英文:
How to secure a Websocket. Apache Vhost or ServerEndpointConfig
问题
我有一个通过Apache2-Vhost托管的Tomcat9 Web服务器。
如何保护运行在Tomcat上的WebSocket?
- 它是否通过Apache Vhost上的Let's Encrypt/Certbot证书来保护?
- 它是否在Tomcat的WebSocket类的
javax.websocket.server.ServerEndpointConfig.Configurator中?
@Override
public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {
SSLContext sslContext = SSLContext.getInstance("TLS");
config.getUserProperties().put(Constants.SSL_CONTEXT_PROPERTY, sslContext);
config.getUserProperties().put(Constants.SSL_PROTOCOLS_PROPERTY, sslContext);
}
英文:
I have a Tomcat9 webserver hosted via Apache2-Vhost.
How do I secure a websocket running on tomcat?
- Is it over a Apache Vhost certificat from letsencrypt/certbot?
- Is it in the
javax.websocket.server.ServerEndpointConfig.Configuratorof the Tomcat's Websocket class?
@Override
public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {
SSLContext csslContext = SSLContext.getInstance("TLS");
config.getUserProperties().put(Constants.SSL_CONTEXT_PROPERTY, csslContext);
config.getUserProperties().put(Constants.SSL_PROTOCOLS_PROPERTY, csslContext);
}
答案1
得分: 2
Websocket连接始终通过HTTP(S)请求启动,然后升级到Websocket。因此,保护客户端与Web服务器(或反向代理)之间的连接与保护“常规”HTTP连接完全相同。
您不应该需要编写任何代码来实现这一点,因此您在问题中提到的示例#1,其中您修改握手,不是您需要考虑的事情。
您应该考虑类似示例#1的情况,从证书颁发机构(CA)获取证书,并将其安装到反向代理(httpd)中。
英文:
A Websocket connection is always started via an HTTP(S) request, upgraded to Websocket. So securing the connection between the client and the web server (or reverse proxy) is exactly the same as securing a "regular" HTTP connection.
You should never need to write any code for this, so your example #1 in your question where you are modifying the handshake isn't anything you need to consider.
You should be looking at something like #1 where you get a certificate from a Certificate Authority (CA) and install it into the reverse-proxy (httpd).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论