
  1. package com.zhentao.utils;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
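@Configuration
public class WebServerConfig {

    /** Fully-qualified protocol handler used for both connectors. */
    private static final String HTTP11_NIO = "org.apache.coyote.http11.Http11NioProtocol";

    /** Protocol versions offered on the HTTPS connector: TLS 1.2 and 1.3 only (Tomcat "+" list syntax). */
    private static final String ENABLED_PROTOCOLS = "TLSv1.2+TLSv1.3";

    /**
     * Cipher suites offered on the HTTPS connector. The three TLS 1.3 suites are listed
     * explicitly: JSSE only negotiates TLS 1.3 when at least one TLS 1.3 suite is enabled,
     * so a list holding only the TLS 1.2 ECDHE suites would cap every connection at 1.2.
     */
    private static final String CIPHERS =
            "TLS_AES_256_GCM_SHA384,"
            + "TLS_AES_128_GCM_SHA256,"
            + "TLS_CHACHA20_POLY1305_SHA256,"
            + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
            + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
            + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
            + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";

    /**
     * Port of the HTTPS connector, taken from {@code server.port}.
     * NOTE(review): when the {@code server.ssl.*} properties are set, Spring Boot already
     * configures its primary connector on this same port; adding a second connector here
     * looks like it would fail to bind — confirm against the application properties.
     */
    @Value("${server.port}")
    private int httpsPort;

    /** Port of the plain-HTTP connector that only redirects to HTTPS; defaults to 8080. */
    @Value("${server.http.port:8080}")
    private int httpPort;

    /** Key-store path passed to Tomcat as the certificate key-store file. */
    @Value("${server.ssl.key-store}")
    private String keyStore;

    // Held as a String because @Value cannot inject char[]; never log or expose this field.
    @Value("${server.ssl.key-store-password}")
    private String keyStorePassword;

    /** Alias of the server certificate inside the key store. */
    @Value("${server.ssl.key-alias}")
    private String keyAlias;

    /**
     * Registers an HTTPS connector on {@link #httpsPort}, marks every path CONFIDENTIAL,
     * and adds a plain-HTTP connector on {@link #httpPort} whose only job is to redirect
     * to the HTTPS port.
     *
     * @return the customizer applied to the embedded Tomcat factory
     * @throws IllegalStateException when the HTTP and HTTPS ports are configured identically
     *         (the redirect would target the plain connector and the second bind would fail)
     */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> customizer() {
        return factory -> {
            if (httpPort == httpsPort) {
                throw new IllegalStateException(
                        "server.http.port and server.port must differ, both are " + httpPort);
            }
            factory.addAdditionalTomcatConnectors(createHttpsConnector());
            factory.addContextCustomizers(WebServerConfig::requireConfidential);
            factory.addAdditionalTomcatConnectors(createHttpRedirectConnector());
        };
    }

    /**
     * Builds the TLS connector from the {@code server.ssl.*} key-store settings.
     *
     * @return a connector on {@link #httpsPort} limited to {@link #ENABLED_PROTOCOLS} and {@link #CIPHERS}
     */
    private Connector createHttpsConnector() {
        Connector connector = new Connector(HTTP11_NIO);
        connector.setPort(httpsPort);
        connector.setSecure(true);
        connector.setScheme("https");

        SSLHostConfig sslHostConfig = new SSLHostConfig();
        // "protocols" is the attribute that restricts negotiated versions. "sslProtocol" is the
        // algorithm name handed to SSLContext.getInstance, so putting "TLSv1.2+TLSv1.3" there
        // fails at connector start with NoSuchAlgorithmException instead of restricting anything.
        sslHostConfig.setProtocols(ENABLED_PROTOCOLS);
        sslHostConfig.setCiphers(CIPHERS);

        SSLHostConfigCertificate certificate =
                new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
        certificate.setCertificateKeystoreFile(keyStore);
        certificate.setCertificateKeystorePassword(keyStorePassword);
        certificate.setCertificateKeyAlias(keyAlias);
        sslHostConfig.addCertificate(certificate);

        connector.addSslHostConfig(sslHostConfig);
        ((Http11NioProtocol) connector.getProtocolHandler()).setSSLEnabled(true);
        return connector;
    }

    /**
     * Builds the plain-HTTP connector used only to bounce clients to HTTPS.
     *
     * @return a connector on {@link #httpPort} whose redirect port is {@link #httpsPort}
     */
    private Connector createHttpRedirectConnector() {
        Connector connector = new Connector(HTTP11_NIO);
        connector.setPort(httpPort);
        connector.setSecure(false);
        connector.setScheme("http");
        // Tomcat redirects to this port when the CONFIDENTIAL constraint rejects a plain request.
        connector.setRedirectPort(httpsPort);
        return connector;
    }

    /**
     * Marks every path ({@code /*}) CONFIDENTIAL so plain-HTTP requests are redirected
     * to the HTTPS connector rather than served.
     *
     * @param context the Tomcat context receiving the constraint
     */
    private static void requireConfidential(Context context) {
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.setUserConstraint("CONFIDENTIAL");
        SecurityCollection everything = new SecurityCollection();
        everything.addPattern("/*");
        constraint.addCollection(everything);
        context.addConstraint(constraint);
    }
}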