Contents
Project description
Setting up HTTPS on nginx
    Generating the certificate
    nginx configuration file
Setting up HTTPS on Tomcat
    Generating the certificate
    Tomcat configuration (all modules can share one certificate configuration)
Copying the JDK trust store
Changing the URLs the application calls through nginx
Restarting the applications
Corresponding vulnerability
User credentials are sent in clear text
Severity: Medium
Reported by module: /Crawler/12-Crawler_User_Credentials_Plain_Text.js
Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).
Project description
The webapp is split into several modules; the modules call each other through nginx and the sso module.
Setting up HTTPS on nginx
Generating the certificate
- Create the ssl directory
    cd $nginx_home
    mkdir ssl
    cd ssl
- Create the server private key (you will be prompted for a passphrase; remember it, here changeit), generate the RSA key and a CSR, then write an unencrypted copy of the key so nginx can load it without a passphrase prompt
    openssl genrsa -des3 -out server.key 2048
    openssl req -new -key server.key -out server.csr
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
- Sign the certificate with the key and CSR above; the following command produces a v1 certificate
    openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out servernew.crt
- Import the generated certificate into the Java trust store (key step)
    keytool -import -v -trustcacerts -alias nginx -file servernew.crt -keystore "$JAVA_HOME/jre/lib/security/cacerts"
    Enter password: changeit
nginx configuration file
- Enable HTTPS in the server block, and switch the proxied hop to https (the location block sits inside the same server block)
    server {
        listen 8026 ssl;
        server_name localhost;
        ssl_certificate /usr/local/nginx/ssl/servernew.crt;
        ssl_certificate_key /usr/local/nginx/ssl/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # forwarding changed from http:// to https://
        location /bp-sso {
            proxy_connect_timeout 300;
            proxy_send_timeout 300;
            proxy_read_timeout 300;
            proxy_pass https://bp-sso;
            proxy_set_header Host $host:8026;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
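The scanner finding comes down to two things the nginx block above must get right: the listener must be TLS and the proxied hop to the sso module must be https. The following Python checker is an added example, not code from the original post; it walks an nginx server block for those two conditions and also flags a missing ssl_protocols directive, which the page's configuration leaves to the nginx default. The BEFORE and AFTER configurations are constructed from the page's snippet.

```python
# Constructed sample: the page's server block before (plain HTTP) and after (HTTPS).
BEFORE = """
server {
    listen 8026;
    server_name localhost;
    location /bp-sso {
        proxy_pass http://bp-sso;
        proxy_set_header Host $host:8026;
    }
}
"""

AFTER = """
server {
    listen 8026 ssl;
    server_name localhost;
    ssl_certificate /usr/local/nginx/ssl/servernew.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location /bp-sso {
        proxy_pass https://bp-sso;  # upstream hop is encrypted too
        proxy_set_header Host $host:8026;
    }
}
"""

def directives(conf):
    """Yield (name, args) for each simple directive; comments and block braces are skipped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue
        name, *args = line.split()
        yield name, args

def cleartext_findings(conf):
    """List the spots where credentials could still travel unencrypted."""
    found = list(directives(conf))
    names = {n for n, _ in found}
    findings = []
    for name, args in found:
        if name == "listen" and "ssl" not in args:
            findings.append(f"listen {args[0]} accepts plain HTTP")
        elif name == "proxy_pass" and args and args[0].startswith("http://"):
            findings.append(f"proxy_pass {args[0]} forwards upstream in clear text")
    if any(n == "listen" and "ssl" in a for n, a in found):
        if not {"ssl_certificate", "ssl_certificate_key"} <= names:
            findings.append("ssl listener without ssl_certificate/ssl_certificate_key")
        if "ssl_protocols" not in names:
            findings.append("no ssl_protocols directive; TLS versions fall back to the nginx default")
    return findings
```

Run it against both samples: the plain-HTTP block yields the listener and proxy_pass findings, while the page's HTTPS block is clean apart from the ssl_protocols note.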
Setting up HTTPS on Tomcat
Generating the certificate
- Create the key directory
    cd $tomcat_home/conf
    mkdir key
    cd key
- Create the key pair and export the certificate
    keytool -genkey -v -alias tomcat -validity 3650 -keysize 2048 -keyalg RSA -keystore tomcat.keystore
    Password prompt: changeit
    keytool -export -alias tomcat -keystore tomcat.keystore -file server.crt
    Enter password: changeit
- Import the generated certificate into the Java trust store (key step)
    keytool -import -v -trustcacerts -alias tomcat -file server.crt -keystore "$JAVA_HOME/jre/lib/security/cacerts"
    Enter password: changeit
Tomcat configuration (all modules can share one certificate configuration)
- Comment out the original connector for the port
    <!--
    <Connector port="8285" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
- Change the 8443 port to the port originally in use, and add the HTTPS settings
    <Connector port="8285" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opthb/bin/apache-tomcat-8.0.44_sso/conf/key/tomcat.keystore"
               keystorePass="changeit"
               />
Copying the JDK trust store
Copy the updated cacerts to jssecacerts (JSSE looks for jssecacerts before falling back to cacerts)
    cd $JAVA_HOME/jre/lib/security
    cp cacerts jssecacerts
Changing the URLs the application calls through nginx
Every URL that the application calls through nginx must be changed to https, for example:
Restarting the applications
Once both nginx and Tomcat have been changed, restart all applications.