make wildfly listen on port 443 not 8443


Question

So I have added an SSL certificate to my wildfly 9 and it's working, but I want to configure my standalone.xml to listen to https on port 443, not on port 8443 as in the default configuration. When I update the value ${jboss.https.port:8443} to ${jboss.https.port:443} it generates an error. This is what I have in my standalone.xml:

<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <location name="/images" handler="ImagesDirHandler"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>


Answer

Please provide more accurate details about your environment and errors.

I had similar needs to yours. The users access our system through a network where the only requests available are on port 80 or 443. Then, when a customer calls the system on port 80, wildfly redirects to port 8443 and the user cannot connect to the system. The solution was to make wildfly redirect to port 443 instead of 8443. Here are some instructions for all looking for help on this issue:


  1. On a Linux-based operating system, ports up to 1024 are privileged and can only be bound with root privileges.

  2. Running wildfly or any other web/app server with root privileges on a production-facing server is not a good idea.

  3. On the other hand, trying to make wildfly bind directly to port 443 or 80 as a 'regular' user generates a "permission denied" error.

The solution for the problem I described above was to bind wildfly to ports 8080/8443 (without root privileges) and ask the operating system to redirect traffic from port 80 to port 8080 and from port 443 to port 8443. After that, configure wildfly to redirect http requests to https requests on port 443 instead of 8443.

So, assuming wildfly is running with http on port 8080 and https on port 8443 on a Linux-based OS as a service:

1) Stop wildfly: sudo service wildfly stop

2) Add iptables commands to the startup /etc/init.d/wildfly script, like:

if [ $launched -eq 0 ]; then
    log_warning_msg "$DESC hasn't started within the timeout allowed"
    log_warning_msg "please review file \"$JBOSS_CONSOLE_LOG\" to see the status of the service"
else
    # wildfly is up: send the privileged ports to the ones it actually binds.
    # The -C check keeps a restart from appending the same rule a second time.
    iptables -t nat -C PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 2>/dev/null \
        || iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -C PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 2>/dev/null \
        || iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
fi

PS: You add a rule on a table called "nat"; from the man pages of iptables:


nat:

This table is consulted when a packet that creates a new connection is encountered.

So, if you have requested https://localhost:443 before the rule creation, the connection was already created, so the nat table is not applied. Try from a new device.

Where $launched is a bash variable that represents the state of wildfly.

2) In the standalone.xml, create an additional socket-binding entry:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="https-external" port="443"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
   ...

</socket-binding-group>

Take note of the new tag entry <socket-binding name="https-external" port="443"/>

3) Change the http-listener to redirect to https-external instead of https:

<http-listener name="default" socket-binding="http" redirect-socket="https-external" max-header-size=...

Where the change is redirect-socket="https-external"

4) Restart wildfly: sudo service wildfly start

After wildfly starts, check the console.log file for any error reports.

Thus, if your web.xml section ensures confidential transport:

....
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
...

Wildfly will redirect the requests on port 80 or 8080 directly to port 443 instead of 8443.

Obs: It is a good idea to make backup copies of your /etc/init.d/wildfly script and standalone.xml file configuration before making any changes to them.
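The following is an added example, not code from the question, the answer, or the WildFly project. It applies steps 2) and 3) of the answer to a standalone.xml with Python's ElementTree, refuses a listener or binding group that does not exist, and reports which listeners would need root because they bind a port below 1024. The sample document is constructed from the snippets above; the names `https-external`, `default` and `standard-sockets` come from the answer, and `bound_ports`, `listeners_needing_root` and `add_external_https_binding` are names chosen here.

```python
"""Apply the answer's standalone.xml changes and check the resulting bindings.

Added example, not code from the question, the answer, or the WildFly project.
Assumes the layout of the snippets in the answer: a socket-binding-group
"standard-sockets" and an undertow http-listener named "default".
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the answer's snippets (namespaces omitted,
# as in the answer; the helpers below still match namespaced elements).
SAMPLE_XML = """<server>
  <subsystem>
    <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="https"/>
      <https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>
    </server>
  </subsystem>
  <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
  </socket-binding-group>
</server>"""

_PORT_EXPR = re.compile(r"^\$\{[^:}]+:(\d+)\}$")  # e.g. ${jboss.https.port:8443}


def _local(tag):
    """Local name of a possibly namespaced tag: '{urn:...}foo' -> 'foo'."""
    return tag.rsplit("}", 1)[-1]


def _find(scope, local_name, **attrs):
    """First descendant whose local tag name and attributes match, else None."""
    for el in scope.iter():
        if _local(el.tag) == local_name and all(el.get(k) == v for k, v in attrs.items()):
            return el
    return None


def resolve_port(value):
    """Port attribute -> int: a literal, or the default part of ${prop:default}."""
    m = _PORT_EXPR.match(value.strip())
    return int(m.group(1)) if m else int(value)


def bound_ports(xml_text):
    """Map each undertow listener to the port it will actually bind.

    Only the listener's socket-binding counts: a redirect-socket is merely
    advertised in the redirect Location, never bound, which is why the
    answer's https-external binding on 443 needs no root. port-offset is
    ignored here.
    """
    root = ET.fromstring(xml_text)
    ports = {}
    for el in root.iter():
        if _local(el.tag) in ("http-listener", "https-listener", "ajp-listener"):
            binding = _find(root, "socket-binding", name=el.get("socket-binding"))
            if binding is None:
                raise ValueError(f"listener {el.get('name')!r} references an unknown socket-binding")
            ports[el.get("name")] = resolve_port(binding.get("port"))
    return ports


def listeners_needing_root(xml_text):
    """Listeners that bind a privileged port (< 1024) and so fail as a regular user."""
    return sorted(n for n, p in bound_ports(xml_text).items() if p < 1024)


def add_external_https_binding(xml_text, binding_name="https-external", port=443,
                               group="standard-sockets", listener="default"):
    """Steps 2) and 3) of the answer: add the binding, point the listener at it.

    Idempotent: an existing binding of that name is left alone. ElementTree
    re-serialises the file (comments are dropped, namespaced elements get
    ns0:-style prefixes), so review the diff before installing the result.
    """
    root = ET.fromstring(xml_text)
    sbg = _find(root, "socket-binding-group", name=group)
    if sbg is None:
        raise ValueError(f"no socket-binding-group named {group!r}")
    if _find(sbg, "socket-binding", name=binding_name) is None:
        ns = sbg.tag[: sbg.tag.index("}") + 1] if sbg.tag.startswith("{") else ""
        new = ET.Element(ns + "socket-binding", {"name": binding_name, "port": str(port)})
        https = _find(sbg, "socket-binding", name="https")  # keep it next to "https"
        children = list(sbg)
        idx = children.index(https) + 1 if https is not None else len(children)
        new.tail = https.tail if https is not None else "\n"
        sbg.insert(idx, new)
    http_listener = _find(root, "http-listener", name=listener)
    if http_listener is None:
        raise ValueError(f"no http-listener named {listener!r}")
    http_listener.set("redirect-socket", binding_name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # The question's approach: put 443 straight into the "https" binding.
    direct = SAMPLE_XML.replace("${jboss.https.port:8443}", "${jboss.https.port:443}")
    print("direct 443 needs root for:", listeners_needing_root(direct))
    # The answer's approach: separate advertised port from bound port.
    patched = add_external_https_binding(SAMPLE_XML)
    print(patched)
    print("external binding needs root for:", listeners_needing_root(patched))
```

Run it against a copy of standalone.xml, never the live file, and diff the output before installing it; the script only edits the two elements the answer names, but it does not preserve comments or the original namespace prefixes.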
