Конфигурация Tomcat 9 для порта 443

Я работаю с Tomcat 9.0.16 на Debian 9.6. Запуск моего приложения через порт 8080 работает без проблем. Поэтому я уверен, что мое приложение не является проблемой.

Я пытаюсь настроить Tomcat для использования порта 443. У меня есть сертификат (не самоподписанный), и я считаю, что он у меня в правильном формате... PKCS12

Это мой соединитель из server.xml:

    <Connector port="443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostname="radar.bellhowell.net"
             protocols="TLSv1.3,TLSv1.2,TLSv1.1,TLSv1">
             <Certificate
                    certificateFile="/radar-certs/radar_certificate.p12"
                    certificateChainFile="/radar-certs/radar_chain.p12"
                    certificateKeyFile="/radar-certs/radar_bellhowell_net_key.pem"
                    certificateKeyPassword="YPbATR1iN28!8qT3"
                    type="RSA" />
    </SSLHostConfig>
</Connector>

У меня также есть эти разъемы в том же файле, который может или не может быть необходимым.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

Это один цикл запуска от catalina.out:

<6>Pausing ProtocolHandler ["http-apr-8080"]
<6>Pausing ProtocolHandler ["http-apr-80"]
<6>Pausing ProtocolHandler ["https-openssl-apr-443"]
<6>Stopping service [Catalina]
<6>Closing WebApplicationContext for namespace 'radar-servlet': startup date [Tue May 28 10:05:36 EDT 2019]; parent: Root WebApplicationContext
<6>Closing Root WebApplicationContext: startup date [Tue May 28 10:05:26 EDT 2019]; root of context hierarchy
<6>Shutting down ExecutorService 'myScheduler'
<6>Closing JPA EntityManagerFactory for persistence unit 'default'
<4>The web application [radar] registered the JDBC driver [org.postgresql.Driver] but failed to unregister it when the web application was stopped. To prevent a memory <4>The web application [radar] appears to have started a thread named [Tomcat JDBC Pool Cleaner[22756955:1559052328829]] but has failed to stop it. This is very likely  java.lang.Object.wait(Native Method)
 java.util.TimerThread.mainLoop(Timer.java:552)
 java.util.TimerThread.run(Timer.java:505)
<6>Stopping ProtocolHandler ["http-apr-8080"]
<6>Destroying ProtocolHandler ["http-apr-8080"]
<6>Stopping ProtocolHandler ["http-apr-80"]
<6>Destroying ProtocolHandler ["http-apr-80"]
<6>Stopping ProtocolHandler ["https-openssl-apr-443"]
<6>Destroying ProtocolHandler ["https-openssl-apr-443"]
<4>Problem with JAR file [/usr/share/tomcat9/lib/catalina-jmx-remote.jar], exists: [false], canRead: [false]
<4>Match [Server/Service/Connector/SSLHostConfig] failed to set property [hostname] to [radar.bellhowell.net]
<4>The protocol [TLSv1.2] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
<4>The protocol [TLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
<4>The protocol [TLSv1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
<6>Server version name:   Apache Tomcat/9.0.16 (Debian)
<6>Server built:          Feb 26 2019 08:17:32 UTC
<6>Server version number: 9.0.16.0
<6>OS Name:               Linux
<6>OS Version:            4.9.0-8-amd64
<6>Architecture:          amd64
<6>Java Home:             /usr/lib/jvm/java-8-openjdk-amd64/jre
<6>JVM Version:           1.8.0_212-8u212-b01-1~deb9u1-b01
<6>JVM Vendor:            Oracle Corporation
<6>CATALINA_BASE:         /usr/share/tomcat9-root
<6>CATALINA_HOME:         /usr/share/tomcat9
<6>Command line argument: -Djava.util.logging.config.file=/usr/share/tomcat9-root/conf/logging.properties
<6>Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
<6>Command line argument: -Djava.net.preferIPv4Stack=true
<6>Command line argument: -Djava.net.preferIPv4Addressess=true
<6>Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
<6>Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
<6>Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
<6>Command line argument: -Dignore.endorsed.dirs=
<6>Command line argument: -Dcatalina.base=/usr/share/tomcat9-root
<6>Command line argument: -Dcatalina.home=/usr/share/tomcat9
<6>Command line argument: -Djava.io.tmpdir=/usr/share/tomcat9-root/temp
<6>Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.7.0].
<6>APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
<6>APR/OpenSSL configuration: useAprConnector [true], useOpenSSL [true]
<6>OpenSSL successfully initialized [OpenSSL 1.1.0j  20 Nov 2018]
<6>Initializing ProtocolHandler ["http-apr-8080"]
<6>Initializing ProtocolHandler ["http-apr-80"]
<2>Failed to initialize component [Connector[HTTP/1.1-80]]
<2>org.apache.catalina.LifecycleException: Protocol handler initialization failed
<2>    at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
<2>    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
<2>    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
<2>    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
<2>    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
<2>    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
<2>    at org.apache.catalina.startup.Catalina.load(Catalina.java:589)
<2>    at org.apache.catalina.startup.Catalina.load(Catalina.java:612)
<2>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
<2>    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
<2>    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
<2>    at java.lang.reflect.Method.invoke(Method.java:498)
<2>    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
<2>    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
<2>Caused by: java.lang.Exception: Socket bind failed: [13] [Permission denied]
<2>    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:336)
<2>    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
<2>    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
<2>    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
<2>    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
<2>    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
<2>    ... 13 more
<2>
<6>The ["https-openssl-apr-443"] connector has been configured to support negotiation to [h2] via ALPN
<6>Initializing ProtocolHandler ["https-openssl-apr-443"]
<2>Failed to initialize component [Connector[HTTP/1.1-443]]
<2>org.apache.catalina.LifecycleException: Protocol handler initialization failed
<2>    at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
<2>    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
<2>    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
<2>    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
<2>    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
<2>    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
<2>    at org.apache.catalina.startup.Catalina.load(Catalina.java:589)
<2>    at org.apache.catalina.startup.Catalina.load(Catalina.java:612)
<2>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
<2>    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
<2>    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
<2>    at java.lang.reflect.Method.invoke(Method.java:498)
<2>    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
<2>    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
<2>Caused by: java.lang.Exception: Socket bind failed: [13] [Permission denied]
<2>    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:336)
<2>    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
<2>    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
<2>    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
<2>    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
<2>    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
<2>    ... 13 more
<2>
<6>Server initialization in [761] milliseconds
<6>Starting service [Catalina]
<6>Starting Servlet engine: [Apache Tomcat/9.0.16 (Debian)]
<2>Unable to create directory for deployment: [/usr/share/tomcat9/etc/Catalina/localhost]
<6>Deploying web application archive [/usr/share/tomcat9-root/webapps/radar.war]
<6>At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were fountime and JSP compilation time.
<6>Root WebApplicationContext: initialization started
<6>Refreshing Root WebApplicationContext: startup date [Tue May 28 10:23:59 EDT 2019]; root of context hierarchy
<6>Loading XML bean definitions from ServletContext resource [/WEB-INF/classes/main/resources/security-config.xml]
<6>You are running with Spring Security Core 5.0.3.RELEASE
<6>Spring Security 'config' module version is 5.0.3.RELEASE
<6>Expressions were enabled for method security but no SecurityExpressionHandler was configured. All hasPermision() expressions will evaluate to false.
<6>Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; se; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.context.r; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMeot bean: class [org.springframework.security.web.header.HeaderWriterFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidatnitMethodName=null; destroyMethodName=null, order = 500, Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCanty.config.http.HttpConfigurationBuilder$SecurityContextHolderAwareRequestFilterBeanFactory#0; factoryMethodName=getBean; initMethodName=null; destroyMethodName=null, orication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanNam=null, order = 2100, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; depenull; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2300, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0><6>Loading XML bean definitions from ServletContext resource [/WEB-INF/classes/main/resources/applicationContext.xml]
<6>Building JPA container EntityManagerFactory for persistence unit 'default'
<6>Initialized JPA EntityManagerFactory for persistence unit 'default'
<6>Creating filter chain: Ant [pattern='/rest/user/authenticate'], []
<6>Creating filter chain: Ant [pattern='/rest/user/reset'], []
[DEBUG] 2019-05-28 10:24:08.359 [main] JwtAuthenticationFilter - constructor called
<6>Creating filter chain: Ant [pattern='/rest/**'], [org.springframework.security.web.context.SecurityContextPersistenceFilter@3b8bb9a0, org.springframework.security.we.bh.radar.jwt.JwtAuthenticationFilter@2c80d2e0, org.springframework.security.web.header.HeaderWriterFilter@232cc375, org.springframework.security.web.servletapi.Security.web.authentication.AnonymousAuthenticationFilter@3b71b6b1, org.springframework.security.web.access.ExceptionTranslationFilter@4a3cc680, org.springframework.security.w<6>Initializing ExecutorService  'myScheduler'
[DEBUG] 2019-05-28 10:24:08.974 [main] JwtSecretProvider - These are the secrets:
[DEBUG] 2019-05-28 10:24:08.975 [main] JwtSecretProvider - HS256 FWbd7/awCYZnUZpz3+2t1hWz8cYjehxe/3DuAUEmkfM=
[DEBUG] 2019-05-28 10:24:08.975 [main] JwtSecretProvider - HS512 yru+6pv5trSFzVJPK+HZ3qUYCdNlJt4BWFGrjqhSGU3poR48pq3yQsmf6aMyaa3iOGGlDcsHmcjEgVCBcdboyQ==
[DEBUG] 2019-05-28 10:24:08.976 [main] JwtSecretProvider - HS384 vQF20hkaZ9HaoW0URF8jldQ7jE1DGDEuYrSP7Km9qiNsEUqrnHbYKnx3MbAXie0I
[DEBUG] 2019-05-28 10:24:09.494 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoEngagement@1da0ad22
[DEBUG] 2019-05-28 10:24:09.544 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoDeliverableTask@67534bfc
[DEBUG] 2019-05-28 10:24:09.566 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoDeliverablePhoto@561797fd
[DEBUG] 2019-05-28 10:24:09.582 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoIncident@289e504f
[DEBUG] 2019-05-28 10:24:09.599 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoIncidentPhoto@59c08dd4
[DEBUG] 2019-05-28 10:24:09.615 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoUser@6777bc90
[DEBUG] 2019-05-28 10:24:09.636 [main] DaoBase - constructor (), this = com.bh.radar.dao.DaoEmailAddress@7de9d7c7
[DEBUG] 2019-05-28 10:24:09.724 [myScheduler-1] UtilComplianceTask - compliance task fired
<6>Root WebApplicationContext: initialization completed in 9832 ms
<6>FrameworkServlet 'radar': initialization started
<6>Refreshing WebApplicationContext for namespace 'radar-servlet': startup date [Tue May 28 10:24:09 EDT 2019]; parent: Root WebApplicationContext
<6>Loading XML bean definitions from ServletContext resource [/WEB-INF/radar-servlet.xml]
<6>Mapped "{[/rest/deliverable/photo/add/{id}/{photoKey}],methods=[POST],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.Str.web.multipart.MultipartFile,int,short)
<6>Mapped "{[/rest/deliverable/photo/markNA/{id}/{photoKey}],methods=[POST],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.<6>Mapped "{[/rest/deliverable/photo/delete/{id}],methods=[DELETE],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> c<6>Mapped "{[/rest/deliverable/task/delete/{id}],methods=[DELETE],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> co<6>Mapped "{[/rest/engagement/retrieve],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.radar.e<6>Mapped "{[/rest/engagement/retrieve/{inStoreNum}],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> cing)
<6>Mapped "{[/rest/engagement/stores/retrieve],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.<6>Mapped "{[/rest/engagement/create],methods=[POST],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.radar.enper,java.lang.String)
<6>Mapped "{[/rest/engagement/update/{engagementId}],methods=[PUT],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.radar.bo.BoEngagementWrapper)
<6>Mapped "{[/rest/engagement/{id}/addReport],methods=[POST],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.b.multipart.MultipartFile,int)
<6>Mapped "{[/rest/engagement/emailDaily/{engagementId}],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.Strin<6>Mapped "{[/rest/engagement/emailFinal/{engagementId}],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.Strin<6>Mapped "{[/rest/engagement/uniqueStores],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.rad<6>Mapped "{[/rest/engagement/uniqueCityStates],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh<6>Mapped "{[/rest/incident/photo/add/{incidentFk}],methods=[POST],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> cipart.MultipartFile,int)
<6>Mapped "{[/rest/incident/photo/delete/{id}],methods=[DELETE],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.<6>Mapped "{[/rest/reports/byStore],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.radar.endpog.String)
<6>Mapped "{[/rest/reports/byCity],methods=[GET],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.String> com.bh.radar.endpoiString,java.lang.String)
<6>Mapped "{[/rest/user/authenticate],methods=[POST],consumes=[application/json],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.ar.bo.BoUser)
<6>Mapped "{[/rest/user/reset],methods=[POST],consumes=[application/json],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.lang.Ster)
<6>Mapped "{[/rest/user/register],methods=[POST],consumes=[application/json],produces=[application/json]}" onto public org.springframework.http.ResponseEntity<java.langUser)
<6>Looking for @ControllerAdvice: WebApplicationContext for namespace 'radar-servlet': startup date [Tue May 28 10:24:09 EDT 2019]; parent: Root WebApplicationContext
<6>Looking for @ControllerAdvice: WebApplicationContext for namespace 'radar-servlet': startup date [Tue May 28 10:24:09 EDT 2019]; parent: Root WebApplicationContext
<6>FrameworkServlet 'radar': initialization completed in 1417 ms
<6>Deployment of web application archive [/usr/share/tomcat9-root/webapps/radar.war] has finished in [16,289] ms
<6>Deploying web application directory [/usr/share/tomcat9-root/webapps/radarui]
<6>At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were fountime and JSP compilation time.
<6>Deployment of web application directory [/usr/share/tomcat9-root/webapps/radarui] has finished in [1,419] ms
<6>Starting ProtocolHandler ["http-apr-8080"]
<6>Server startup in [17,790] milliseconds

Я нашел здесь несколько постов в различных блогах, в которых упоминается, что я настраиваю Java для использования IPv4, поэтому вот мой сценарий setenv.sh:

# setup the environment for running tomcat

#update the LD_LIBRARY_PATH with the path to updated apr and libcatnative libraries
# export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/share/apr/lib"
export LD_LIBRARY_PATH='$LD_LIBRARY_PATH:/usr/local/apr/lib'

# force tomcat to use IPv4
export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addressess=true"

# set locations for tomcat components
export CATALINA_HOME="/usr/share/tomcat9"
export CATALINA_BASE="/usr/share/tomcat9-root"
export CATALINA_TMPDIR="/usr/share/tomcat9-root/temp"

# set the location of the catalina PID file for `catalina.sh`
# the user who will start tomcat must have write permissions for $CATALINA_BASE
export CATALINA_PID="$CATALINA_BASE/tomcat.pid"

Когда я писал этот вопрос, я заметил, что, несмотря на мой JAVA_OPTS в setenv.shмне кажется, что Tomcat, или, более конкретно, APR, все еще использует IPv6. Нужно ли перестраивать APR с тем же JAVA_OPTS, что и в setenv.sh?

Реальный вопрос, наверное, что я делаю не так? И какая дополнительная информация вам нужна от меня?

Обновление Если я вызываю catalina.sh запускается как root, я не получаю ошибки выше... Я сделал chown root:tomcat /etc/authbind/byport/443 а также chown root:tomcat /etc/authbind/byport/80 и попробовал снова как пользователь без полномочий root, который является членом группы tomcat и все еще получает ошибки.

Суть моего вопроса в том, что я специально пытаюсь настроить вещи так, чтобы я мог запустить tomcat от имени пользователя без полномочий root. Поскольку я не ставлю tomcat за другим сервером, я чувствую, что запуск от имени пользователя без полномочий root является важным шагом безопасности.

1 ответ

Благодарим @dave_thompson_085 за то, что я выбрал правильный путь!

  1. Как предполагает Дэйв, IPv6 не был моей проблемой.
  2. Я не уверен, что различие между PEM и PKCS12 имеет значение, так как я не внес никаких изменений и преодолел блокпост, вызвавший мой вопрос.
  3. Я запускаю Tomcat с помощью команды $CATALINA_HOME/bin/catalina.sh start меняя его на authbind --deep $CATALINA_HOME/bin/catalina.sh start избавил меня от проблем с инициализацией порта 443

Теперь я занимаюсь другими вопросами. Так что спасибо за помощь!

Другие вопросы по тегам