Configure linux3 and linux4 as Tomcat servers whose default home pages read "tomcatA" and "tomcatB" respectively. Change the listening ports in the configuration file so that each site is reached only by domain name, over HTTP on port 80 and HTTPS on port 443.

Install Tomcat

[root@linux3 ~]# yum install java-1.8.0-openjdk tomcat

Prepare the certificate Tomcat will use

Convert crt to pfx

[root@linux3 tls]# openssl pkcs12 -export -out skills.pfx -inkey skills.key -in skills.crt
Enter Export Password:
Verifying - Enter Export Password:
[root@linux3 tls]#

Convert pfx to jks (optional)

[root@linux3 tls]# keytool -importkeystore -srckeystore skills.pfx -srcstoretype PKCS12 -destkeystore skills.jks -deststoretype JKS
Importing keystore skills.pfx to skills.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore skills.jks -destkeystore skills.jks -deststoretype pkcs12".
[root@linux3 tls]#

Tomcat reads PKCS12 keystores directly and the server.xml below points at skills.pfx, so the JKS conversion is not actually needed; the keytool warning itself recommends staying with PKCS12. Whichever file is used, it contains the private key: keep it readable only by root and the account Tomcat runs as (for example mode 640), and treat server.xml the same way, because keystorePass is stored there in clear text.

Configure Tomcat

Change the user Tomcat runs as

Edit /lib/systemd/system/tomcat.service and change User to root, then run systemctl daemon-reload so systemd picks up the change.

Running Tomcat as root is needed here only because ports 80 and 443 are privileged; it also means that any bug in a deployed web application hands over the whole host. A package update can overwrite /lib/systemd/system/tomcat.service, so the durable place for the change is a drop-in created with systemctl edit tomcat, and the safer form of it is to keep User=tomcat and add AmbientCapabilities=CAP_NET_BIND_SERVICE (systemd 229 and later), which lets the service bind the low ports without root.

Edit /etc/tomcat/server.xml and, where the default Connector element is, replace the port 8080 Connector with the two below (if the 8080 Connector is left in place, Tomcat keeps listening on 8080 as well, which the task does not allow):

    <Connector port="80" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="/etc/pki/tls/skills.pfx"
            keystoreType="PKCS12"
            keystorePass="123456" />

redirectPort must name the port the HTTPS Connector actually uses (443 here, not the default 8443), otherwise redirects to a secure resource point at a closed port. keystoreType defaults to JKS, so it is set explicitly to PKCS12 to match the .pfx file.

Write the home page and test. The curl below only exercises the port 80 Connector; check the HTTPS Connector as well with curl -k https://linux3.skills.lan so that a wrong keystore path or password shows up before the reverse proxy is put in front.

[root@linux3 ~]# echo tomcatA > /usr/share/tomcat/webapps/ROOT/index.html
[root@linux3 ~]# curl 127.0.0.1
tomcatA
[root@linux3 ~]#

Repeat the same steps on linux4, with "tomcatB" as the home page content.
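The steps above are easy to get subtly wrong: the stock 8080 Connector is left next to the new ones, redirectPort still says 8443, or the .pfx is loaded with the default JKS keystore type. The following audit script is an added example, not code from the original page; it parses server.xml with the standard library and reports those mistakes, and it also checks that the shutdown listener stays on loopback. The three XML samples are constructed for the demonstration (the first one reproduces the page's Connectors as originally written).

```python
"""Audit a Tomcat server.xml against the lab requirement (added example).

Checks: only Connectors on 80 (HTTP) and 443 (TLS); the HTTP Connector's
redirectPort names a TLS Connector that exists; a .pfx/.p12 keystore is
declared as PKCS12 (Tomcat's default keystoreType is JKS); the shutdown
port (<Server port="8005">) is not bound to a network-facing address.
"""
import sys
import xml.etree.ElementTree as ET

EXPECTED_PORTS = {80, 443}  # ports the task allows; anything else is a finding


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit(root, expected_ports=EXPECTED_PORTS):
    """Return a list of findings for a parsed <Server> tree; [] means it passes."""
    findings = []
    connectors = {int(c.get("port")): c for c in root.iter("Connector")
                  if (c.get("port") or "").isdigit()}
    tls_ports = {p for p, c in connectors.items() if _is_true(c.get("SSLEnabled"))}

    # 1. Exactly the allowed ports: a leftover 8080 Connector is the usual slip.
    extra = sorted(set(connectors) - set(expected_ports))
    missing = sorted(set(expected_ports) - set(connectors))
    if extra:
        findings.append(f"unexpected connector port(s): {extra}")
    if missing:
        findings.append(f"no connector on required port(s): {missing}")

    # 2. Each plain-HTTP Connector must redirect to a TLS Connector that exists;
    #    otherwise security-constraint redirects point at a closed port.
    for port, c in connectors.items():
        if port in tls_ports:
            continue
        redirect = c.get("redirectPort")
        if redirect is None or not redirect.isdigit() or int(redirect) not in tls_ports:
            findings.append(f"connector {port}: redirectPort={redirect} "
                            "is not an SSLEnabled connector")

    # 3. TLS Connector sanity. Tomcat 7/8 keep the keystore attributes on the
    #    Connector; Tomcat 8.5+ also accepts <SSLHostConfig><Certificate .../>.
    for port in sorted(tls_ports):
        c = connectors[port]
        cert = c.find("SSLHostConfig/Certificate")
        cert_attr = cert.get if cert is not None else (lambda name: None)
        ks_file = c.get("keystoreFile") or cert_attr("certificateKeystoreFile") or ""
        ks_type = c.get("keystoreType") or cert_attr("certificateKeystoreType") or "JKS"
        if ks_file.lower().endswith((".pfx", ".p12")) and ks_type.upper() != "PKCS12":
            findings.append(f"connector {port}: {ks_file} is PKCS12 "
                            f"but keystoreType is {ks_type}")
        if c.get("scheme") != "https" or not _is_true(c.get("secure")):
            findings.append(f"connector {port}: SSLEnabled but scheme/secure "
                            "are not https/true")

    # 4. The shutdown listener must not face the network (Tomcat's default is localhost).
    server = root if root.tag == "Server" else root.find(".//Server")
    if server is not None and server.get("port", "-1") != "-1":
        addr = server.get("address", "localhost")
        if addr not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"shutdown port {server.get('port')} bound to {addr}")
    return findings


def audit_text(xml_text):
    """Audit server.xml passed as a string; the parser drops XML comments."""
    return audit(ET.fromstring(xml_text))


# Constructed sample: the page's two Connectors as first written, with the stock
# 8443 Connector left behind inside a comment (ignored, as Tomcat ignores it).
AS_ON_PAGE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <!-- <Connector port="8443" SSLEnabled="true" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/pki/tls/skills.pfx" keystorePass="123456" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" /></Engine>
  </Service>
</Server>
"""
# Same file with redirectPort and keystoreType corrected.
FIXED = AS_ON_PAGE.replace('redirectPort="8443"', 'redirectPort="443"').replace(
    'keystorePass="123456"', 'keystorePass="123456" keystoreType="PKCS12"')
# Corrected file, but with the stock 8080 Connector merely left in place.
LEFTOVER_8080 = FIXED.replace(
    '<Connector port="80" ',
    '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />\n    <Connector port="80" ')

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/tomcat/server.xml"
    problems = audit(ET.parse(path).getroot())
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it on each server after editing (python3 audit.py /etc/tomcat/server.xml); a non-zero exit means the file still violates the requirement. ElementTree discards comments, so a Connector that was commented out rather than removed is correctly not counted.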


nginx reverse proxy

Edit /etc/nginx/nginx.conf. TLS terminates at nginx here and the upstream entries, which default to port 80, are reached over plain HTTP; to forward to the Tomcat HTTPS Connectors instead, use proxy_pass https:// together with proxy_ssl_verify and proxy_ssl_trusted_certificate so the backend certificates are checked.

    upstream tomcat_server{
        server linux3.skills.lan;
        server linux4.skills.lan;
    }

    server {
        listen 443 ssl http2;
        server_name tomcat.skills.lan;
        # paths to the TLS certificate and private key
        ssl_certificate /etc/pki/tls/skills.crt;
        ssl_certificate_key /etc/pki/tls/skills.key;

        # other TLS settings: protocol versions, cipher suites, etc.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / {
            proxy_pass http://tomcat_server;
            proxy_set_header Host $host;
            # let Tomcat see the real client address and the original scheme,
            # otherwise its logs and any redirects it builds describe the proxy
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

Test. Two requests in a row hit the two backends in turn, which is the default round-robin of the upstream block. Note that -k disables certificate verification; to confirm the chain as a client would, pass the issuing CA certificate with --cacert instead.

[root@linux2 nginx]# curl https://tomcat.skills.lan -k
tomcatA
[root@linux2 nginx]# curl https://tomcat.skills.lan -k
tomcatB
[root@linux2 nginx]#