytool -genkey -alias MY_ALIAS -keyalg RSA -keystore MY_KEYSTORE_FILENAME -validity 365

NOTE: MY_ALIAS, MY_KEYSTORE_FILENAME, and MY_PASSWORD are arbitrary and you can set them as you wish.

The next step is to modify the standalone-XXX.xml file in the same {jboss.home}/standalone/configuration directory. I am using the standalone-full.xml file, however I believe this will work for the others as well.

The next step in the documentation I linked to above tells us to put the SSL keystore reference in the ManagementRealm. This can lead to a good deal of confusion. For the purposes of this response, I am trying to get WildFly to enable SSL over port 8443 for access to my applications. While I also enabled SSL for the management console (via port 9993), that's for later.

I suggest putting the keystore information in the ApplicationRealm as follows:

<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="MY_KEYSTORE_FILENAME" relative-to="jboss.server.config.dir" keystore-password="MY_PASSWORD" alias="MY_ALIAS" key-password="MY_PASSWORD"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

NOTE: the only change to the default file in this section should be the server-identities tag. The authentication tag should be left alone unless you have other reasons to modify it.

NOTE: MY_KEYSTORE_FILENAME, MY_ALIAS and MY_PASSWORD must match the values you provided when creating the key.

Now, the documentation gets a bit tricky. You now need to scroll down a bit to do the next step, though unfortunately it doesn't tell you to do so. Now that you have the keystore installed in Wildfly and configured within the appropriate security realm, you need to install the HTTPS listener and link it to the keystore.

https://docs.jboss.org/author/display/WFLY9/Admin+Guide#AdminGuide-HTTPSlistener

HTTPS listener

Https listener provides secure access to the server. The most important configuration option is security realm which defines SSL secure context.

Unfortunately, the documentation does not remain consistent with the security-realm attribute (previously installing the keystore in ManagementRealm and here referencing it in the ssl-realm). Since I put the keystore in the ApplicationRealm, we need to reference it as such.

Additionally, just to clarify, you need to put this within the undertow subsystem. Here is what I inserted, right underneath the http-listener tag:

<https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>

Below is the complete body of the undertow subsystem.

<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>

And also, the socket-binding-group tag which defines the ports themselves:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="iiop" interface="unsecure" port="3528"/>
    <socket-binding name="iiop-ssl" interface="unsecure" port="3529"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>

NOTE: you will notice in the HTTPS listener we referenced name="httpsServer" (this value 'httpsServer' is arbitrary and can be set to whatever you wish), socket-binding="https" (this value 'https' must match the https socket listed in the socket-binding group) and security-realm="ApplicationRealm" (this value 'ApplicationRealm' must be whatever security realm you installed the keystore in).

With this configuration, you should find that ports 8443 (secure) and 8080 (unsecure) both work for accessing WildFly's application service. Port 9990 (unsecure) still works for accessing the web administration UI, however 9993 (secure admin UI) does not.

Securing the management console

I found these instructions and they worked perfectly.

http://www.mastertheboss.com/jboss-server/jboss-security/securing-access-to-jboss-wildfly-management-console

First step is to create the SSL key:

keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword

NOTE: Remember, your server name should be used when it asks for first name / last name.

Next, configure the ManagementRealm in the standalone-XXX.xml to include the keystore. Add in the server-identities tag below:

<server-identities>
    <ssl>
        <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey" key-password="mypassword"/>
    </ssl>
</server-identities>

Below is what the full ManagementRealm looks like:

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey" key-password="mypassword"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

Next, the management-interfaces section of the standalone-XXX.xml file uses an HTTP socket binding and we want to bind it to the HTTPS socket (specifically, the management-https socket).

<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>

NOTE: see how the interface references the ManagementRealm security-realm. I tried it by just referencing the ApplicationRealm, without creating a separate keystore and it still worked somehow. It's probably best practice to not reuse that code for both purposes.

NOTE: below is the management-https socket definition referenced in the management-interface.

<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>

NOTE: for any of the socket definitions, you can (if needed) change the port number.

Redirect HTTP to HTTPS

In your web.xml file, insert the following chunk of code within the web-app tag.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>WEB_APPLICATION_NAME</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

NOTE: You need to put the name of your application where it says WEB_APPLICATION_NAME. I can't be sure of what that would be in all scenarios, but for me, if the war file being deployed is MyApp.war, then I put MyApp there.

You can use either CONFIDENTIAL, INTEGRAL or NONE for the transport-guarantee. Note the below URL: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html which will describe the differences, however it also states that CONFIDENTIAL and INTEGRAL are effectively the same.

Once that code is installed, you're done. Go ahead and test it out using https via port 8443 and then using http via port 8080. You will notice that when you use http/8080, it replies and your browser switches to https/8443. If you are like me and didn't trust it, you can curl it.

curl -vv -k -L -X GET http://localhost:8080/MyApp/rest/endpoint

You will see output similar to the following, demonstrating the redirect is working:

Hostname was NOT found in DNS cache
Trying 127.0.0.1...
Connected to localhost (127.0.0.1) port 8080 (#0)
GET /MyApp/rest/endpoint HTTP/1.1
User-Agent: curl/7.35.0
Host: localhost:8080
Accept: */*

HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Server WildFly/9 is not blacklisted
Server: WildFly/9
Location: https://localhost:8443/MyApp/rest/endpoint
Content-Length: 0
Date: Fri, 04 Sep 2015 18:42:08 GMT

Connection #0 to host localhost left intact
Issue another request to this URL: 'https://localhost:8443/MyApp/rest/endpoint'
Found bundle for host localhost: 0x8d68f0
Hostname was NOT found in DNS cache
Trying 127.0.0.1...
Connected to localhost (127.0.0.1) port 8443 (#1)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using ECDHE-RSA-DES-CBC3-SHA
Server certificate:
subject: C=US; ST=Unknown; L=Unknown; O=Org; OU=Unknown; CN=localhost
start date: 2015-09-04 15:23:06 GMT
expire date: 2016-09-03 15:23:06 GMT
issuer: C=US; ST=Unknown; L=Unknown; O=Org; OU=Unknown; CN=localhost
SSL certificate verify result: self signed certificate (18), continuing anyway.
GET /MyApp/rest/endpoint HTTP/1.1
User-Agent: curl/7.35.0
Host: localhost:8443
Accept: */*

HTTP/1.1 200 Forbidden
Connection: keep-alive
X-Powered-By: Undertow/1
Server WildFly/9 is not blacklisted
Server: WildFly/9
Content-Type: application/json
Content-Length: 42
Date: Fri, 04 Sep 2015 18:42:08 GMT

Connection #1 to host localhost left intact
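The curl check the answer ends with, automated as an added example that is not part of the original post or of WildFly itself: it requests the plain-HTTP URL without following redirects, verifies that the 302 keeps the https scheme, the same host, the expected TLS port and the original path and query (so nothing is dropped or sent elsewhere), then opens a TLS session to the redirect target to report the negotiated protocol and cipher suite, and finally checks the HTTPS response for a Strict-Transport-Security header. Host, ports and path default to the values used in the post (localhost, 8080, 8443, /MyApp/rest/endpoint) and are assumptions; `insecure=True` is the equivalent of `curl -k` for the self-signed certificate. SAMPLE_REDIRECT is a constructed response shaped like the 302 captured above, so the parsing and redirect checks can be exercised offline.

```python
"""Check a WildFly HTTP->HTTPS redirect and the TLS endpoint it points at.

Added example, not code from the original post: it automates the curl check
at the end of the answer. Host, ports and path default to the post's values
(localhost, 8080/8443, /MyApp/rest/endpoint) and are assumptions.
"""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

# Cipher-name fragments a practitioner would refuse today; "DES" also catches the
# 3DES suite ECDHE-RSA-DES-CBC3-SHA that the curl output in the answer negotiated.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

# Constructed sample, shaped like the 302 the answer captured with curl.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Connection: keep-alive\r\n"
    "Server: WildFly/9\r\n"
    "Location: https://localhost:8443/MyApp/rest/endpoint\r\n"
    "Content-Length: 0\r\n"
)


def parse_response_head(raw):
    """Split a raw status line plus headers into (status, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(status, headers, original_url, https_port=8443):
    """Return problems with an HTTP->HTTPS hop; [] means scheme, host, port,
    path and query all survived the redirect."""
    if status not in (301, 302, 303, 307, 308):
        return [f"expected a 3xx redirect, got {status}"]
    location = headers.get("location")
    if not location:
        return ["redirect without a Location header"]
    src, dst, problems = urlsplit(original_url), urlsplit(location), []
    if dst.scheme != "https":
        problems.append(f"Location is not https: {location}")
    if dst.hostname != src.hostname:
        problems.append(f"redirect changes host {src.hostname} -> {dst.hostname}")
    if (dst.port or 443) != https_port:
        problems.append(f"redirect targets port {dst.port or 443}, expected {https_port}")
    if dst.path != src.path or dst.query != src.query:
        problems.append("redirect drops or rewrites the path or query")
    return problems


def weak_cipher(cipher_name):
    """True when the negotiated suite contains one of WEAK_CIPHER_MARKERS."""
    return any(marker in cipher_name.upper() for marker in WEAK_CIPHER_MARKERS)


def fetch_head(host, port, path, tls=False, insecure=False, timeout=5):
    """Issue one GET without following redirects; return (status, headers)."""
    if tls:
        ctx = ssl.create_default_context()
        if insecure:  # self-signed cert, the equivalent of 'curl -k' in the post
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def inspect_tls(host, port, insecure=False, timeout=5):
    """Open a TLS session and report protocol version and negotiated cipher."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name = tls.cipher()[0]
            return {"protocol": tls.version(), "cipher": name, "weak": weak_cipher(name)}


def main(host="localhost", http_port=8080, https_port=8443,
         path="/MyApp/rest/endpoint", insecure=True):
    """Run the checks against a live server; True when everything passes."""
    original = f"http://{host}:{http_port}{path}"
    status, headers = fetch_head(host, http_port, path)
    problems = check_redirect(status, headers, original, https_port)
    print(f"{original} -> {status} {headers.get('location', '(no Location)')}")
    info = inspect_tls(host, https_port, insecure=insecure)
    print(f"TLS {info['protocol']} {info['cipher']}" + ("  WEAK" if info["weak"] else ""))
    _, headers = fetch_head(host, https_port, path, tls=True, insecure=insecure)
    if "strict-transport-security" not in headers:
        problems.append("https response carries no Strict-Transport-Security header")
    for p in problems:
        print("  PROBLEM:", p)
    return not problems and not info["weak"]


if __name__ == "__main__":
    main()
```

Run it against the server once the configuration above is in place. Two things it will report on a setup exactly like the one in the answer: the suite shown in the curl output, ECDHE-RSA-DES-CBC3-SHA, is 3DES and is flagged as weak, and no Strict-Transport-Security header is sent, so a browser will keep starting on port 8080 until redirected. On WildFly 9 the https-listener element accepts enabled-protocols and enabled-cipher-suites attributes to restrict what the JVM offers, and an HSTS header can be added with the same response-header filter and filter-ref pair the subsystem above already uses for the Server header.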
