How to secure a Websocket. Apache Vhost or ServerEndpointConfig

Question

I have a Tomcat9 webserver hosted via Apache2-Vhost.

How do I secure a websocket running on tomcat?

  1. Is it over an Apache Vhost certificate from letsencrypt/certbot?
  2. Is it in the javax.websocket.server.ServerEndpointConfig.Configurator of the Tomcat's Websocket class?

    @Override
    public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {

      SSLContext csslContext = SSLContext.getInstance("TLS");

      config.getUserProperties().put(Constants.SSL_CONTEXT_PROPERTY, csslContext);
      config.getUserProperties().put(Constants.SSL_PROTOCOLS_PROPERTY, csslContext);
    }

Answer 1

Score: 2


A Websocket connection is always started via an HTTP(S) request, upgraded to Websocket. So securing the connection between the client and the web server (or reverse proxy) is exactly the same as securing a "regular" HTTP connection.

You should never need to write any code for this, so your example #1 in your question where you are modifying the handshake isn't anything you need to consider.

You should be looking at something like #1 where you get a certificate from a Certificate Authority (CA) and install it into the reverse-proxy (httpd).
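
A sketch of the reverse-proxy setup the answer describes, added here as an example and not part of the original question or answer. The host name `example.com`, the Tomcat connector address `127.0.0.1:8080` and the endpoint path `/app/ws` are assumptions; the certificate paths follow certbot's default `live/` layout for that assumed domain.

```apache
# Added example, not from the original post. Assumed names: example.com,
# Tomcat HTTP connector on 127.0.0.1:8080, WebSocket endpoint at /app/ws.
# Modules needed: a2enmod ssl proxy proxy_http proxy_wstunnel headers

# Port 80 only redirects, so clients are never left on http:// or ws://.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    # TLS terminates at httpd; the WebSocket upgrade rides on this HTTPS
    # connection, so no TLS code is needed in the Tomcat endpoint.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    Header always set Strict-Transport-Security "max-age=31536000"

    ProxyRequests Off
    ProxyPreserveHost On

    # The more specific WebSocket path must come before the catch-all.
    ProxyPass        /app/ws ws://127.0.0.1:8080/app/ws

    # All other requests are ordinary HTTP to Tomcat.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Clients then connect with `wss://example.com/app/ws`. The hop from httpd to Tomcat is unencrypted in this layout, so the Tomcat connector should listen only on the loopback address (for example `address="127.0.0.1"` on the `<Connector>`), leaving httpd as the only path in.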

huangapple
  • Posted on July 30, 2020, 01:01:09
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63158774.html