黑白格子

  • 首页
  • 所有文章
  • 文章分类
  • 关于页面
  • 友链

  • 搜索
随笔 脚本 Shell MAC IE SSL iptables 网络 k8s docker ubuntu web 镜像 Nginx Linux Windows cloud-init

linux下tomcat开通443端口

发表于 2020-07-03 | 分类于 Linux | 0 | 阅读次数 548

问题现象:

linux下 yum 方式安装 Tomcat 后配置https,定义端口为 443 后无法正常启动服务

1. 定义端口为默认的 8443 可以正常启动服务和监听端口:
root@centos7 ~ # vim /etc/tomcat/server.xml
    <Connector port="8443"
                    protocol="HTTP/1.1"
                    maxThreads="150"
                    SSLEnabled="true"
                    scheme="https"
                    secure="true"
                    clientAuth="false"
                    keystoreFile="/etc/tomcat/test.seekerhcl.cn.jks"
                    keystorePass="123456"
                    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
                    sslProtocol="TLS" />
root@centos7 ~ # rpm -q tomcat
tomcat-7.0.76-3.el7_4.noarch
root@centos7 ~ # systemctl start tomcat.service 
root@centos7 ~ # netstat -anpt | grep java
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      6168/java           
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      6168/java           
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      6168/java           
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      6168/java           
root@centos7 ~ # 
2. 定义 https 端口443 不可以正常监听对应端口:
root@centos7 ~ # vim /etc/tomcat/server.xml
    <Connector port="443"
                    protocol="HTTP/1.1"
                    maxThreads="150"
                    SSLEnabled="true"
                    scheme="https"
                    secure="true"
                    clientAuth="false"
                    keystoreFile="/etc/tomcat/test.seekerhcl.cn.jks"
                    keystorePass="123456"
                    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
                    sslProtocol="TLS" />
root@centos7 ~ # systemctl restart tomcat.service 
root@centos7 ~ # netstat -anpt | grep java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      49091/java          
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      49091/java          
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      49091/java         

问题分析:

查看日志文件发现以下错误,原来是权限问题,紧接着我们通过 ps 查看进程信息会发现程序用户是tomcat,因为 linux 下非 root

用户不能打开1024以下的端口,所以问题就比较清楚了

Caused by: java.net.BindException: Permission denied (Bind failed) :443

root@centos7 ~ # cat /var/log/tomcat/catalina.2018-04-07.log 
Apr 07, 2018 12:29:48 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.net.BindException: Permission denied (Bind failed) <null>:443
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        ... 13 more
Caused by: java.net.BindException: Permission denied (Bind failed)
        at java.net.PlainSocketImpl.socketBind(Native Method)
        at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
        at java.net.ServerSocket.bind(ServerSocket.java:375)
        at java.net.ServerSocket.<init>(ServerSocket.java:237)
        at java.net.ServerSocket.<init>(ServerSocket.java:181)
        at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:136)
        at sun.security.ssl.SSLServerSocketImpl.<init>(SSLServerSocketImpl.java:113)
        at sun.security.ssl.SSLServerSocketFactoryImpl.createServerSocket(SSLServerSocketFactoryImpl.java:87)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:256)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
root@centos7 ~ # ps aux | grep java
tomcat    3921  0.3  3.1 3585548 120932 ?      Ssl  00:29   0:02 /usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
root      5054  0.0  0.0 110376   896 pts/0    S+   00:40   0:00 grep --color=auto java

解决方案:

tomcat https 端口依旧监听在大于 1024 的端口上,使用 iptables 来做个转换,这样访问 https 时我们就不用手动在域名后面写端口号了
root@centos7 ~ # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
  • 本文作者: 黑白格子
  • 本文链接: https://www.clhuang.cn/?p=66
  • 版权声明: 本博客所有文章除特别声明外,均采用CC BY-NC-SA 4.0 许可协议。转载请注明出处!
# 随笔 # 脚本 # Shell # MAC # IE # SSL # iptables # 网络 # k8s # docker # ubuntu # web # 镜像 # Nginx # Linux # Windows # cloud-init
netstat查看服务端口监听在ipv6但是通过ipv4地址可正常访问
notepad++ 添加JSON格式化插件
黑白格子

黑白格子

54 日志
11 分类
17 标签
Creative Commons
0%
© 2021 黑白格子
主题 - NexT.Mist
网站已稳定运行:
陕ICP备16020191号