Tomcat 8.5 - HTTP2 是否需要 Certificate/SSL
Tomcat 8.5 - Is Certificate/SSL required for HTTP2
我找到 Http2Protocol 文档,它不支持 HTTPS?
Some protocols (e.g. HTTP/2) only support HTTP upgrade over non-secure connections.
这是一个打字错误,还是我在使用 Tomcat HTTP2 时 必须 使用 HTTP 而不是 HTTPS 还是我遗漏了什么?
因为我将UpgradeProtocol添加到
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
对于 HTTP 连接器:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"/>
并使用 -Xbootclasspath/p:/path/to/alpn-boot.jar
将相关的 alpn jar 添加到 JAVA_OPT
但是没有找到匹配的规则:
org.apache.tomcat.util.digester.Digester.endElement No rules found matching 'Server/Service/UpgradeProtocol'.
我也尝试添加到连接器 openssl implementation 但结果相同
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector
我必须对 HTTP2 使用 Certificate/SSL 吗?
加密是de facto mandatory使用http/2:
Although the standard itself does not require usage of encryption, all
major client implementations (Firefox, Chrome, Safari, Opera, IE,
Edge) have stated that they will only support HTTP/2 over TLS ...
所以你需要一个完全配置的 SSLHostConfig 和 Certificate 以便 运行 HTTP/2 通过 TLS。
这样的连接器可能适合您:
<Connector SSLEnabled="true" maxThreads="150" port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<SSLHostConfig certificateVerification="none"
sslProtocol="TLS">
<Certificate certificateKeyAlias="myKeyAlias"
certificateKeystoreFile="/path/to/my/keystore.jks"
certificateKeystorePassword="myPassword"
certificateKeystoreType="JKS">
</Certificate>
</SSLHostConfig>
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
如果要使用NIO2,请将protocol更改为org.apache.coyote.http11.Http11Nio2Protocol。
如果您想在没有 OpenSSL 的情况下使用 SSL,而是使用 java 实现 JSSE,请更改 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"(如果您的 JRE 提供)。
尽管浏览器不会在未加密的连接上升级到 http/2,但在技术上可以在没有 SSL 的 Apache Tomcat 上配置 http/2 连接器并使用它,例如使用 CURL - 手动执行 http/2 升级:
<Connector SSLEnabled="false" maxThreads="150" port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" secure="false">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>
CURL 调试输出:
$ curl http://localhost:8444 -v --http2
...
* Connected to localhost (::1) port 8444 (#0)
> GET / HTTP/1.1
> Host: localhost:8444
> User-Agent: curl/7.60.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
>
< HTTP/1.1 101
< Connection: Upgrade
< Upgrade: h2c
< Date: Mon, 28 Oct 2019 12:06:18 GMT
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Connection state changed (MAX_CONCURRENT_STREAMS == 200)!
< HTTP/2 200
< content-type: text/html;charset=UTF-8
< date: Mon, 28 Oct 2019 12:06:18 GMT
<
我找到 Http2Protocol 文档,它不支持 HTTPS?
Some protocols (e.g. HTTP/2) only support HTTP upgrade over non-secure connections.
这是一个打字错误,还是我在使用 Tomcat HTTP2 时 必须 使用 HTTP 而不是 HTTPS 还是我遗漏了什么?
因为我将UpgradeProtocol添加到
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
对于 HTTP 连接器:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"/>
并使用 -Xbootclasspath/p:/path/to/alpn-boot.jar
但是没有找到匹配的规则:
org.apache.tomcat.util.digester.Digester.endElement No rules found matching 'Server/Service/UpgradeProtocol'.
我也尝试添加到连接器 openssl implementation 但结果相同
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector
我必须对 HTTP2 使用 Certificate/SSL 吗?
加密是de facto mandatory使用http/2:
Although the standard itself does not require usage of encryption, all major client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS ...
所以你需要一个完全配置的 SSLHostConfig 和 Certificate 以便 运行 HTTP/2 通过 TLS。
这样的连接器可能适合您:
<Connector SSLEnabled="true" maxThreads="150" port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<SSLHostConfig certificateVerification="none"
sslProtocol="TLS">
<Certificate certificateKeyAlias="myKeyAlias"
certificateKeystoreFile="/path/to/my/keystore.jks"
certificateKeystorePassword="myPassword"
certificateKeystoreType="JKS">
</Certificate>
</SSLHostConfig>
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
如果要使用NIO2,请将protocol更改为org.apache.coyote.http11.Http11Nio2Protocol。
如果您想在没有 OpenSSL 的情况下使用 SSL,而是使用 java 实现 JSSE,请更改 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"(如果您的 JRE 提供)。
尽管浏览器不会在未加密的连接上升级到 http/2,但在技术上可以在没有 SSL 的 Apache Tomcat 上配置 http/2 连接器并使用它,例如使用 CURL - 手动执行 http/2 升级:
<Connector SSLEnabled="false" maxThreads="150" port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" secure="false">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>
CURL 调试输出:
$ curl http://localhost:8444 -v --http2
...
* Connected to localhost (::1) port 8444 (#0)
> GET / HTTP/1.1
> Host: localhost:8444
> User-Agent: curl/7.60.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
>
< HTTP/1.1 101
< Connection: Upgrade
< Upgrade: h2c
< Date: Mon, 28 Oct 2019 12:06:18 GMT
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Connection state changed (MAX_CONCURRENT_STREAMS == 200)!
< HTTP/2 200
< content-type: text/html;charset=UTF-8
< date: Mon, 28 Oct 2019 12:06:18 GMT
<