
Tomcat installation & Let's Encrypt configuration


### Install Java

```sh
cd /home
tar -xf OpenJDK8U-jdk_x64_linux_hotspot_8u212b04.tar.gz
# temporary: only affects the current shell
export PATH=$PWD/jdk8u212-b04/bin:$PATH
java -version
```

Permanent setting: add the following to `/etc/profile` (`vi /etc/profile`):

```sh
JAVA_HOME=/home/jdk8u212-b04
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
export JAVA_HOME
export PATH
```

Log out and log back in for the change to take effect.

Verify the downloaded tarball against the published checksum (run in the directory holding the tarball; ideally do this before extracting it):

```sh
wget -O- -q -T 1 -t 1 https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u212-b04/OpenJDK8U-jdk_x64_linux_hotspot_8u212b04.tar.gz.sha256.txt | sha256sum -c
```

### Install Tomcat

```sh
# dedicated unprivileged account; no login shell
sudo groupadd tomcat
sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

cd /tmp
# the mirror is plain http: check the archive against the checksum/signature
# published on tomcat.apache.org before extracting it
curl -O http://apache.mirrors.pair.com/tomcat/tomcat-8/v8.5.42/bin/apache-tomcat-8.5.42.tar.gz
sudo mkdir /opt/tomcat
sudo tar xzvf apache-tomcat-8*tar.gz -C /opt/tomcat --strip-components=1

cd /opt/tomcat
# group can read conf, tomcat user owns only the directories it must write to
sudo chgrp -R tomcat /opt/tomcat
sudo chmod -R g+r conf
sudo chmod g+x conf
sudo chown -R tomcat webapps/ work/ temp/ logs/
```

Create the systemd unit and point it at the JDK installed above:

```sh
sudo nano /etc/systemd/system/tomcat.service
# in the unit file set: Environment=JAVA_HOME=/home/jdk8u212-b04
```

```sh
sudo systemctl daemon-reload
sudo systemctl start tomcat
sudo systemctl status tomcat

sudo ufw allow 8080

sudo systemctl enable tomcat
```

Tomcat should now be reachable on port 8080.

### Forward port 80 to port 8080

```sh
# ufw filters after NAT, so the "ufw allow 8080" rule above already covers redirected traffic
# nat rules are not persistent across reboots: save them or re-add them at boot
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp -o lo --dport 80 -j REDIRECT --to-ports 8080
```

After this the site can be reached without a port number. Forwarding 443 to 8443 later works the same way:

```sh
# remember to allow 8443 in ufw as well, for the same reason as 8080 above
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -I OUTPUT -p tcp -o lo --dport 443 -j REDIRECT --to-ports 8443
```

### Configure Let's Encrypt

```sh
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```

```sh
sudo certbot certonly --webroot
```

Two inputs are required here: the domain name and the path of Tomcat's ROOT webapp (certbot serves the challenge files from there):

```
www.xxx.com
/opt/tomcat/webapps/ROOT
```

Copy the issued files into Tomcat's conf directory and hand them to the tomcat user (chown the copies, not the symlinks in the live directory; privkey.pem must stay readable by the tomcat user only):

```sh
cd /etc/letsencrypt/live/www.xxx.com
cp cert.pem /opt/tomcat/conf
cp chain.pem /opt/tomcat/conf
cp privkey.pem /opt/tomcat/conf

chown tomcat:tomcat /opt/tomcat/conf/*.pem
```

Post-renewal hook, so every renewal is copied into Tomcat automatically (save as `/etc/letsencrypt/renewal-hooks/post/copy2tomcat.sh` and make it executable with `chmod +x`):

```sh
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/post/copy2tomcat.sh
set -e
cd /etc/letsencrypt/live/www.xxx.com
cp cert.pem /opt/tomcat/conf
cp chain.pem /opt/tomcat/conf
cp privkey.pem /opt/tomcat/conf

cd /opt/tomcat/conf
chown tomcat:tomcat *.pem

# Tomcat only reads the PEM files at startup
service tomcat restart
```

Once port 443 is forwarded to 8443 as well, the site can be accessed over https.
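The HTTPS connector that consumes the three PEM files is not shown on this page. As an added example (not from the original post), this is a Tomcat 8.5 NIO connector for `server.xml` that terminates TLS on 8443 with those files; relative paths resolve against `$CATALINA_BASE`, which is `/opt/tomcat` here, and the `protocols`/`honorCipherOrder` values are my own hardening choices, not the page's.

```xml
<!-- Added example: HTTPS connector on 8443 using the PEM files copied to /opt/tomcat/conf -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true">
    <!-- only TLS 1.2, server picks the cipher (assumed hardening, adjust to your clients) -->
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
        <!-- paths are relative to $CATALINA_BASE (/opt/tomcat) -->
        <Certificate certificateKeyFile="conf/privkey.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, check `logs/catalina.out` for the connector starting on 8443 before adding the 443 NAT rule.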

### Redirect HTTP to HTTPS

`server.xml`:

```xml
<!-- redirectPort is the public HTTPS port: 443 is NAT-forwarded to 8443 -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="443"/>
```

`web.xml` (before `</web-app>`):

```xml
<!-- Require HTTPS for everything except /img (favicon) and /css. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOrHTTP</web-resource-name>
        <url-pattern>*.ico</url-pattern>
        <url-pattern>/img/*</url-pattern>
        <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

P.S.: after editing, check the file ownership again; if it has become root-owned, fix it with `chown tomcat:tomcat web.xml`.

### Automatic certificate renewal (todo)