§Configuring HTTPS
Play can be configured to serve HTTPS. To enable it, tell Play which port to listen on using the https.port system property. For example:
./start -Dhttps.port=9443
§SSL Certificates
§SSL Certificates from a keystore
By default, Play generates a self-signed certificate for itself. That is fine for development, but clients will not trust it, so it is not suitable for serving a website. Play uses Java keystores to configure SSL certificates and keys.
Signing authorities often provide instructions on how to create a Java keystore (typically with reference to Tomcat configuration). The official Oracle documentation describes how to generate keystores using the JDK keytool utility. There is also an example in the Generating X.509 Certificates section.
Once you have a keystore, the following system properties configure Play to use it:
- https.keyStore - The path to the keystore containing the private key and certificate. If this property is not set, Play generates a keystore (with a self-signed certificate) itself.
- https.keyStoreType - The keystore type. Defaults to JKS.
- https.keyStorePassword - The keystore password. Defaults to an empty password.
- https.keyStoreAlgorithm - The key manager algorithm used to read the keystore. Defaults to the platform's default algorithm.
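A wrong keystore path, type or password, or a keystore holding only a self-signed or expired certificate, otherwise only shows up when Play starts or when the first browser connects. The following pre-flight check is an added example, not Play code: it reads the same https.keyStore, https.keyStoreType, https.keyStorePassword and https.keyStoreAlgorithm properties Play reads, loads the keystore the way JSSE will (through a KeyManagerFactory) and reports the problems that most often break a production deployment. The class name KeyStoreCheck and the example paths are assumptions for this illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Date;
import javax.net.ssl.KeyManagerFactory;

/**
 * Pre-flight check for the keystore Play will load through https.keyStore.
 * Added example, not Play code. Run it with exactly the -D flags you intend to
 * pass to ./start, so the same file, type, password and algorithm get tested:
 *
 *   java -Dhttps.keyStore=conf/server.jks -Dhttps.keyStorePassword=changeme KeyStoreCheck
 *
 * (The keystore itself can be created with the JDK keytool, e.g.
 *  keytool -genkeypair -alias play -keyalg RSA -keysize 2048 -keystore conf/server.jks
 *  followed by -certreq / -importcert for a CA-issued certificate.)
 */
public class KeyStoreCheck {

    public static void main(String[] args) throws Exception {
        // Same property names and defaults as the list above.
        String path = System.getProperty("https.keyStore");
        String type = System.getProperty("https.keyStoreType", "JKS");
        String password = System.getProperty("https.keyStorePassword", "");
        String algorithm = System.getProperty("https.keyStoreAlgorithm",
                KeyManagerFactory.getDefaultAlgorithm());
        if (path == null) {
            System.err.println("https.keyStore not set: Play would fall back to a generated self-signed certificate");
            System.exit(2);
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray()); // a wrong store password fails here
        }
        // Play hands the keystore to a KeyManagerFactory; doing the same catches an
        // unsupported algorithm or a key password that differs from the store password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ks, password.toCharArray());

        int problems = 0;
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) {
                continue; // trusted-certificate or secret-key entry: not usable for serving TLS
            }
            keyEntries++;
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("alias " + alias + ": chain length " + chain.length
                    + ", subject " + leaf.getSubjectX500Principal()
                    + ", expires " + leaf.getNotAfter());

            // A self-signed leaf is what Play would generate itself; browsers reject it.
            if (chain.length == 1
                    && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                System.out.println("  WARNING: self-signed certificate, not suitable for production");
                problems++;
            }
            // Expired or not yet valid.
            try {
                leaf.checkValidity(new Date());
            } catch (CertificateException e) {
                System.out.println("  ERROR: " + e.getMessage());
                problems++;
            }
            // Weak RSA key.
            if (leaf.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
                if (bits < 2048) {
                    System.out.println("  ERROR: RSA key is only " + bits + " bits");
                    problems++;
                }
            }
            // Intermediates must be present and in order: each certificate signed by the next.
            for (int i = 0; i + 1 < chain.length; i++) {
                try {
                    chain[i].verify(chain[i + 1].getPublicKey());
                } catch (Exception e) {
                    System.out.println("  ERROR: chain[" + i + "] is not signed by chain[" + (i + 1) + "]");
                    problems++;
                }
            }
        }
        if (keyEntries == 0) {
            System.out.println("ERROR: no private-key entry in " + path + "; Play cannot serve TLS from it");
            problems++;
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

A non-zero exit status means Play would either fail to start or serve a certificate clients reject; a missing intermediate in particular passes keytool's own listing but fails the chain check here and in browsers.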
§SSL Certificates from a custom SSL Engine
Another way to configure the SSL certificates is to provide a custom SSLEngine. This is also useful where a customized SSLEngine is required, such as for client (mutual TLS) authentication.
§in Java, an implementation must be provided for play.server.SSLEngineProvider
```java
import play.server.ApplicationProvider;
import play.server.SSLEngineProvider;
import javax.net.ssl.*;
import java.security.NoSuchAlgorithmException;

public class CustomSSLEngineProvider implements SSLEngineProvider {

    private ApplicationProvider applicationProvider;

    // Play instantiates the provider with the ApplicationProvider, which gives
    // access to the running application (e.g. its configuration).
    public CustomSSLEngineProvider(ApplicationProvider applicationProvider) {
        this.applicationProvider = applicationProvider;
    }

    @Override
    public SSLEngine createSSLEngine() {
        try {
            // change it to your custom implementation
            return SSLContext.getDefault().createSSLEngine();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }
}
```
§in Scala, an implementation must be provided for play.server.api.SSLEngineProvider
```scala
import javax.net.ssl._
import play.core.ApplicationProvider
import play.server.api._

class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {

  override def createSSLEngine(): SSLEngine = {
    // change it to your custom implementation
    SSLContext.getDefault.createSSLEngine
  }
}
```
Having created an implementation of play.server.SSLEngineProvider or play.server.api.SSLEngineProvider, the following system property configures Play to use it:
- play.http.sslengineprovider - The fully qualified name of the class implementing play.server.SSLEngineProvider or play.server.api.SSLEngineProvider.
Example:
./start -Dhttps.port=9443 -Dplay.http.sslengineprovider=mypackage.CustomSSLEngineProvider
§Disabling HTTP
If you want to disable binding to the HTTP port, set the http.port system property to disabled, like so:
./start -Dhttp.port=disabled -Dhttps.port=9443 -Dhttps.keyStore=/path/to/keystore -Dhttps.keyStorePassword=changeme
§Production usage of HTTPS
If Play is serving HTTPS in production, it should be running on JDK 1.8. JDK 1.8 adds a number of features that make JSSE feasible as a TLS termination layer. If you are not using JDK 1.8, putting a reverse proxy in front of Play gives better control over, and better security for, HTTPS.
If you intend to use Play as the TLS termination layer, please note the following settings:
- SSLParameters.setUseCipherSuitesOrder(true) - Makes the server's cipher suite preference order win over the client's (available from JDK 1.8).
- -Djdk.tls.ephemeralDHKeySize=2048 - Increases the key size used in an ephemeral DH key exchange.
- -Djdk.tls.rejectClientInitiatedRenegotiation=true - Rejects client-initiated renegotiation.
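The custom SSLEngine section above mentions client authentication, and the production list above names the engine-level setting (setUseCipherSuitesOrder) and the two JVM flags. The following provider is an added example, not Play's code, that does both: it implements the Java play.server.SSLEngineProvider API shown above, requires a client certificate chaining to a CA in a trust store, restricts the protocol and cipher suites, and applies the server-side cipher suite ordering. The mtls.* property names, the class name and the file paths are assumptions for this example, not Play properties; the jdk.tls.* flags are read by JSSE at JVM startup, so they stay on the command line rather than in code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import play.server.ApplicationProvider;
import play.server.SSLEngineProvider;

/**
 * Added example, not Play's code. Assumed launch line (mtls.* names are this
 * example's own, not Play properties):
 *
 *   ./start -Dhttps.port=9443 -Dplay.http.sslengineprovider=mypackage.ClientAuthSSLEngineProvider \
 *           -Dmtls.keyStore=conf/server.jks -Dmtls.keyStorePassword=changeme \
 *           -Dmtls.trustStore=conf/client-ca.jks -Dmtls.trustStorePassword=changeit \
 *           -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true
 */
public class ClientAuthSSLEngineProvider implements SSLEngineProvider {

    // Strongest first; only suites the running JVM supports are actually enabled.
    private static final String[] PREFERRED_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    private final SSLContext sslContext;

    public ClientAuthSSLEngineProvider(ApplicationProvider applicationProvider) {
        try {
            // Server identity: private key plus certificate chain.
            String keyPassword = System.getProperty("mtls.keyStorePassword", "");
            KeyStore keyStore = load(System.getProperty("mtls.keyStore"), keyPassword);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword.toCharArray());

            // Client CA(s): every client certificate must chain to one of these.
            KeyStore trustStore = load(System.getProperty("mtls.trustStore"),
                    System.getProperty("mtls.trustStorePassword", ""));
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);

            // Built once; engines created from it share the session cache.
            sslContext = SSLContext.getInstance("TLS");
            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        } catch (Exception e) {
            throw new RuntimeException("Failed to build SSLContext for mutual TLS", e);
        }
    }

    @Override
    public SSLEngine createSSLEngine() {
        SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(false);

        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] { "TLSv1.2" });
        params.setCipherSuites(supported(engine, PREFERRED_SUITES));
        params.setUseCipherSuitesOrder(true);  // server order wins (JDK 1.8+), the setting listed above
        params.setNeedClientAuth(true);        // handshake fails unless a trusted client cert is presented
        engine.setSSLParameters(params);
        return engine;
    }

    private static String[] supported(SSLEngine engine, String[] wanted) {
        Set<String> available = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        List<String> result = new ArrayList<>();
        for (String suite : wanted) {
            if (available.contains(suite)) {
                result.add(suite);
            }
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("none of the preferred cipher suites is supported by this JVM");
        }
        return result.toArray(new String[0]);
    }

    private static KeyStore load(String path, String password) throws Exception {
        if (path == null) {
            throw new IllegalStateException("keystore path property not set");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
}
```

With setNeedClientAuth(true) every connection that does not present a certificate signed by a CA in the trust store is dropped during the handshake, so use it only on a port where all clients are expected to hold certificates; setWantClientAuth(true) instead lets a client connect without one and leaves the decision to the application. The trust store should contain only the client-issuing CA, not the JDK's default public CA bundle, otherwise any certificate from a public CA would satisfy the check.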
This translation of the documentation is not maintained by the Play team. If you find a mistake, the source of this page is available for review; please read the documentation guidelines and feel free to send a pull request.