[OS]CentOS – AuctionPro

remark : Tomcat8 특정 아이피만 허용 To allow access only for the clients connecting from localhost:

Vim


<Valve className="org.apache.catalina.valves.RemoteAddrValve"
   allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

<Valve className="org.apache.catalina.valves.RemoteAddrValve"

allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

Vim


<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
   allow="10.0.0.0/8, 127.0.0.1, ::1"/>

<Valve className="org.apache.catalina.valves.RemoteCIDRValve"

allow="10.0.0.0/8, 127.0.0.1, ::1"/>

To allow unrestricted access for the clients connecting from localhost but for all other clients only to port 8443:

Vim


<Valve className="org.apache.catalina.valves.RemoteAddrValve"
   addConnectorPort="true"
   allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;8443"/>

<Valve className="org.apache.catalina.valves.RemoteAddrValve"

addConnectorPort="true"

allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;8443"/>

Vim


<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
   addConnectorPort="true"
   allow="127.0.0.1;\d*|::1;\d*|10.0.0.0/8;8443"/>

<Valve className="org.apache.catalina.valves.RemoteCIDRValve"

addConnectorPort="true"

allow="127.0.0.1;\d*|::1;\d*|10.0.0.0/8;8443"/>

Remark : SSL certificate 1. Install Let’s Encrypt client (Certbot)

Vim


# yum install epel-release
# yum install certbot python2-certbot-apache mod_ssl

# yum install epel-release

# yum install certbot python2-certbot-apache mod_ssl

2. Get an SSL Certificate

Vim


# sudo certbot --apache -d test.com -d www.test.com

Or

# sudo certbot --apache -d sub.test.com

# sudo certbot --apache -d test.com -d www.test.com

# sudo certbot --apache -d sub.test.com

Vim


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@domain.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/domain.com-le-ssl.conf

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): admin@domain.com

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: N

Starting new HTTPS connection (1): supporters.eff.org

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for domain.com

Waiting for verification...

Cleaning up challenges

Created an SSL vhost at /etc/httpd/conf.d/domain.com-le-ssl.conf

Deploying Certificate to VirtualHost /etc/httpd/conf.d/domain.com-le-ssl.conf

Vim


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

2.1 delete SSL (필요시)

Vim


# sudo certbot delete --cert-name example.com

# sudo certbot delete --cert-name example.com

3. check the newly created SSL certificate

Vim


# ls /etc/letsencrypt/live/domain.com/

cert.pem chain.pem fullchain.pem privkey.pem

# ls /etc/letsencrypt/live/domain.com/

cert.pem chain.pem fullchain.pem privkey.pem

Conform

[카테고리:] [OS]CentOS

Tomcat8 특정 아이피만 허용

Let’s Encrypt / open SSL/TLS

firewalld zone 추가

firewall 특정 아이피 막기

firewalld 방화벽