- package com.zhentao.utils;
- import org.apache.catalina.Context;
- import org.apache.catalina.connector.Connector;
- import org.apache.tomcat.util.descriptor.web.SecurityCollection;
- import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
- import org.springframework.beans.factory.annotation.Value;
- import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
- import org.springframework.boot.web.server.WebServerFactoryCustomizer;
- import org.springframework.context.annotation.Bean;
- import org.springframework.context.annotation.Configuration;
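@Configuration
public class WebServerConfig {

    /**
     * Port of Spring Boot's primary connector ({@code server.port}). Boot binds this port
     * itself; this class only hardens that connector rather than opening a second listener.
     */
    @Value("${server.port}")
    private int httpsPort;

    /** Plain-HTTP port whose only job is to redirect clients to {@link #httpsPort}. */
    @Value("${server.http.port:8080}")
    private int httpPort;

    /**
     * Keystore path handed to Tomcat as-is. NOTE(review): a {@code classpath:} prefix is not
     * resolved here (Boot resolves it only for its own SSL customizer) — confirm the property
     * holds a plain file path.
     */
    @Value("${server.ssl.key-store}")
    private String keyStore;

    /**
     * Keystore password. Kept as a String because the Tomcat setter takes one; the JVM cannot
     * scrub it, so never log it or include it in toString().
     */
    @Value("${server.ssl.key-store-password}")
    private String keyStorePassword;

    @Value("${server.ssl.key-alias}")
    private String keyAlias;

    /**
     * TLS versions the connector may negotiate, in Tomcat's protocol-list syntax ("+" adds a
     * version). This must go through {@code setSslEnabledProtocols}: {@code setSslProtocol}
     * names the JSSE SSLContext algorithm (e.g. "TLS") and does not restrict versions.
     */
    private static final String ENABLED_PROTOCOLS = "TLSv1.2+TLSv1.3";

    /** ECDHE-only AEAD suites: forward secrecy, no CBC padding, no RSA key transport. */
    private static final String CIPHERS =
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
          + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
          + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
          + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";

    /**
     * Wires the embedded Tomcat: HTTPS with a pinned TLS version/cipher policy on the primary
     * connector, a CONFIDENTIAL transport guarantee on every path, and a plain-HTTP connector
     * that exists only to redirect.
     *
     * <p>The previous revision registered an extra HTTPS connector on {@code server.port};
     * Boot's primary connector already listens there, so the second listener could not bind.
     * The primary connector is customised in place instead. Boot's own {@code server.ssl.*}
     * customisation runs before connector customizers, so the settings below take precedence.
     *
     * @return the factory customizer Spring applies when building the web server
     */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> customizer() {
        return factory -> {
            factory.addConnectorCustomizers(this::configureHttps);
            factory.addContextCustomizers(WebServerConfig::requireConfidential);
            factory.addAdditionalTomcatConnectors(httpRedirectConnector());
        };
    }

    /**
     * Turns the primary connector into an HTTPS listener with the pinned TLS policy.
     *
     * @param connector Boot's primary connector, already bound to {@code server.port}
     * @throws IllegalStateException if the connector is not HTTP/1.1 NIO; failing loudly is
     *         deliberate — silently skipping would leave {@code server.port} serving plain HTTP
     */
    private void configureHttps(Connector connector) {
        connector.setSecure(true);
        connector.setScheme("https");
        if (!(connector.getProtocolHandler() instanceof org.apache.coyote.http11.Http11NioProtocol)) {
            throw new IllegalStateException("Expected Http11NioProtocol on the primary connector, got "
                    + connector.getProtocolHandler().getClass().getName());
        }
        org.apache.coyote.http11.Http11NioProtocol protocol =
                (org.apache.coyote.http11.Http11NioProtocol) connector.getProtocolHandler();
        protocol.setSSLEnabled(true);
        // Per-connector keystore setters as on Tomcat 9 / Boot 2.x; Tomcat 10.1 moved these
        // to SSLHostConfig — confirm the target version if this stops compiling.
        protocol.setKeystoreFile(keyStore);
        protocol.setKeystorePass(keyStorePassword);
        protocol.setKeyAlias(keyAlias);
        // Version restriction belongs on the enabled-protocol list, not the SSLContext name.
        protocol.setSslEnabledProtocols(ENABLED_PROTOCOLS);
        protocol.setCiphers(CIPHERS);
    }

    /**
     * Builds the plain-HTTP connector. It carries no TLS; Tomcat answers requests on it with a
     * redirect to {@link #httpsPort} because of the CONFIDENTIAL constraint.
     *
     * @return an unsecured connector on {@link #httpPort} whose redirect port is {@link #httpsPort}
     */
    private Connector httpRedirectConnector() {
        Connector http = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        http.setPort(httpPort);
        http.setSecure(false);
        http.setScheme("http");
        http.setRedirectPort(httpsPort);
        return http;
    }

    /**
     * Requires a confidential transport for every path, so plain-HTTP requests are redirected
     * to the connector's redirect port. This only redirects: the first request (URL, headers,
     * cookies) has already crossed the wire in clear, so pair it with an HSTS response header
     * if one is not set elsewhere.
     *
     * @param context the Tomcat context Boot builds for this application
     */
    private static void requireConfidential(Context context) {
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.setUserConstraint("CONFIDENTIAL");
        SecurityCollection everyPath = new SecurityCollection();
        everyPath.addPattern("/*");
        constraint.addCollection(everyPath);
        context.addConstraint(constraint);
    }
}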