[JAVA] Writing an authentication server #3 -- Building the IDP server

This is only a record of what was done; as a reference it is of very limited use.

Full link to this article: http://n.sfs.tw/11811

(Reposting is welcome; please respect the copyright and credit the source link.)
Last edited 2018-08-28 12:49:17
Posted 2017-09-25 21:08:28 by 張○○

Honestly, this is complicated and painful without the background; this article is just a record.

System

A CentOS 7 minimal install; the goal is to build an IDP server on it.

I. Basic installation

1. Install the base packages

# yum install vim ntpdate httpd mod_ssl wget

2. Set the locale, if needed (for example when Chinese text shows up as garbage). CentOS 7 reads the system locale from /etc/locale.conf; /etc/sysconfig/i18n is the CentOS 6 location and is ignored, and /usr/share/i18n/locales/zh_TW is a locale definition source rather than a settings file, so copying it there has no effect. Use localectl instead:

# localectl set-locale LANG=zh_TW.UTF-8

3. Install MongoDB and MariaDB

# vim /etc/yum.repos.d/mongodb-org-3.4.repo

with this content

[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc

# yum install -y mongodb-org policycoreutils-python &&  semanage port -a -t mongod_port_t -p tcp 27017
# yum install mariadb mariadb-server -y

II. Install Java

Download the Server JRE (v8u144) http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html
Server JRE (v8u181) http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html

Upload the tarball, then extract and move it (the archive unpacks to jdk1.8.0_144)

# tar zxvf server-jre-8u144-linux-x64.tar.gz

# mv  jdk1.8.0_144/ /opt/jdk8

III. Install WildFly

1. On the download page http://wildfly.org/downloads/ choose the TGZ and take the latest version (about 150 MB)

2. Extract

# tar zxvf wildfly-13.0.0.Final.tar.gz

# mv wildfly-13.0.0.Final/ /opt/wildfly

3. Configure the service

# cp /opt/wildfly/docs/contrib/scripts/init.d/wildfly.conf /etc/default
# vim /etc/default/wildfly.conf

with this content:

JAVA_HOME="/opt/jdk8"
JBOSS_HOME="/opt/wildfly"
JBOSS_USER=wildfly
JBOSS_MODE=standalone
JBOSS_CONFIG=standalone.xml
STARTUP_WAIT=60
SHUTDOWN_WAIT=60
JBOSS_CONSOLE_LOG="/var/log/wildfly/console.log"
# -b pins the public interface (8080/8443) to loopback; the management
# interface (9990) already defaults to 127.0.0.1 in standalone.xml.
# Nothing reaches WildFly from outside except through Apache in front.
JBOSS_OPTS="-b 127.0.0.1"

4. Startup script

# cp /opt/wildfly/docs/contrib/scripts/init.d/wildfly-init-redhat.sh /etc/init.d/wildfly

Edit /etc/init.d/wildfly and change the top of the script to:

# Source function library.
. /etc/init.d/functions

# Load Java configuration.
# add these lines
[ -r /etc/java/java.conf ] && . /etc/java/java.conf
export JAVA_HOME

NAME=$(basename ${0})
# comment out this line
# NAME=$(readlink -f ${0} | xargs basename)

# append .conf to the configuration file name

# Load wildfly init.d configuration.
if [ -z "$JBOSS_CONF" ]; then
        JBOSS_CONF="/etc/default/${NAME}.conf"
fi

# the rest is unchanged

# useradd -s /sbin/nologin wildfly
# chown -R wildfly:wildfly /opt/wildfly
# mkdir /var/log/wildfly
# chown -R wildfly:wildfly /var/log/wildfly

5. Set an alias and JAVA_HOME: add at the top of /etc/profile

alias vi='vim'

export JAVA_HOME="/opt/jdk8"
export PATH=$JAVA_HOME/bin:$PATH

6. Start WildFly for the first time

Reload systemd so it picks up the new init script

# systemctl daemon-reload

Enable at boot

# systemctl enable wildfly

Start

# systemctl start wildfly

7. Check that the service is up

# ss -ltn

Three LISTEN sockets should appear, all on 127.0.0.1 (8080/8443 are the public HTTP/HTTPS ports, 9990 is the management console). If any of them shows *:port or 0.0.0.0:port instead, WildFly is reachable from outside without going through Apache.

LISTEN      0      128  127.0.0.1:8080  *:*
LISTEN      0      128  127.0.0.1:8443  *:*
LISTEN      0      50   127.0.0.1:9990  *:*

IV. Firewall and SELinux

1. Firewall

# firewall-cmd --add-service=http --permanent
# firewall-cmd --add-service=https --permanent

Restart (firewall-cmd --reload also applies the permanent rules)

# service firewalld restart

2. SELinux

# setsebool -P httpd_can_network_relay on
# setsebool -P httpd_can_network_connect_db on
# setsebool -P httpd_can_network_connect on

httpd_can_network_relay is what lets mod_proxy reach WildFly on 127.0.0.1:8080, and it is the narrowest of the three. httpd_can_network_connect lets httpd open any outbound TCP connection, and httpd_can_network_connect_db only matters if Apache itself talks to a database; leave both off unless something actually fails.

3. Reserve the mod_cluster ports for future load balancing (23364/udp is the default advertise multicast port, 6666/tcp the default MCMP management port)

# semanage port -a -t http_port_t -p udp 23364
# semanage port -a -t http_port_t -p tcp 6666

4. Add the shared memory table directory

# mkdir /var/cache/mod_cluster
# chcon -v --type=httpd_cache_t /var/cache/mod_cluster
# chcon -v --user=system_u /var/cache/mod_cluster

Note that a label set with chcon does not survive a relabel (restorecon or a full filesystem relabel); to make it permanent, register the path with semanage fcontext and then run restorecon on it.

V. Configure Apache + mod_cluster

This setup puts Apache in front and proxies requests to WildFly behind it.

1. Download the JBoss .so files

Download page http://mod-cluster.jboss.org/mod_cluster/downloads/1-3-1-Final-bin

Download

# wget http://downloads.jboss.org/mod_cluster//1.3.1.Final/linux-x86_64/mod_cluster-1.3.1.Final-linux2-x64-so.tar.gz
# tar zxvf mod_cluster-1.3.1.Final-linux2-x64-so.tar.gz

# mv *.so /usr/lib64/httpd/modules/

On CentOS 7 /etc/httpd/modules is a symlink to /usr/lib64/httpd/modules, so the mv alone is enough (a second cp *.so /etc/httpd/modules/ would fail anyway, since the files have already been moved).

2. Load the modules

# vi /etc/httpd/conf.modules.d/02-modcluster.conf

Content

LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so

3. Disable the stock proxy balancer (mod_proxy_balancer and mod_proxy_cluster cannot be loaded together)

vi /etc/httpd/conf.modules.d/00-proxy.conf

Comment out this line

# LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

4. Set the ServerName in httpd.conf

vi /etc/httpd/conf/httpd.conf

ServerName oidc.boe.ttct.edu.tw

5. Add wildfly.conf

# cd /etc/httpd/conf.d/

# mv ssl.conf ssl.conf.bak

vi /etc/httpd/conf.d/wildfly.conf

MemManagerFile /var/cache/mod_cluster
#Listen 443 https
RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName oidc.xx.edu.tw
    <Directory "/var/www/html">
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

</VirtualHost>

Change ServerName oidc.xx.edu.tw to your own host name.

The last two (commented) lines would redirect HTTP to HTTPS; leave them commented out or delete them for now, because certbot adds its own redirect afterwards (see the certbot output below).

6. Start Apache

# systemctl enable httpd
# systemctl start httpd

VI. Get a free TLS certificate

Apply at https://letsencrypt.org/

First make sure Apache is running properly: open your site's address in a browser.

Install. certbot-apache lives in EPEL, so enable that repository in its own yum run before installing certbot (in a single combined command yum would not yet know about the package):

# yum install epel-release
# yum install certbot-apache
# certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): user@example.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?

-------------------------------------------------------------------------------
1: n.sfs.tw
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for n.sfs.tw
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/wildfly-le-ssl.conf
Deploying Certificate for n.sfs.tw to VirtualHost /etc/httpd/conf.d/wildfly-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/wildfly.conf to ssl vhost in /etc/httpd/conf.d/wildfly-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://n.sfs.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=n.sfs.tw
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/oidc.boe.ttct.edu.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/oidc.boe.ttct.edu.tw/privkey.pem
   Your cert will expire on 2017-12-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your wildfly.conf then gains these lines

RewriteEngine on
RewriteCond %{SERVER_NAME} =oidc.boe.ttct.edu.tw
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

and a new file wildfly-le-ssl.conf is created
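The certificate certbot just issued expires in 90 days (the transcript says 2017-12-25), so the part that matters in practice is renewal. The script below is an added example, not from the original post: it installs a cron job running certbot renew (which only renews inside the last 30 days and, via --deploy-hook, reloads httpd only when a certificate was actually replaced) and reads the days left straight from the PEM file so a failing renewal is noticed before it becomes an outage. The certificate path is the one certbot printed above; the cron file location, the deploy hook and the GNU date dependency are assumptions made here.

```shell
#!/bin/sh
# Renewal automation for the Let's Encrypt certificate issued above.
# Added example, not from the original post. LE_CERT is the path certbot
# printed; CRON_FILE and the deploy hook are choices made here.

LE_CERT=/etc/letsencrypt/live/oidc.boe.ttct.edu.tw/fullchain.pem
CRON_FILE=/etc/cron.d/certbot-renew

# install_renew_cron <cron file>
# Runs `certbot renew` twice a day, the cadence certbot's documentation
# recommends. Renewal is only attempted inside the last 30 days of the
# 90-day lifetime, and --deploy-hook reloads httpd only when a certificate
# was actually replaced, so the new chain is what Apache serves.
install_renew_cron() {
    cat > "$1" <<'EOF'
# m h dom mon dow user command
17 3,15 * * * root /usr/bin/certbot renew --quiet --deploy-hook "/bin/systemctl reload httpd"
EOF
    chmod 644 "$1"
}

# cert_days_left <pem>
# Days until notAfter, read from the certificate file itself (no network).
# Assumes GNU date for `date -d`.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# check_cert_age <pem> [warn_days]
# Non-zero if no more than warn_days (default 14) remain. 14 is well inside
# the 30-day window in which certbot should already have renewed, so a hit
# means renewal has been failing silently.
check_cert_age() {
    left=$(cert_days_left "$1")
    warn="${2:-14}"
    if [ "$left" -le "$warn" ]; then
        echo "WARN: $1 expires in $left days; run 'certbot renew --dry-run' to see why renewal fails"
        return 1
    fi
    return 0
}

# `sh le-renew.sh --install` writes the cron job; `sh le-renew.sh --check`
# reports the days left on the live certificate (exit 1 when too few).
case "${1:-}" in
    --install) install_renew_cron "$CRON_FILE" ;;
    --check)   check_cert_age "$LE_CERT" ;;
esac
```

Run `certbot renew --dry-run` once after installing the job to confirm the renewal path works without touching the real certificate. The tls-sni-01 challenge shown in the transcript has since been retired by Let's Encrypt; current certbot releases use http-01 on port 80, so keep the http firewall service open even after the HTTPS redirect is in place.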

VII. Point the proxy at WildFly

vi /etc/httpd/conf.d/wildfly-le-ssl.conf

Add the following inside the SSL virtual host. The original used the Apache 2.2 access directives (Order/Deny/Allow), and "Allow from ip ..." is not valid in either syntax; CentOS 7 ships Apache 2.4, so the 2.4 Require form is used here:

  ServerSignature Off
  ProxyPreserveHost On
  AllowEncodedSlashes NoDecode
  # mod_cluster manager page: shows and controls the backend nodes,
  # so only the admin network may reach it
  <Location /mcm>
     SetHandler mod_cluster-manager
     Require ip 211.75.194.240/29
  </Location>
  # everything else goes to WildFly on loopback
  <Location />
     ProxyPass "http://127.0.0.1:8080/"
     ProxyPassReverse "http://127.0.0.1:8080/"
     Require all granted
     CreateBalancers 0
  </Location>

The complete file (shown as a screenshot in the original) is certbot's generated SSL virtual host with the directives above added inside it.

Restart Apache and WildFly

# systemctl restart wildfly
# systemctl restart httpd
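The whole design rests on three settings that are easy to lose in a later edit: WildFly bound to loopback only (JBOSS_OPTS in III and the ss listing in III.7), mod_proxy_balancer left disabled (V.3), and the mod_cluster-manager handler restricted to the admin network (VII). The audit script below is an added example, not part of the original post; it checks all three against the live host. File paths are the ones the post uses, and the two ss listings embedded for the self-check are constructed.

```shell
#!/bin/sh
# Post-install audit for the Apache + WildFly front end set up above.
# Added example, not part of the original post. File paths are the ones
# the post uses; GOOD_SS and SAMPLE_SS are constructed `ss -ltn` listings.

WILDFLY_PORTS="8080 8443 9990"   # HTTP, HTTPS, management console

# check_listeners "<output of ss -ltn>"
# Flags any WildFly port reachable on a non-loopback address. With Apache
# as the only entry point, a backend port on *:, 0.0.0.0: or [::]: bypasses
# TLS and the /mcm restriction; 9990 would expose the management console.
check_listeners() {
    exposed=$(printf '%s\n' "$1" | awk -v ports="$WILDFLY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                                   # Local Address:Port
            port = addr; sub(/.*:/, "", port)           # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((port in want) && host != "127.0.0.1" && host != "[::1]") print addr
        }')
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED: WildFly port reachable on /'
        return 1
    fi
    return 0
}

# check_bind_opts /etc/default/wildfly.conf
# JBOSS_OPTS must carry -b 127.0.0.1 (the setting from section III).
check_bind_opts() {
    if grep -Eq '^JBOSS_OPTS=.*-b[ =]127\.0\.0\.1' "$1"; then
        return 0
    fi
    echo "RISK: $1 does not bind WildFly to 127.0.0.1 (JBOSS_OPTS)"
    return 1
}

# check_httpd <conf.modules.d dir> <ssl vhost file>
# 1. mod_proxy_balancer must stay commented out (conflicts with mod_proxy_cluster).
# 2. The mod_cluster-manager handler must sit behind an IP restriction.
check_httpd() {
    moddir="$1"; vhost="$2"; bad=0
    if grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+proxy_balancer_module' "$moddir"/*.conf; then
        echo "RISK: mod_proxy_balancer is still loaded from $moddir"
        bad=1
    fi
    if grep -q 'mod_cluster-manager' "$vhost" &&
       ! awk '/<Location \/mcm>/,/<\/Location>/' "$vhost" | grep -Eq 'Require ip|Allow from [0-9]'; then
        echo "RISK: mod_cluster-manager in $vhost is not restricted to an IP range"
        bad=1
    fi
    return $bad
}

# run_audit: check the live host; non-zero exit if anything was flagged.
run_audit() {
    rc=0
    check_bind_opts /etc/default/wildfly.conf || rc=1
    check_listeners "$(ss -ltn)" || rc=1
    check_httpd /etc/httpd/conf.modules.d /etc/httpd/conf.d/wildfly-le-ssl.conf || rc=1
    return $rc
}

# Constructed listings for a self-check: GOOD_SS is the expected state
# (Apache on *:80/*:443, WildFly on loopback); SAMPLE_SS has the management
# console mistakenly bound to all interfaces.
GOOD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80               *:*
LISTEN 0      128    *:443              *:*
LISTEN 0      128    127.0.0.1:8080     *:*
LISTEN 0      128    127.0.0.1:8443     *:*
LISTEN 0      50     127.0.0.1:9990     *:*'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80               *:*
LISTEN 0      128    127.0.0.1:8080     *:*
LISTEN 0      128    127.0.0.1:8443     *:*
LISTEN 0      50     *:9990             *:*'

# `sh audit.sh --live` audits this host; `sh audit.sh --self-check` runs the
# listener check on the constructed data (GOOD_SS passes, SAMPLE_SS fails).
case "${1:-}" in
    --live) run_audit ;;
    --self-check) check_listeners "$GOOD_SS" && ! check_listeners "$SAMPLE_SS" ;;
esac
```

One thing the script cannot see: because TLS terminates at Apache, WildFly receives plain HTTP on 127.0.0.1:8080. ProxyPreserveHost On gives the application the public host name, but if it also needs to know the scheme (for redirects or issuer URLs), set an X-Forwarded-Proto request header in the vhost and enable proxy-address-forwarding on WildFly's http-listener so Undertow honours the forwarded headers.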

Next article: building the application.
