Doesn't work in Chrome when deployed to a server (consider switching to HTTPS) #21

Closed
yuu-nkjm opened this Issue Aug 22, 2016 · 6 comments

3 participants
@yuu-nkjm
Member

yuu-nkjm commented Aug 22, 2016

Let's Encrypt - Free SSL/TLS Certificates https://letsencrypt.org/

Using this, I was able to switch to HTTPS easily. It might be fine to assume that the server we deploy magcruise-citywalk-server to can communicate over HTTPS.

@ayakix

Contributor

ayakix commented Aug 22, 2016

Oh, I didn't know about that.

@yuu-nkjm

Member

yuu-nkjm commented Aug 22, 2016

@yuu-nkjm yuu-nkjm closed this Sep 12, 2016

@yuu-nkjm yuu-nkjm reopened this Sep 13, 2016

@yuu-nkjm

Member

yuu-nkjm commented Sep 13, 2016

It seems that when connecting over https you have to connect with wss, not ws. We need to look at the protocol of the current connection and route to wss for https and to ws for http. If we use apache as a proxy, we might also need two endpoints on the tomcat side.
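The routing described in this comment, as an added example that is not code from the issue or the project: derive the WebSocket URL from the page's own scheme so an https page gets wss and an http page gets ws; browsers such as Chrome refuse a ws:// connection opened from an https page as mixed content. The function name and the Location-like argument are assumptions; the endpoint path is the one used in this thread.

```javascript
// Added example (not from the original issue): build the WebSocket endpoint
// from the page's own location so that an https:// page uses wss:// and an
// http:// page uses ws://. Chrome blocks ws:// from an https page as mixed
// content, so hard-coding "ws://" breaks once the site is served over TLS
// behind the Apache proxy.
//
// The path "/magcruise-citywalk/websocket/activity" comes from the thread;
// the function name and the Location-like input object are assumptions.

function websocketUrlFor(loc, path) {
  // loc: an object with protocol, hostname and port (window.location works)
  let scheme;
  if (loc.protocol === "https:") {
    scheme = "wss:";
  } else if (loc.protocol === "http:") {
    scheme = "ws:";
  } else {
    // file://, about:blank, etc.: no usable origin for a WebSocket
    throw new Error(`unsupported page protocol: ${loc.protocol}`);
  }
  if (!path.startsWith("/")) {
    throw new Error("path must be absolute (start with '/')");
  }
  // Keep an explicit port (e.g. a dev server on 8080); default ports stay omitted.
  const port = loc.port ? `:${loc.port}` : "";
  return `${scheme}//${loc.hostname}${port}${path}`;
}

const ACTIVITY_PATH = "/magcruise-citywalk/websocket/activity";

// Typical browser use: the same code works unchanged over http and https.
if (typeof window !== "undefined" && window.location) {
  const socket = new WebSocket(websocketUrlFor(window.location, ACTIVITY_PATH));
  socket.addEventListener("open", () => console.log("connected:", socket.url));
}
```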

@takawitter

Member

takawitter commented Sep 13, 2016

You may already know this, but when using apache as the front end you need mod_proxy_wstunnel in addition to mod_proxy_ajp.

```apache
ProxyPass /app/ws ws://127.0.0.1:8080/app/ws
ProxyPassReverse /app/ws ws://127.0.0.1:8080/app/ws
ProxyPass /app ajp://127.0.0.1:8009/app
```

Something like that: in addition to the usual ajp settings, you need ProxyPass(Reverse) entries for the websocket.

yuu-nkjm added a commit that referenced this issue Sep 13, 2016

@yuu-nkjm

Member

yuu-nkjm commented Sep 13, 2016

@takawitter
Thank you! The settings in my environment look like this.

```apache
<IfModule mod_proxy_ajp.c>
  <Location /magcruise-citywalk>
    ProxyPass ajp://localhost:8009/magcruise-citywalk
    ProxyPassReverse ajp://localhost:8009/magcruise-citywalk
    Header set Access-Control-Allow-Origin "*"
    Require all granted
  </Location>
</IfModule>
<IfModule mod_proxy_wstunnel.c>
  <Location /magcruise-citywalk/websocket/>
    ProxyPass  ws://localhost:8080/magcruise-citywalk/websocket/
    ProxyPassReverse  ws://localhost:8080/magcruise-citywalk/websocket/
    Require all granted
  </Location>
</IfModule>
```

With this, both ws://wasedasai.magcruise.org/magcruise-citywalk/websocket/activity and wss://wasedasai.magcruise.org/magcruise-citywalk/websocket/activity connect; I wonder why. I went to the trouble of enabling SSL on Tomcat, but was that unnecessary? It was unnecessary, wasn't it...

I thought it had to be "accept HTTPS and proxy to wss, or accept HTTP and proxy to ws", but "accept HTTPS and proxy to ws, or accept HTTP and proxy to ws" was fine after all.

@yuu-nkjm

Member

yuu-nkjm commented Sep 13, 2016

Log of my sorrowful Tomcat SSL setup

SSL in Tomcat using a certificate obtained from Let's Encrypt

Obtain the intermediate certificate

https://letsencrypt.org/certificates/
Intermediate Certificates
Let's Encrypt Authority X3 (IdenTrust cross-signed): [txt] [pem] [der]

Download it and save it as root.pem

Copy the required files

Gather the required files in a suitable directory (here, certs).

```shell
mkdir certs
mv root.pem certs/
cp /etc/letsencrypt/live/game.magcruise.org/fullchain.pem certs/
cp /etc/letsencrypt/live/game.magcruise.org/privkey.pem certs/
```

Run c_rehash

```shell
c_rehash certs
```

Convert to pkcs12 format with the openssl command

```shell
cd certs
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out tomcat.p12 -name tomcat
# set a password of your choice
```

Convert to keystore format with the keytool command

```shell
keytool -importkeystore -srckeystore tomcat.p12 -destkeystore tomcat.keystore -srcstoretype PKCS12
# set a password of your choice
```

Save the resulting tomcat.keystore somewhere suitable

Modify server.xml

Add the following to `/etc/tomcat/server.xml`

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/tomcat.keystore" keystorePass="*******" />
```

After restarting tomcat, I could connect on localhost:8443.

@yuu-nkjm yuu-nkjm closed this Sep 13, 2016
