Tomcat summary

2025-01-16 Update From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/02 Report--

Java applications run inside a container; Tomcat is the container used to run Java web programs.

The latest version of Tomcat is 9.0.

Tomcat is not as good at serving static HTML as Nginx or Apache httpd.

Other Java containers include Resin, WebLogic, etc.

Tomcat is a free, open-source web application server. It is widely used for small and medium-sized systems with few concurrent users, and it is the first choice for developing and debugging JSP pages.

Tomcat official website: http://tomcat.apache.org/

General Java application architecture:

The PHP site built earlier had an nginx reverse proxy (lb01) in front, web servers running nginx plus PHP behind it, and the database behind those. With a Tomcat Java program the picture changes slightly: Tomcat is itself a server and can handle dynamic Java requests directly, so the chain becomes nginx reverse proxy, then Tomcat, then the database. Note that Tomcat is only suited to Java programs and JSP pages; it is not efficient at serving static requests. A Java site therefore needs proper separation of dynamic and static content: hand the dynamic requests to Tomcat and let nginx serve the static files itself. In this picture the JVM takes the place of PHP, and the JVM is in fact the core of Tomcat.

What is the JVM (Java Virtual Machine) and what does it do? A Java program runs inside this virtual machine rather than directly on the OS, so the same program runs on any system where a JVM environment has been prepared.

JDK (Java Development Kit): the toolkit and runtime environment for Java, and the prerequisite for the JVM and therefore for Tomcat.

Oracle JDK: Oracle's official, commercial build.

OpenJDK: the open-source build; on Linux, yum installs OpenJDK.

=

Environment preparation and Software selection

Clone 2 new hosts from the CentOS7 template:

Host 1: planned IPs 10.0.0.17 / 172.16.1.9, host name web03

Host 2: planned IPs 10.0.0.18 / 172.16.1.10, host name web04

Prepare lb01 (CentOS6); the nginx reverse proxy function is needed on it.

Download the related software packages: http://pan.baidu.com/s/1IpioA

Note: from an operations point of view the exact jdk and Tomcat versions make no difference; the installation methods are the same.

=

# deploy jdk

Open the web03 server

mkdir -p /server/tools/

cd /server/tools/

# upload the tomcat package and the jdk package to linux: jdk-8u60-linux-x64.tar.gz and apache-tomcat-8.0.27.tar.gz

# tomcat is one project of the Apache Foundation; "apache" is the foundation as a whole, with many projects, and its web server is called httpd

rz

ll -h

mkdir -p /application/

# -C extracts into the specified directory

tar xf jdk-8u60-linux-x64.tar.gz -C /application/

ls -l /application/

# be sure to create a soft link, otherwise the following steps will fail

ln -s /application/jdk1.8.0_60/ /application/jdk

# configure the Java-related environment variables in /etc/profile (Java needs more of them than most software). Put single quotes around the EOF delimiter: without them the shell expands the variables while writing the file, which is not wanted here.

cat >>/etc/profile<<'EOF'
…
EOF

source /etc/profile

# another problem: the software we unpacked came as tarballs downloaded from the Internet. Normally the files belong to root, but sometimes the owner shows up as a number, for example 10, meaning that the file's owner (uid 10) does not exist on this host. That can cause permission problems, so change the owner at the end.

ll /application/jdk/ /application/tomcat/

chown -R root.root /application/jdk/ /application/tomcat/

ll /application/jdk/ /application/tomcat/
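The deployment steps above as one script, added here as an example (not code from the original page). It includes the tomcat extraction and symlink the page implies, writes the profile lines with a quoted EOF as the page describes, and re-owns the tree; the variable names in the profile, the profile path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the deploy steps as one
# function. Assumed: the tarball names from the page, the /application
# layout, the variable names in the profile snippet, and a profile file
# path chosen by the caller (the page appends to /etc/profile itself).

deploy_java_stack() {
  tools=$1     # directory holding the two tarballs (page: /server/tools)
  prefix=$2    # install prefix (page: /application)
  profile=$3   # profile file to write (assumed, e.g. /etc/profile.d/java.sh)

  mkdir -p "$prefix"
  tar xf "$tools/jdk-8u60-linux-x64.tar.gz" -C "$prefix"
  tar xf "$tools/apache-tomcat-8.0.27.tar.gz" -C "$prefix"

  # version-independent names, so scripts and the profile never mention 8u60/8.0.27
  ln -sfn "$prefix/jdk1.8.0_60" "$prefix/jdk"
  ln -sfn "$prefix/apache-tomcat-8.0.27" "$prefix/tomcat"

  # tarballs built elsewhere carry the builder's uid (the page sees uid 10);
  # re-own to root so nothing is left writable by an unrelated local uid
  if [ "$(id -u)" = 0 ]; then
    chown -R root:root "$prefix/jdk/" "$prefix/tomcat/"
  fi

  # quoted 'EOF': the $VAR references are written literally and expanded
  # only when a login shell sources the file, which is what the page wants
  sed "s|@PREFIX@|$prefix|g" >"$profile" <<'EOF'
export JAVA_HOME=@PREFIX@/jdk
export TOMCAT_HOME=@PREFIX@/tomcat
export PATH=$JAVA_HOME/bin:$TOMCAT_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
EOF
}

# the check the page performs by eye with version.sh: the java binary and
# tomcat's version script are reachable through the symlinks
java_stack_ok() {
  prefix=$1
  [ -x "$prefix/jdk/bin/java" ] && [ -x "$prefix/tomcat/bin/version.sh" ]
}
```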

# check the tomcat version and related information: it shows tomcat version 8.0.27, the OS, and the JVM version (that is, the JDK version), which means the JDK and tomcat are deployed successfully

/application/tomcat/bin/version.sh

The information is displayed as follows:

Using CATALINA_BASE: /application/tomcat

Using CATALINA_HOME: /application/tomcat

Using CATALINA_TMPDIR: /application/tomcat/temp

Using JRE_HOME: /application/jdk

Using CLASSPATH: /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar

Server version: Apache Tomcat/8.0.27

Server built: Sep 28 2015 08:17:25 UTC

Server number: 8.0.27.0

OS Name: Linux

OS Version: 2.6.32-696.el6.x86_64

Architecture: amd64

JVM Version: 1.8.0_60-b27

JVM Vendor: Oracle Corporation

# sometimes tomcat starts and stops slowly; installing the rngd service (an entropy daemon that tops up the entropy pool) speeds it up

yum install rng-tools -y

# start the service

systemctl start rngd

systemctl enable rngd

# start and stop tomcat

/application/tomcat/bin/startup.sh

tail -f /application/tomcat/logs/catalina.out

# Note: use ss -lntup to look at the port, but grep for java, not tomcat: "ss -lntup | grep tomcat" finds nothing, because the listening process is java

# ps -ef | grep tomcat does find the tomcat process, but in general we just check for java

# the port it uses by default is 8080; there are several ports in all: 8080, 8009 and 8005

ss -lntup | grep java

# close tomcat. Note that tomcat is usually slow to close.

/application/tomcat/bin/shutdown.sh

# after shutdown, be sure to check both the port and the process. Only when both are gone is tomcat really closed; sometimes the port is gone but the process is still there, and if you start again there will be several tomcats and startup will fail.

ss -lntup | grep java

ps -ef | grep java

# start it again

/application/tomcat/bin/startup.sh

# in the startup log, look for the following

org.apache.catalina.startup.Catalina.start Server startup in 1244 ms indicates that your service is started; when reading the log, mainly look for the word "startup".

org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8080"] indicates that the service was shut down.

# start tomcat automatically at boot

chmod +x /etc/rc.d/rc.local

echo "/application/tomcat/bin/startup.sh" >>/etc/rc.d/rc.local

# when you open the following address in a browser, the tomcat lion cub page means the configuration succeeded

http://10.0.0.9:8080

PS:

# if the firewall is turned on, port 8080 may need to be added to the firewall

firewall-cmd --zone=public --add-port=8080/tcp --permanent

sudo firewall-cmd --reload

=

Description of Tomcat directory structure

├── bin # startup.sh shutdown.sh catalina.sh (Core)

├── conf # server.xml (main profile) tomcat-users.xml

├── lib

├── LICENSE

├── logs # log directory catalina.out tomcat real-time log

├── NOTICE

├── RELEASE-NOTES

├── RUNNING.txt

├── temp

├── webapps # site directory

└── work

cd /application/tomcat/

ll

tree -L 1

.

├── bin

├── conf

├── lib

├── LICENSE

├── logs

├── NOTICE

├── RELEASE-NOTES

├── RUNNING.txt

├── temp

├── webapps

└── work

Or

find . -maxdepth 1

.
./RELEASE-NOTES
./NOTICE
./RUNNING.txt
./temp
./bin
./lib
./conf
./LICENSE
./webapps
./work
./logs

# the bin directory contains tomcat's management commands; the main ones are startup.sh to start and shutdown.sh to stop. The .bat files are for Windows and the .sh files for Linux, so tomcat runs on both Linux and Windows.

# startup.sh and shutdown.sh both end up calling catalina.sh, which is tomcat's main script

ls bin/

bootstrap.jar configtest.bat setclasspath.sh tomcat-native.tar.gz
catalina.bat configtest.sh shutdown.bat tool-wrapper.bat
catalina.sh daemon.sh shutdown.sh tool-wrapper.sh
catalina-tasks.xml digest.bat startup.bat version.bat
commons-daemon.jar digest.sh startup.sh version.sh
commons-daemon-native.tar.gz setclasspath.bat tomcat-juli.jar

# conf is tomcat's configuration directory. The core main configuration file is server.xml, a bit like our nginx.conf; the others support it.

# tomcat-users.xml configures the web page used to manage and control tomcat; it will be configured later

# these configuration files are very important, and their permissions are all 600

ll conf/

total 212
-rw------- 1 root root 12374 Sep 28 2015 catalina.policy
-rw------- 1 root root 7106 Sep 28 2015 catalina.properties
-rw------- 1 root root 1577 Sep 28 2015 context.xml
-rw------- 1 root root 3387 Sep 28 2015 logging.properties
-rw------- 1 root root 6458 Sep 28 2015 server.xml
-rw------- 1 root root 1744 Sep 28 2015 tomcat-users.xml
-rw------- 1 root root 1846 Sep 28 2015 tomcat-users.xsd
-rw------- 1 root root 167302 Sep 28 2015 web.xml

# lib/ holds library files. If you want to add plug-ins or functions to tomcat, put them into lib

LICENSE, NOTICE and RUNNING.txt are text files you can ignore.

logs/ is the log directory. By default it is empty; catalina.out is tomcat's real-time log and the main one to read.

ll /application/tomcat/logs/

-rw-r--r-- 1 root root 35545 Nov 6 20:52 catalina.2019-11-06.log
-rw-r--r-- 1 root root 29444 Nov 6 20:52 catalina.out
-rw-r--r-- 1 root root 0 Nov 6 20:31 host-manager.2019-11-06.log
-rw-r--r-- 1 root root 1948 Nov 6 20:52 localhost.2019-11-06.log
-rw-r--r-- 1 root root 705 Nov 6 20:52 localhost_access_log.2019-11-06.txt
-rw-r--r-- 1 root root 0 Nov 6 20:31 manager.2019-11-06.log

The main log is catalina.out, which operators and developers read most often.

The content of catalina.2019-11-06.log and catalina.out is actually exactly the same:

cd /application/tomcat/logs/

/application/tomcat/bin/shutdown.sh

md5sum catalina.2019-11-06.log catalina.out

8317309f486c811f97229725c5d37a72 catalina.2019-11-06.log
8317309f486c811f97229725c5d37a72 catalina.out

Or

diff catalina.out catalina.2019-11-06.log

What's the difference between catalina.2019-11-06.log and catalina.out?

catalina.out is written to continuously; the file keeps growing until the disk is full.

catalina.2019-11-06.log is the rotated ("cut") log.

catalina.out records tomcat's real-time information.

catalina.out # records tomcat's running information in real time. The file grows and grows and should be emptied regularly. Rotation does not empty it (after the daily cut it keeps its content), so over time it becomes very large; empty it regularly, which is safe because the rotated log keeps the history.

catalina.YYYY-MM-DD.log # the daily rotated copy of catalina.out, named with the date, cut once a day

Access log per site

# host-manager manages our virtual hosts; this is its operation log, which records the actions performed by clicking in the tomcat web page

host-manager.YYYY-MM-DD.log

# the localhost logs are access logs

localhost_access_log.YYYY-MM-DD.txt

localhost.YYYY-MM-DD.log

# manager is also an operation log

manager.YYYY-MM-DD.log

Right now two of these logs are empty: host-manager and manager.

Both host-manager and manager are empty.

localhost_access_log is the access log.

localhost.YYYY-MM-DD.log has almost nothing in it.

# localhost.2019-11-06.log is a simple record of startup status: off, on, etc.

cat localhost.2019-11-06.log

temp/ holds temporary files.

webapps/ is the site directory, like the html directory of our nginx.

work/ is a working directory (tomcat keeps its compiled JSP output there).

=

Tomcat management function

What is the management function that tomcat-users.xml controls?

There are three buttons on the right side of the http://10.0.0.9:8080/ page:

Server Status: status

Manager App: application management

Host Manager: virtual host management

At first you cannot use these three buttons: clicking them brings up a dialog asking for a user name and password.

These three buttons are tomcat's management function. It is not meant to be open to the public; it is generally used only when testing. In a real production environment do not open it: it is too dangerous.

How to turn on this management function?

cd /application/tomcat/

# vim conf/tomcat-users.xml

# all of tomcat's configuration files are in this xml format. The first line declares the character set, version, etc., somewhat like the #!/bin/sh line of a shell script

# paste the role and user elements inside the file: the section begins with <tomcat-users> and must end with </tomcat-users>

sed -i.ori '38a …' /application/tomcat/conf/tomcat-users.xml

# the result looks like the following

# several rolename role names are specified, such as manager-gui, each equivalent to one function. username is the user name, password is the password, and roles says which functions the user belongs to

# they correspond to the pages behind the three buttons Server Status, Manager App and Host Manager

tail -5 /application/tomcat/conf/tomcat-users.xml
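One way to enable the manager GUI that is closer to something a production box could tolerate, added as an example (not code from the original page): the role and user elements the page describes are inserted just above </tomcat-users> instead of at a fixed line number, the password is generated rather than typed, the file stays at mode 600, and the Manager app is limited to listed client addresses with Tomcat's RemoteAddrValve. The user name and the allow pattern are chosen by the caller and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed: the CATALINA_HOME
# layout from the page, a caller-chosen user name and address pattern.

# 32 hex characters from the kernel RNG
gen_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# $1 = tomcat-users.xml, $2 = user name, $3 = password
add_manager_user() {
  f=$1; user=$2; pass=$3
  awk -v u="$user" -v p="$pass" '
    /<\/tomcat-users>/ {
      # manager-gui only: the GUI user needs no manager-script or jmx role
      print "  <role rolename=\"manager-gui\"/>"
      print "  <user username=\"" u "\" password=\"" p "\" roles=\"manager-gui\"/>"
    }
    { print }' "$f" >"$f.tmp" && mv "$f.tmp" "$f"
  chmod 600 "$f"   # the page: conf files are 600, the password is in clear text
}

# $1 = CATALINA_HOME, $2 = Java regex of client addresses allowed to use Manager
# (e.g. '127\.\d+\.\d+\.\d+|::1|10\.0\.0\.\d+' for localhost plus the lab net)
restrict_manager() {
  home=$1; allow=$2
  ctx=$home/webapps/manager/META-INF/context.xml
  mkdir -p "$(dirname "$ctx")"
  {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<Context antiResourceLocking="false" privileged="true">'
    printf '  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="%s"/>\n' "$allow"
    printf '%s\n' '</Context>'
  } >"$ctx"
}
```

After both changes restart tomcat as the page does; a client outside the allow pattern gets 403 from Manager before any password prompt.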

# after changing the configuration file, be sure to restart tomcat

/application/tomcat/bin/shutdown.sh

# check whether the port and process are still there

ss -lntup | grep java

ps -ef | grep java

/application/tomcat/bin/startup.sh

ss -lntup | grep java

ps -ef | grep java

# open http://10.0.0.9:8080/

# Click the Server Status button

Enter the tomcat account and password

Here we mainly look at the Server Information column:

tomcat version, JDK version, OS version, hostname, IP address, etc.

Below that is the JVM's internal information. Take a look at it; you do not need to know the JVM in that much depth.

# Click the Manager App button

Enter the tomcat account and password

What is the Applications list for? It shows your deployed applications, i.e. which directories are under webapps, such as /docs.

Deploy

"WAR file to deploy" lets you deploy here as well. We are not deploying wordpress (that is PHP); we deploy Java, which comes as WAR packages, compressed packages of the website program, and they can be uploaded here.

But this is all done through the web page, and we do not need to use it.

# Click the Host Manager button

Enter the tomcat account and password

Add Virtual Host: this manages virtual hosts. They are not usually managed here.

Note that the three functions above are relatively dangerous. In a real production environment they are not opened; that is all there is to it.

=

Deploy the jpress site (jpress is a blog system similar to wordpress)

Environment: web03 and db01; Linux, Tomcat, JDK, MySQL (MariaDB)

db01:

yum -y install mariadb-server

systemctl start mariadb.service

systemctl enable mariadb.service

mysql -uroot -poldboy123

create database jpress DEFAULT CHARACTER SET utf8;

show databases;

grant all on jpress.* to jpress@'localhost' identified by '123456';

select user,host from mysql.user;

flush privileges;

Press ctrl+d to leave the mysql prompt

# test whether web03 can connect to db01; web03 has no mysql command, so copy one from db01

[root@web03 tomcat]# mysql
-bash: mysql: command not found
[root@web03 tomcat]#

Enter commands on db01:

scp /application/mysql/bin/mysql 172.16.1.9:/bin/    # answer yes, then enter the root password of the other side

mysql -uroot -poldboy123

# allow the client user to connect remotely

grant all on jpress.* to 'jpress'@'172.16.1.0/255.255.255.0' identified by '123456';

select user,host from mysql.user;

Go back to web03:

which mysql

mysql --version

ping 10.0.0.51

mysql -ujpress -p123456 -h 172.16.1.51

ctrl+d leaves mysql

Prepare the program code:

# upload the program code to the webapps directory

cd /application/tomcat/webapps/

ll

# upload the jpress-web-newest.war file (a "war package", essentially a compressed archive) to webapps; tomcat unpacks an uploaded war package automatically

rz

ll

Switch to a new web03 window and see whether there are any unpacking logs:

tail -f /application/tomcat/logs/catalina.out

The following log appears:

12-Nov-2019 22:02:20.441 INFO [localhost-startStop-3] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /application/apache-tomcat-8.0.27/webapps/jpress-web-newest.war has finished in 5501 ms

Back in the old web03 window, ll shows that it has been unpacked and there is an extra folder jpress-web-newest

ll

The above is uploading a WAR and having it unpacked and deployed automatically: tomcat's auto-deploy function.

# deploy our website through the web page

Enter the following URL in the browser:

http://10.0.0.9:8080/jpress-web-newest

Back on db01, before filling in the database information, make sure the database has no tables yet; otherwise the installer reports that it cannot connect to the database.

mysql -uroot -poldboy123

show tables from jpress;

There are no tables:

Empty set (0.00 sec)

Go back to the browser:

Click next; database name jpress, user name jpress, password 123456, database host 172.16.1.51; click next; website name: old boy education-jpress, administrator oldboy, login password oldboy; click complete. Although the page says it is restarting, it does not restart automatically, so restart manually.

/application/tomcat/bin/shutdown.sh

ss -lntup | grep java

ps -ef | grep java

# the port is gone, but the process is still there

pkill java

pkill java

# OK, the process is gone

ps -ef | grep java

/application/tomcat/bin/startup.sh

# now the port and the process are both back

ss -lntup | grep java

ps -ef | grep java
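The stop-verify-start sequence used here and in the earlier start/stop section, written as an added example (not code from the original page). The page's fallback is pkill java, which kills every JVM on the host; this version waits for shutdown.sh, then signals only PIDs whose command line carries this instance's catalina.base, and reports success only when both the process and the port are gone. It assumes pgrep (procps) and ss (iproute2) are installed and uses the page's /application/tomcat layout.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed: pgrep and ss are
# available, and tomcat was started from the given CATALINA_HOME.

# PIDs of JVMs started from catalina home $1 (logical or resolved path,
# since catalina.sh may record either form in -Dcatalina.base=...)
tomcat_pids() {
  home=$1
  real=$(readlink -f "$home" 2>/dev/null || echo "$home")
  pgrep -f "catalina\.base=($home|$real)" || true
}

# wait up to $2 seconds for PID $1 to exit: 0 = gone, 1 = still alive
wait_for_exit() {
  pid=$1; secs=$2; n=0
  while kill -0 "$pid" 2>/dev/null; do
    [ "$n" -ge "$secs" ] && return 1
    sleep 1
    n=$((n + 1))
  done
  return 0
}

# 0 when nothing listens on TCP port $1 (the page's "check the port" step)
port_free() {
  ! ss -lnt 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ":$1\$"
}

# graceful shutdown.sh first, then TERM and finally KILL, but only for the
# stragglers of this instance; 0 only when both process and port are gone
stop_tomcat() {
  home=$1; port=${2:-8080}
  "$home/bin/shutdown.sh" >/dev/null 2>&1 || true
  for pid in $(tomcat_pids "$home"); do
    if ! wait_for_exit "$pid" 30; then
      kill "$pid" 2>/dev/null
      wait_for_exit "$pid" 10 || kill -9 "$pid" 2>/dev/null
    fi
  done
  [ -z "$(tomcat_pids "$home")" ] && port_free "$port"
}

# the page's restart: stop, verify, only then start (no second instance)
restart_tomcat() {
  home=$1; port=${2:-8080}
  stop_tomcat "$home" "$port" || return 1
  "$home/bin/startup.sh"
}
```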

http://10.0.0.9:8080/jpress-web-newest/

http://10.0.0.9:8080/jpress-web-newest/admin/login

User name and password are both oldboy. Click the login button.

Write an article.

Go back to db01:

show tables from jpress;

+-------------------+
| Tables_in_jpress  |
+-------------------+
| jpress_attachment |
| jpress_comment    |
| jpress_content    |
| jpress_mapping    |
| jpress_metadata   |
| jpress_option     |
| jpress_taxonomy   |
| jpress_user       |
+-------------------+
8 rows in set (0.00 sec)

=

# Tomcat main configuration file: server.xml

cat /application/tomcat/conf/server.xml

# 8005 is the shutdown port: if you send the right data to port 8005, tomcat shuts down. With telnet or nc you can send the string SHUTDOWN (note the upper case) to 8005 and tomcat stops. This is quite dangerous, so in practice both the port and the shutdown string are changed.

# this part configures the management function that corresponds to tomcat-users.xml. Again, this management function should not be used in practice.

# tomcat's default access port is 8080, followed by the protocol it uses and the connection timeout. The timeout unit is milliseconds, not seconds. 8443 is the port related to the HTTPS configuration; leave it.

# 8009 is the AJP port, an interface mainly used to talk to Apache httpd. We use nginx later, so it can be ignored.

# what is written here is equivalent to a virtual host: its name is name="localhost", the site directory is appBase="webapps", unpackWARs="true" says whether WAR packages are unpacked automatically, and autoDeploy="true" says whether they are deployed automatically. With both true, an uploaded WAR package is unpacked and deployed by itself.

# here is the access log format: the directory is directory="logs", the file name prefix is prefix="localhost_access_log", the suffix is suffix=".txt", then the date format etc. The line format is pattern="%h %l %u %t &quot;%r&quot; %s %b"
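Reading the access log that this AccessLogValve pattern produces, as an added example (not code from the original page): status code counts, clients hitting the /manager and /host-manager paths the page says must stay closed, and bytes served per client. The log lines are constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): parse localhost_access_log
# lines written with pattern "%h %l %u %t &quot;%r&quot; %s %b".

# constructed sample in the page's pattern; $1 = file to write
sample_access_log() {
  cat >"$1" <<'EOF'
10.0.0.5 - - [06/Nov/2019:20:52:11 +0800] "GET /jpress-web-newest/ HTTP/1.1" 200 5123
10.0.0.5 - - [06/Nov/2019:20:52:12 +0800] "GET /jpress-web-newest/admin/login HTTP/1.1" 200 2211
172.16.1.99 - - [06/Nov/2019:20:53:01 +0800] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.99 - - [06/Nov/2019:20:53:02 +0800] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.99 - - [06/Nov/2019:20:53:03 +0800] "GET /host-manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [06/Nov/2019:20:54:40 +0800] "GET /jpress-web-newest/missing HTTP/1.1" 404 1050
10.0.0.5 - - [06/Nov/2019:20:55:00 +0800] "POST /jpress-web-newest/admin/login HTTP/1.1" 302 -
EOF
}

# whitespace fields for this pattern: $1 host, $4 time, $6 method (with the
# opening quote), $7 request path, $9 status, $10 bytes ("-" when nothing sent)

# prints "status count" per status code, sorted by code
status_counts() {
  awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# prints "host count" for requests to /manager or /host-manager; on a box
# where the page's management apps are meant to be off, any entry here is
# a probe worth alerting on
manager_probes() {
  awk '$7 ~ /^\/(host-)?manager(\/|$)/ { n[$1]++ } END { for (h in n) print h, n[h] }' "$1" | sort
}

# bytes served per client, ignoring "-" (spots bulk downloads of the site)
bytes_per_client() {
  awk '$10 != "-" { b[$1] += $10 } END { for (h in b) print h, b[h] }' "$1" | sort
}
```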

Example: simplify the access path

Change http://10.0.0.9:8080/jpress-web-newest/ to http://10.0.0.9:8080/jpress

At present http://10.0.0.9:8080/jpress returns a 404 error: not found.

Add this command to the server.xml configuration file, in the

/application/tomcat/webapps/ROOT/index.jsp

echo default-8081 >/application/tomcat_1/webapps/ROOT/index.jsp

echo default-8082 >/application/tomcat_2/webapps/ROOT/index.jsp

# then give it a try

http://10.0.0.9:8080/

http://10.0.0.9:8081/

http://10.0.0.9:8082/

# after deployment and debugging you can package these tomcat directories directly. Later, whichever machine needs them, just unpack the archive there.

Production experience: package the configured instances to make batch configuration of multiple instances easy later

cd /

tar zcf /server/tomcat_muti.tar.gz application/tomcat/ application/tomcat_1/ application/tomcat_2

=

# tomcat and reverse proxy (Tomcat reverse proxy cluster)

After deploying several tomcats, which one is used? A reverse proxy cluster. Deploy nginx in front and send each request to the corresponding tomcat. This is a bit simpler than the PHP setup: there is no nginx-to-PHP hop on the web node; the front nginx reverse-proxies straight to tomcat.

You need to learn the configuration here.

On the load balancing server, first configure a pool (upstream), then configure a location that proxies into the pool. The pool does not use port 80 here: write the IP ending in 9 with ports 8081 and 8082; you can configure this yourself.

Operate on lb01 (CentOS6) and just change the IPs to 10.0.0.9. Remember to take a snapshot of lb01 first.

mv /application/nginx/conf/nginx.conf{,.ori}

egrep -v '#|^$' /application/nginx/conf/nginx.conf.default >/application/nginx/conf/nginx.conf

vim /application/nginx/conf/nginx.conf

cat /application/nginx/conf/nginx.conf

……
    upstream web_pools {
        server 10.0.0.9:8081;
        server 10.0.0.9:8082;
    }
……
        location / {
            root   html;
            index  index.jsp index.html index.htm;
            proxy_pass http://web_pools;
        }

The complete file, keeping only the main directives:

cat /application/nginx/conf/nginx.conf

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    upstream web_pools {
        server 10.0.0.9:8081;
        server 10.0.0.9:8082;
    }
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.jsp index.html index.htm;
            proxy_pass http://web_pools;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

/application/nginx/sbin/nginx -t

/application/nginx/sbin/nginx -s reload

# close the browser, then visit 10.0.0.5: you are proxied automatically to 10.0.0.9:8081 or 10.0.0.9:8082.

http://10.0.0.5/

# zabbix monitoring of tomcat

We do not use some of the functions that come with tomcat. For the built-in functions you can refer to the Tomcat built-in test page meminfo.jsp.

Append the above to a file and then access it; this is not recommended.

cat >/application/tomcat/webapps/ROOT/meminfo.jsp<<'EOF'
…
EOF

# also check /etc/hosts: remote JMX needs the host name to resolve to an address the monitoring server can reach

/etc/hosts

# remember to restart after configuration; you don't need to be gentle about it, pkill is fine

pkill java

pkill java

# kill all java processes

ps -ef | grep java

Or

/application/tomcat/bin/shutdown.sh

/application/tomcat/bin/startup.sh

# check whether remote monitoring is enabled: yes, the remote monitoring port 12345 is listening

ss -lntup | grep 12345
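The JMX flags that the catalina.sh edit turns on for port 12345, as an added example (not the page's own snippet), built so that authentication stays on and the credentials live in files only the tomcat user can read. An unauthenticated JMX port gives anyone who can reach it full control of the JVM, so the zabbix Java gateway should log in as a read-only user. The credential file paths and the user name are assumptions; the host 172.16.1.9 and port 12345 are the page's.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed: credential file
# paths and a JMX user name chosen by the caller.

# $1 = advertised host, $2 = port, $3 = password file, $4 = access file
# prints a CATALINA_OPTS string; rmi.port pinned to the same port keeps the
# firewall rule to one port, as the page's "ss | grep 12345" expects
jmx_catalina_opts() {
  host=$1; port=$2; pwfile=$3; accfile=$4
  printf '%s' \
    "-Dcom.sun.management.jmxremote" \
    " -Dcom.sun.management.jmxremote.port=$port" \
    " -Dcom.sun.management.jmxremote.rmi.port=$port" \
    " -Dcom.sun.management.jmxremote.authenticate=true" \
    " -Dcom.sun.management.jmxremote.password.file=$pwfile" \
    " -Dcom.sun.management.jmxremote.access.file=$accfile" \
    " -Dcom.sun.management.jmxremote.ssl=false" \
    " -Djava.rmi.server.hostname=$host"
}

# $1 = password file, $2 = access file, $3 = user, $4 = password
# JDK format: "user password" and "user readonly|readwrite", one per line;
# the JVM refuses to start if the password file is readable by others
write_jmx_credentials() {
  pwfile=$1; accfile=$2; user=$3; pass=$4
  printf '%s %s\n' "$user" "$pass" >"$pwfile"
  printf '%s readonly\n' "$user" >"$accfile"
  chmod 600 "$pwfile"
  chmod 644 "$accfile"
}

# audit an options string: the JDK default is authenticate=true, so only
# an explicit "authenticate=false" opens the port to everyone; returns 1 then
jmx_opts_secure() {
  case " $1 " in
    *"-Dcom.sun.management.jmxremote.authenticate=false"*) return 1 ;;
  esac
  return 0
}
```

In zabbix, set the same user name and password on the JMX items of the web03 host (ssl=false above means the credentials cross the network in clear; keep 12345 reachable from the monitoring server only).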

# next, deploy the zabbix client on web03? Not quite. Because zabbix is monitoring tomcat, the agent cannot read the remote (JMX) data exposed through catalina.sh; unless you define custom monitoring items on the command line, the agent cannot get it. So how does zabbix monitor tomcat? With the Java gateway, which needs to be installed.

Go to the monitoring server m01:

# install zabbix_java_gateway (a java program), which also needs a jdk (openjdk); do this once

rpm -ivh http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm

yum install zabbix-java-gateway -y

# configure the server

vim /etc/zabbix/zabbix_server.conf

Search for Java and find # JavaGateway=

Change it to

JavaGateway=127.0.0.1

Below it there is also # JavaGatewayPort=10052, the port of the java gateway; the default is fine.

StartJavaPollers=0

Change it to

# the number of java poller processes started for java monitoring. The java gateway connects directly to port 12345 of our tomcat server, web03, as configured in catalina.sh

StartJavaPollers=5

# restart the zabbix server after configuration

systemctl restart zabbix-server.service

systemctl start zabbix-java-gateway.service

systemctl enable zabbix-java-gateway.service

# you will see port 10052, the port of the java gateway. When this is ready, the rest is done on the web page.

ss -lntup | grep java

ping 172.16.1.9

# operate on the zabbix management page; here we clone the backup host

Configuration > Hosts > click backup > click Clone: host name web03; in Groups remove the Discovered hosts group; on the Agent interface click remove; on the JMX interface click add, enter 172.16.1.9 in the first box and 12345 in the last box.

Click the Templates tab > click unlink on all linked templates > in "Link new templates" enter JMX, select Template App Apache Tomcat JMX, click the small add, then click the big Add button. Then wait: the JMX availability indicator of web03 turns green.

This completes monitoring of tomcat through the java gateway.

=

# Security optimization and summary of tomcat

Necessary for interviews

Security optimization

Run tomcat as an ordinary user, not as root

Monitoring mode

First: run as an ordinary user. Then there are some further security concerns:

The shutdown port must be changed, and the shutdown string must also be changed to something else.

There is also AJP. Although we rarely use it, this port must also be changed.

There is also what we call management, that is, web page management. It exists because /application/tomcat/webapps contains many directories by default. Delete these default directories, including host-manager and manager, leaving only the site jpress-web-newest. That disables this kind of management.

De-privileged startup: run as an ordinary user. This is also called "prison mode", and it must be done. It is relatively easy for tomcat and troublesome for nginx: when running as an ordinary user the listening port must be greater than 1000, because ports below 1000 require root; tomcat already listens on 8080, so it is easy.

Then add some access control. You can configure directory listing: a file list that does not let visitors see your site's directory structure.

The version can also be configured. The version string shown on the pages you just visited is configured through web.xml and the error pages, because the default error pages display the version and expose it. Specify your own jsp error pages, which you have to write; with the defaults, tomcat gives you away again and shows the version information. Then there is access control similar to nginx allow/deny: for the more dangerous directories you can add rules for a given path, allowing or denying access, and so on.

Then the start and stop scripts: take back their permissions and do not give everyone execute permission; make them 744, not 755.

Then the logs, and that is about it.

This is the security optimization of tomcat, which you need to be able to explain. One assignment is to complete our tomcat load balancing, the other is to complete our tomcat monitoring; these are the things you should be able to talk through fluently.

Tomcat security optimization

Extend:

# Tomcat Security Optimization

Shutdown port protection: 8005, SHUTDOWN

AJP connector port protection: 8009, comment it out

Disable the management side

De-privileged start: start with a lower-privileged user

pkill java

useradd tomcat

cp -a /application/tools/tomcat8_1 /home/tomcat/

chown -R tomcat.tomcat /home/tomcat/tomcat8_1/

# su -c command: switch to USER, run the command, then return to the original user

su -c '/home/tomcat/tomcat8_1/bin/startup.sh' tomcat
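The hardening points of this section applied to a tomcat tree, as an added example (not code from the original page): a random shutdown port and shutdown string instead of 8005/SHUTDOWN, the AJP connector commented out, the default management webapps removed, and the bin scripts set to 744. It assumes server.xml still carries the stock lines <Server port="8005" shutdown="SHUTDOWN"> and <Connector port="8009" protocol="AJP/1.3" .../>; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed: stock 8.0.27
# server.xml lines for the shutdown port and the AJP connector.

# $1 = server.xml; prints the chosen shutdown port. shutdown.sh keeps
# working because Bootstrap reads port and string back from server.xml.
harden_server_xml() {
  f=$1
  secret=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  # random port in 20000-39999, away from the well-known 8005
  port=$((20000 + $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % 20000))
  sed -i \
    -e "s|<Server port=\"8005\" shutdown=\"SHUTDOWN\">|<Server port=\"$port\" shutdown=\"$secret\">|" \
    -e 's|<Connector port="8009" protocol="AJP/1.3"[^>]*/>|<!-- & -->|' \
    "$f"
  echo "$port"
}

# $1 = CATALINA_HOME. docs, examples, manager and host-manager are the
# page's "default directories"; ROOT and the site (jpress-web-newest) stay.
remove_default_webapps() {
  home=$1
  for app in docs examples manager host-manager; do
    rm -rf "$home/webapps/$app"
  done
}

# page: "take back the permissions of the scripts, 744 not 755"
restrict_bin_scripts() {
  chmod 744 "$1"/bin/*.sh
}

# all three steps; run before starting as the unprivileged tomcat user
harden_tomcat() {
  home=$1
  harden_server_xml "$home/conf/server.xml" >/dev/null
  remove_default_webapps "$home"
  restrict_bin_scripts "$home"
}
```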

# Tomcat performance optimization

Tomcat performance depends on your memory size.

The best policy: optimize the code

Best strategy: the JVM optimization mechanism, i.e. garbage collection, which reclaims memory that is no longer needed

Optimize the JVM: optimize the garbage collection strategy

Optimize the catalina.sh profile. Add the following line to catalina.sh:

# tomcat template allocating 1G of memory

JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms1024m -Xmx1024m -XX:NewSize=512m -XX:MaxNewSize=512m -XX:PermSize=512m -XX:MaxPermSize=512m"

(On JDK 8, which this page deploys, the permanent generation no longer exists, so -XX:PermSize and -XX:MaxPermSize are ignored with a warning; the corresponding setting is -XX:MaxMetaspaceSize.)

The worst policy: add enough memory

The worst policy: restart tomcat at 0:00 every day.

=

# reasons why Tomcat starts slowly on CentOS7

Checking the real-time log shows that the cause is random number generation blocking, which makes tomcat start slowly.

Whether there is enough entropy to generate random numbers can be seen with the following command.

What is entropy? The Linux kernel uses entropy to describe the randomness of data. Entropy is a physical quantity describing the disorder of a system: the greater the entropy, the less ordered the system, that is, the greater the uncertainty. The kernel maintains an entropy pool that collects environmental noise from device drivers and other sources. In theory the data in the pool is completely random and can be used to generate a sequence of true random numbers. To track the randomness of the data in the pool, the kernel estimates the randomness of data as it is added; this is called entropy estimation. The estimate describes the number of random bits contained in the pool; the higher the value, the better the randomness of the data in the pool.

[root@oldboy tools]# cat /proc/sys/kernel/random/entropy_avail
7

To speed up the supply of random numbers from /dev/random, you can generate lots of interrupts by operating the machine's peripherals (network transfers, keystrokes, moving the mouse, typing several different commands on the command line), jokingly called "gathering qi".

cat /dev/random consumes entropy

yum install rng-tools   # install the rngd service (entropy service, fills the entropy pool)

systemctl start rngd    # start the service
