Wildfly 9 http to https


Problem description


I want to redirect the request from HTTP to HTTPS. I am using wildfly 9. After a google search I found the following, but it is not working. I hope somebody

<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>


Recommended answer


First, I am basing this off of WildFly 9.0.1.Final and I am assuming you're merely trying to enable SSL via HTTPS and are not worried about authentication. I just spent about a day figuring this all out. Work off this documentation:

https://docs.jboss.org/author/display/WFLY9/Admin+Guide


The first thing you want to do is create your keystore as outlined in the documentation.


https://docs.jboss.org/author/display/WFLY9/Admin+Guide#AdminGuide-EnableSSL


The really important question to answer correctly is the one asking for your first and last name. In there, you need to put the hostname of the application server (e.g. localhost). Open a terminal window in the folder {jboss.home}/standalone/configuration and enter the following command:



keytool -genkey -alias MY_ALIAS -keyalg RSA -keystore MY_KEYSTORE_FILENAME -validity 365


NOTE: MY_ALIAS, MY_KEYSTORE_FILENAME, and MY_PASSWORD are arbitrary and you can set them as you wish.


The next step is to modify the standalone-XXX.xml file in the same {jboss.home}/standalone/configuration directory. I am using the standalone-full.xml file, however I believe this will work for the others as well.


The next step in the documentation I linked to above tells us to put the SSL keystore reference in the ManagementRealm. This can lead to a good deal of confusion. For the purposes of this response, I am trying to get WildFly to enable SSL over port 8443 for access to my applications. While I also enabled SSL for the management console (via port 9993), that's for later.


I suggest putting the keystore information in the ApplicationRealm as follows:

<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="MY_KEYSTORE_FILENAME" relative-to="jboss.server.config.dir" keystore-password="MY_PASSWORD" alias="MY_ALIAS" key-password="MY_PASSWORD"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>


NOTE: the only changes to the default file in this section should be the server-identities tag. The authentication tag should be left alone unless you have other reasons to modify it.


NOTE: MY_KEYSTORE_FILENAME, MY_ALIAS and MY_PASSWORD must match the values you provided when creating the key.


Now, the documentation gets a bit tricky. You now need to scroll down a bit to do the next step, though unfortunately it doesn't tell you to do so. Now that you have the keystore installed in Wildfly and configured within the appropriate security realm, you need to install the HTTPS listener and link it to the keystore.


https://docs.jboss.org/author/display/WFLY9/Admin+Guide#AdminGuide-HTTPSlistener

HTTPS listener


Https listener provides secure access to the server. The most important configuration option is security realm which defines SSL secure context.


Unfortunately, the documentation does not remain consistent with the security-realm attribute (previously installing the keystore in ManagementRealm and here referencing it in the ssl-realm). Since I put the keystore in the ApplicationRealm, we need to reference it as such.


Additionally, just to clarify, you need to put this within the undertow subsystem. Here is what I inserted, right underneath the http-listener tag:

<https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>

Here is the entire undertow subsystem:

<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>


And also, the socket-binding-group tag which defines the ports themselves:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="iiop" interface="unsecure" port="3528"/>
    <socket-binding name="iiop-ssl" interface="unsecure" port="3529"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>


NOTE: you will notice in the HTTPS listener we referenced name="httpsServer" (this value 'httpsServer' is arbitrary and can be set to whatever you wish), socket-binding="https" (this value 'https' must match the https socket listed in the socket-binding group) and security-realm="ApplicationRealm" (this value 'ApplicationRealm' must be whatever security realm you installed the keystore in).


With this configuration, you should find that ports 8443 (secure) and 8080 (unsecure) both work for accessing WildFly's application service. Port 9990 (unsecure) still works for accessing the web administration UI, however 9993 (secure admin UI) does not.

Securing the admin console


I found these instructions and they worked perfectly.

http://www.mastertheboss.com/jboss-server/jboss-security/securing-access-to-jboss-wildfly-management-console


First step is to create the SSL key:

keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword


NOTE: Remember, your server name should be used when it asks for first name / last name.


Next, configure the ManagementRealm in the standalone-XXX.xml to include the keystore. Add in the server-identities tag below:

<server-identities>
    <ssl>
        <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey" key-password="mypassword"/>
    </ssl>
</server-identities>


Below is what the full ManagementRealm looks like:

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey" key-password="mypassword"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>


Next, the management-interfaces section of the standalone-XXX.xml file uses an HTTP socket binding and we want to bind it to the HTTPS socket (specifically, the management-https socket).

<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>


NOTE: see how the interface references the ManagementRealm security-realm. I tried it by just referencing the ApplicationRealm, without creating a separate keystore and it still worked somehow. It's probably best practice to not reuse that code for both purposes.


NOTE: below is the management-https socket definition referenced in the management-interface.

<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>


NOTE: for any of the socket definitions, you can (if needed) change the port number.

Redirecting HTTP to HTTPS


In your web.xml file, insert the following chunk of code within the web-app tag.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>WEB_APPLICATION_NAME</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


NOTE: You need to put the name of your application where it says WEB_APPLICATION_NAME. I can't be sure of what that would be in all scenarios, but for me, if the war file being deployed is MyApp.war, then I put MyApp there.


You can use either CONFIDENTIAL, INTEGRAL or NONE for the transport-guarantee. Note the below URL: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html which will describe the differences, however it also states that CONFIDENTIAL and INTEGRAL are effectively the same.


Once that code is installed, you're done. Go ahead and test it out using https via port 8443 and then using http via port 8080. You will notice that when you use http/8080, it replies and your browser switches to https/8443. If you are like me and didn't trust it, you can curl it.

curl -vv -k -L -X GET http://localhost:8080/MyApp/rest/endpoint


You will see output similar to the following, demonstrating the redirect is working:


Hostname was NOT found in DNS cache
Trying 127.0.0.1...
Connected to localhost (127.0.0.1) port 8080 (#0)
GET /MyApp/rest/endpoint HTTP/1.1
User-Agent: curl/7.35.0
Host: localhost:8080
Accept: */*

HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Server WildFly/9 is not blacklisted
Server: WildFly/9
Location: https://localhost:8443/MyApp/rest/endpoint
Content-Length: 0
Date: Fri, 04 Sep 2015 18:42:08 GMT


Connection #0 to host localhost left intact
Issue another request to this URL: 'https://localhost:8443/MyApp/rest/endpoint'
Found bundle for host localhost: 0x8d68f0
Hostname was NOT found in DNS cache
Trying 127.0.0.1...
Connected to localhost (127.0.0.1) port 8443 (#1)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using ECDHE-RSA-DES-CBC3-SHA
Server certificate:
subject: C=US; ST=Unknown; L=Unknown; O=Org; OU=Unknown; CN=localhost
start date: 2015-09-04 15:23:06 GMT
expire date: 2016-09-03 15:23:06 GMT
issuer: C=US; ST=Unknown; L=Unknown; O=Org; OU=Unknown; CN=localhost
SSL certificate verify result: self signed certificate (18), continuing anyway.
GET /MyApp/rest/endpoint HTTP/1.1
User-Agent: curl/7.35.0
Host: localhost:8443
Accept: */*


HTTP/1.1 200 Forbidden
Connection: keep-alive
X-Powered-By: Undertow/1
Server WildFly/9 is not blacklisted
Server: WildFly/9
Content-Type: application/json
Content-Length: 42
Date: Fri, 04 Sep 2015 18:42:08 GMT


Connection #1 to host localhost left intact
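The check the answer does by eye on the curl output, as an added example that is not part of the question or answer: it parses a raw HTTP response offline and verifies that the plain-HTTP listener sends the client to the same host and path over HTTPS on the expected port (8443, the default https socket-binding above, is an assumption passed as a parameter). The sample responses are constructed from the output shown.

```python
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(request_url: str, raw: str, https_port: int = 8443):
    """Return (ok, reason): ok only if the plain-HTTP request was answered with a
    redirect to the same host and path over HTTPS on https_port (assumed 8443)."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        return False, f"expected a 3xx redirect, got {status}"
    location = headers.get("location")
    if not location:
        return False, "redirect has no Location header"
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        return False, f"Location is not https: {location}"
    if loc.hostname != req.hostname:
        return False, f"Location points at another host: {loc.hostname}"
    if (loc.port or 443) != https_port:
        return False, f"Location uses port {loc.port or 443}, expected {https_port}"
    if loc.path != req.path:
        return False, f"path changed: {req.path} -> {loc.path}"
    return True, "redirect OK"


# Constructed from the 302 shown in the answer's curl output above.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Connection: keep-alive\r\n"
    "X-Powered-By: Undertow/1\r\n"
    "Server: WildFly/9\r\n"
    "Location: https://localhost:8443/MyApp/rest/endpoint\r\n"
    "Content-Length: 0\r\n"
    "Date: Fri, 04 Sep 2015 18:42:08 GMT\r\n\r\n"
)
# Constructed: the http listener answering directly (what you get before the CONFIDENTIAL constraint is in web.xml).
PLAIN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n{}"
```

Feed it the response body captured from `curl -v` against the http port; a 200 on port 8080 means the security-constraint is not being applied to that path.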
