20211921 李楚涵 實踐八
一、生成金鑰
keytool -genkey -alias 別名 -keyalg RSA -keysize 2048 -validity 天數 -storetype PKCS12 -keypass 金鑰密碼 -storepass 系統訪問金鑰庫密碼 -dname "CN=通用名, OU=單位, O=組織名, L=BeiJing, ST=BeiJing, C=CN" -keystore D://test//檔名.jks
keytool -genkeypair -alias hik -keypass hik123456 -keyalg RSA -keysize 1024 -storepass hik123456 -validity 3650 -dname "CN=hik, OU=單位, O=hik, L=BeiJing, ST=XiAn, C=CN" -keystore D://aaa/hik.jks
二、配置檔案
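server:
  port: 8081
  ssl:
    enabled: true
    # Type of the store created by the keytool step above. NOTE(review): keytool on
    # JDK 9+ writes PKCS12 by default even when the file is named .jks; JKS loading of
    # such a file usually still works via the JDK's keystore compatibility mode, but
    # set this to PKCS12 if that is what was actually produced — confirm.
    key-store-type: JKS
    # NOTE(review): the store password sits in plaintext in the config file and matches
    # the -storepass given on the command line above. Prefer an externalised value,
    # e.g. key-store-password: ${KEY_STORE_PASSWORD}, so it is not committed with the app.
    key-store-password: hik123456
    # hik.jks must be on the classpath (src/main/resources) for this reference to resolve.
    key-store: classpath:hik.jks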
三、配置類
package com.hk.springdemo1.config;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
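@Configuration
public class HttpConnectorConfig {

    /** Port of the extra plain-HTTP connector. Requests arriving here are never served, only redirected. */
    private static final int HTTP_PORT = 80;

    /**
     * Port the CONFIDENTIAL constraint redirects clients to.
     * NOTE(review): this has to be the port that actually terminates TLS. The application itself
     * listens on server.port 8081 (section 2 of these notes), so 443 only works when something
     * else, such as the nginx server block further down, serves HTTPS on 443 — confirm.
     */
    private static final int HTTPS_REDIRECT_PORT = 443;

    /**
     * Creates the additional plain-HTTP connector Tomcat listens on next to the SSL one.
     *
     * @return a new, unstarted NIO HTTP/1.1 connector bound to {@value #HTTP_PORT} whose
     *         redirect port is {@value #HTTPS_REDIRECT_PORT}
     */
    public Connector initConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        // The original comment said 8080, but the code has always bound 80. Binding 80 needs
        // elevated privileges on most OSes — choose a high port if that is not intended.
        connector.setPort(HTTP_PORT);
        // secure=false makes request.isSecure() report false for this connector, which is what
        // lets the CONFIDENTIAL constraint below redirect instead of serving the request.
        connector.setSecure(false);
        // Where Tomcat sends clients when a constraint requires a secure channel.
        connector.setRedirectPort(HTTPS_REDIRECT_PORT);
        return connector;
    }

    /**
     * Tomcat factory bean that forces every path onto HTTPS and registers the HTTP connector.
     *
     * @return the factory Spring Boot uses to build the embedded Tomcat
     */
    @Bean
    public TomcatServletWebServerFactory servletContainerFactory() {
        TomcatServletWebServerFactory factory = new HttpsOnlyTomcatFactory();
        factory.addAdditionalTomcatConnectors(initConnector());
        return factory;
    }

    /**
     * Factory whose context carries a CONFIDENTIAL security constraint on every URL, so plain
     * HTTP requests are redirected to the connector's redirect port.
     * A static nested class (instead of the previous anonymous one) keeps no hidden reference
     * to the configuration instance.
     */
    private static final class HttpsOnlyTomcatFactory extends TomcatServletWebServerFactory {
        @Override
        protected void postProcessContext(Context context) {
            SecurityConstraint securityConstraint = new SecurityConstraint();
            // CONFIDENTIAL: the transport must be encrypted; non-secure requests are redirected.
            securityConstraint.setUserConstraint("CONFIDENTIAL");
            SecurityCollection collection = new SecurityCollection();
            // Apply the constraint to every URL of the application.
            collection.addPattern("/*");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        }
    }
}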
http://localhost:8085/query
nginx配置
生成證書
keytool -genkey -alias hikxian -keypass 123456 -keyalg RSA -keysize 1024 -validity 365 -keystore E:/keystore/hik.keystore -storepass 123456
匯出證書
keytool -export -alias hikxian -keystore E:/keystore/hik.keystore -storepass 123456 -rfc -file E:/keystore/hik.cer
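import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.util.Base64;
import java.util.Objects;

/**
 * Exports the private key of a keystore entry as PKCS#8 PEM, the form nginx's
 * {@code ssl_certificate_key} reads (the hik.key file referenced further down).
 *
 * Fixes relative to the original snippet: the END marker was printed before the Base64
 * body; the label said "RSA PRIVATE KEY" although {@link PrivateKey#getEncoded()} yields
 * PKCS#8 (label "PRIVATE KEY"); the internal {@code sun.misc.BASE64Encoder} is replaced by
 * {@link Base64}; the input stream is closed on every path; and failures are no longer
 * swallowed by an empty catch.
 *
 * NOTE(review): the keytool command above creates this entry with {@code -keysize 1024};
 * regenerate it with 2048 or larger before using the exported key for a real TLS endpoint.
 * The PEM output is a secret: write it straight to a file readable only by the nginx user
 * rather than leaving it in a terminal scrollback or log.
 */
public final class PrivateKeyPemExporter {

    private static final String PEM_HEADER = "-----BEGIN PRIVATE KEY-----";
    private static final String PEM_FOOTER = "-----END PRIVATE KEY-----";
    /** PEM bodies wrap at 64 columns with LF line endings; the MIME encoder does that for us. */
    private static final Base64.Encoder PEM_ENCODER =
        Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));

    private PrivateKeyPemExporter() {
    }

    /**
     * Renders a private key as a PKCS#8 PEM block.
     *
     * @param key the key to render; its {@code getFormat()} must be {@code "PKCS#8"}
     * @return header line, Base64 body wrapped at 64 columns, footer line, each LF-terminated
     * @throws IllegalArgumentException if the key has no encoding or is not in PKCS#8 form
     * @throws NullPointerException if {@code key} is null
     */
    public static String toPem(PrivateKey key) {
        Objects.requireNonNull(key, "key");
        byte[] der = key.getEncoded();
        // Guard the label at runtime instead of trusting it: "PRIVATE KEY" is only correct for PKCS#8.
        if (der == null || !"PKCS#8".equals(key.getFormat())) {
            throw new IllegalArgumentException(
                "key is not exportable as PKCS#8 PEM (format=" + key.getFormat() + ")");
        }
        return PEM_HEADER + "\n" + PEM_ENCODER.encodeToString(der) + "\n" + PEM_FOOTER + "\n";
    }

    /**
     * Loads a keystore from disk and exports the private key stored under {@code alias}.
     *
     * @param keystoreFile  path of the keystore file
     * @param keystoreType  keystore type passed to {@link KeyStore#getInstance(String)}, e.g. "JKS"
     * @param storePassword password protecting the store
     * @param alias         alias of the private-key entry
     * @param keyPassword   password protecting that entry
     * @return the key as PKCS#8 PEM, see {@link #toPem(PrivateKey)}
     * @throws IOException              if the file cannot be read or the store is corrupt
     * @throws GeneralSecurityException if the type is unknown, a password is wrong, or the
     *                                  alias holds no private key
     */
    public static String exportFromKeystore(Path keystoreFile, String keystoreType,
                                            char[] storePassword, String alias, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(keystoreType);
        // try-with-resources: the original FileInputStream leaked whenever load() threw.
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            ks.load(in, storePassword);
        }
        Key key = ks.getKey(alias, keyPassword);
        if (!(key instanceof PrivateKey)) {
            // getKey returns null for an unknown alias, or a SecretKey for symmetric entries.
            throw new KeyStoreException("no private key under alias " + alias);
        }
        return toPem((PrivateKey) key);
    }

    /**
     * Same inputs as the original snippet. The passwords are hard-coded only because the
     * exercise uses them on its command lines; read them from a prompt or environment otherwise.
     */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        System.out.print(exportFromKeystore(
            Paths.get("E:/keystore/hik.keystore"), "JKS",
            "123456".toCharArray(), "hikxian", "123456".toCharArray()));
    }
}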
將輸出的內容儲存到自己新建的 .key 檔案（可以先新建一個文字文件，再把副檔名改成 .key）
http {
include mime.types;
default_type application/octet-stream;
#access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
#gzip on;
server {
    # Plain-HTTP entry point: nothing is served here, every request is sent to the TLS server below.
    listen 8085;
    server_name localhost;
    # $server_name is "localhost", so clients land on https://localhost:443 (the ssl server block).
    return 301 https://$server_name$request_uri;
}
# HTTPS server
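server {
    listen 443 ssl;
    server_name localhost;

    # `ssl on;` dropped: it is obsolete since nginx 1.15 and `listen ... ssl` already enables TLS.
    # hik.cer is the -rfc (PEM) export from keytool above; hik.key is the PKCS#8 PEM produced by
    # the Java snippet. hik.key is unencrypted — keep it readable by the nginx user only.
    ssl_certificate E:/keystore/hik.cer;
    ssl_certificate_key E:/keystore/hik.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Pin modern protocol versions explicitly instead of relying on the build's default.
    # TLSv1.3 needs nginx built against OpenSSL 1.1.1+; drop it if your build is older.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the backend the client hop was TLS; it only sees plain http from nginx otherwise.
        proxy_set_header X-Forwarded-Proto $scheme;
        # API backend. NOTE(review): section 2 enables server.ssl on port 8081; if that
        # configuration is the one running, this must be https://localhost:8081 — confirm.
        proxy_pass http://localhost:8081;
    }
}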