I. Brief introduction
Honestly, I didn't want to write this, but after my domain name was filed yesterday I spent a long time configuring HTTPS, and it really was urgent. There are so many misleading tutorials on CSDN that I took a lot of detours. While I still remember it, I'm recording it here; it may also be useful later. After writing this article I'll get back to revising, since I'm really one step away from being crushed by the competition.
II. Method
2.1 Tomcat method
This method is not recommended because the project code and configuration need to be modified. When I first failed to configure nginx forwarding I also tried this method. It works, but it is far less convenient than nginx, so why not use nginx forwarding? Still, this method may be useful in the future, so I'm recording it.
1. Apply for a certificate. You can generally apply for one free of charge where you bought the domain name. I applied in Alibaba cloud. For reference: if you buy an Alibaba cloud domain name, you can get a free DV single-domain certificate, which is valid for one year; you can apply again when it expires.
2. Download the Tomcat version of the certificate and copy the pfx file to the resources directory of the project.
3. Configure the application.yaml file:
server:
  ssl:
    enabled: true
    key-store-password: <the password found in pfx-password.txt>
    key-store-type: PKCS12
    key-store: classpath:<your .pfx file name>
4. Add the relevant configuration to the SpringBoot startup class:
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public ServletWebServerFactory servletContainer() {
    TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // Require a secure (HTTPS) connection for every URL pattern
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.setUserConstraint("CONFIDENTIAL");
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        }
    };
    // Plain HTTP connector that only exists to redirect to HTTPS
    tomcat.addAdditionalTomcatConnectors(httpConnector());
    return tomcat;
}

@Bean
public Connector httpConnector() {
    Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    connector.setScheme("http");
    // The port number of the http that the Connector listens on
    connector.setPort(8080);
    connector.setSecure(false);
    // After listening on the http port, redirect to the https port
    connector.setRedirectPort(443);
    return connector;
}
5. Try running your project on your server, because you may run into many port conflicts. Be pragmatic: use lsof -i:<port number> to find the conflicting process and kill it.
6. Go to your domain name resolution settings and configure the resolution. For Alibaba cloud, refer to the Alibaba cloud domain name resolution wizard.
7. Finally, just run the project again. But this method is still not recommended: it is inconvenient and there will be many inexplicable problems, so use nginx.
2.2 Nginx forwarding
Recommended method! As long as you don't follow the tutorials on CSDN.
1. Apply for a certificate. You can generally apply for one free of charge where you bought the domain name. I applied in Alibaba cloud: if you buy an Alibaba cloud domain name, you can get a free DV single-domain certificate, which is valid for one year; you can apply again when it expires.
2. Download the nginx version of the certificate, which includes the key and pem files.
3. Check whether the ssl module is compiled into your nginx. In the nginx/sbin directory (you may not see a sbin directory; that is not a problem, you can run the command with its full path), run nginx -V (with the directory: /usr/local/nginx/sbin/nginx -V, changed to your own directory).
If the configure arguments line shows --with-http_ssl_module, the module is installed correctly; skip to step 5. Otherwise you need to rebuild nginx with the module.
4. Enter your nginx source directory, that is, the directory where the compressed package was decompressed, and run ./configure --with-http_ssl_module. If you have no other custom settings for nginx, it is recommended to run make install directly to reinstall, which overwrites the original version and ensures there is no problem with the installation. Otherwise, run make (I haven't tried this... but CSDN says it's OK, why not try?). After installation, check again as in step 3 to make sure there is no problem.
5. Copy your pem and key files to the directory of nginx configuration file
6. Open the relevant ports in the Alibaba cloud network security group (for Alibaba cloud, refer to the Alibaba cloud port configuration guide) and allow them through the firewall (443, 80, and the port of your project).
# Firewall configuration process based on CentOS 7
# 1. Firewall status settings
firewall-cmd --state                                # Check the firewall status. For security, it is recommended to turn on the firewall
systemctl start firewalld.service                   # Turn on the firewall
systemctl enable firewalld.service                  # Set the firewall to start automatically. It is recommended to set it
systemctl is-enabled firewalld.service; echo $?     # Check whether the setting is successful: "enabled" and 0 are displayed on success
# 2. Open ports
firewall-cmd --zone=public --add-port=<port number>/tcp --permanent   # --permanent takes effect permanently; without it the rule is lost after a restart
firewall-cmd --zone=public --add-port=1000-2000/tcp --permanent       # Batch add 1000-2000
firewall-cmd --reload                               # Reload the firewall
firewall-cmd --list-ports                           # Check the opened ports, which should include 443, 80 and the project port
7. Configure the nginx configuration file. If you are not sure which configuration file is in use, run ps -ef | grep nginx; the path of the current configuration file is shown at the end of the output. The steps to modify the configuration file are as follows:
1. Comment out the default configuration; the whole server block needs to be commented out
# server {
#     listen 80;
#     ......
#     ......
# }
2. Add the https port listener
server {
    listen 443 ssl;
    server_name <your domain name>;
    ssl_certificate <your pem file address>;
    ssl_certificate_key <your key file address>;
    # The address can be a path relative to the configuration file. For example, if your file is in the same directory as conf, you can write the file name directly
    # It is best to use absolute paths
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://<ip of your server>:<the port of your project>;
        root html;
        index index.html index.htm;
    }
}
3. Add the port 80 listener and the forced redirect to https
server {
    listen 80;   # Domain name access is mapped to port 80 by default
    server_name <your domain name>;

    location / {
        proxy_pass http://<ip of your server>:<the port of your project>;
        index index.html index.htm;
        proxy_set_header Host $host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    rewrite ^(.*)$ https://<your domain name>:443/ permanent;
}
8. Restart nginx with nginx -s reload (with the directory: /usr/local/nginx/sbin/nginx -s reload, changed to your own directory as before).
9. Domain name resolution: configure two A records, www and @, with your server IP as the value. TTL does not need to be modified.
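Before the pem and key from steps 2 and 5 go live, it is worth checking that they actually belong together and how much of the one-year validity from step 1 is left: a mismatched pair makes nginx fail to reload, and an expired certificate makes browsers reject the site. The following shell script is an added example, not part of the original post; it relies only on the openssl command line, and the file names are whatever you pass as arguments.

```shell
#!/bin/sh
# Added example: verify that an nginx certificate (pem) and its private key
# match, and report how much validity remains. Uses only the openssl CLI.

# Returns 0 if the public key embedded in the certificate equals the public
# key derived from the private key, 1 otherwise (or if either file is unreadable).
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate is still valid DAYS days from now
# (default 0, i.e. not yet expired), 1 if it will have expired by then.
cert_valid_for_days() {
    cert="$1"; days="${2:-0}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Prints the notAfter date, handy for a renewal reminder.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Combined pre-flight check to run before nginx -s reload.
# Returns 1 on a hard error (mismatch or expired), 0 otherwise; warns when
# fewer than 30 days remain so the free DV certificate can be renewed in time.
check_nginx_cert() {
    cert="$1"; key="$2"
    if ! cert_key_match "$cert" "$key"; then
        echo "ERROR: $key does not belong to $cert" >&2; return 1
    fi
    if ! cert_valid_for_days "$cert" 0; then
        echo "ERROR: $cert has expired ($(cert_not_after "$cert"))" >&2; return 1
    fi
    if ! cert_valid_for_days "$cert" 30; then
        echo "WARNING: $cert expires within 30 days ($(cert_not_after "$cert"))" >&2
    fi
    echo "OK: $cert matches $key, valid until $(cert_not_after "$cert")"
}
```

Run it as check_nginx_cert /path/to/your.pem /path/to/your.key right before step 8; nginx -t is a second, independent check of the whole configuration file.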
III. Other
If you upgrade the website to https, please note that any links inside the website that still point to http:// will no longer work.