部署Tomcat

Star英 2022-05-12 阅读 39

1、安装基础库及工具

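# Build/runtime prerequisites for Tomcat with the APR/native connector.
# The wildcard is quoted so that yum, not the shell, expands it (an unquoted
# glob is substituted by the shell if a matching file happens to exist in the
# working directory). java-11-openjdk-devel, which the wildcard pulls in, is
# what provides the jni.h headers that tomcat-native's ./configure needs.
yum -y install apr-devel gcc gcc-c++ make openssl-devel openssl 'java-11-openjdk-*' libffi-devel redhat-rpm-config lrzsz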

2、编译安装 tomcat-native（源码包随 Tomcat 发行版附带，位于解压后的 bin/tomcat-native.tar.gz）

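# Versions as used on this page. Keep the two in step: the tomcat-native
# tarball is the one bundled in bin/ of that particular Tomcat distribution.
# (The original first line had a typo, "apache-tomcat-10.0..tar.gz".)
TOMCAT_VERSION=10.0.2
TCNATIVE_VERSION=1.2.26
# Supply-chain check before unpacking anything: verify the download against the
# .sha512 (or the .asc signature) published alongside it on tomcat.apache.org, e.g.
#   sha512sum -c "apache-tomcat-${TOMCAT_VERSION}.tar.gz.sha512"
tar xf "apache-tomcat-${TOMCAT_VERSION}.tar.gz" \
  && cd "apache-tomcat-${TOMCAT_VERSION}/bin" \
  && tar xf tomcat-native.tar.gz \
  && cd "tomcat-native-${TCNATIVE_VERSION}-src/native/" \
  && ./configure --with-apr=/usr/ --with-java-home=/usr/lib/jvm/java-11-openjdk --with-ssl \
  && make \
  && make install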

3、配置环境变量

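# Make the freshly built libtcnative (placed under /usr/local/apr/lib by
# "make install" above) visible to the JVM at runtime. LD_RUN_PATH only affects
# link time and is kept for parity with the original. The original second
# command was "Source" with a capital S, which is not a shell builtin and fails.
cat >> /etc/profile.d/jdk11.sh <<'EOF'
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
export LD_RUN_PATH=$LD_RUN_PATH:/usr/local/apr/lib
EOF
source /etc/profile.d/jdk11.sh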

4、修改运行模式为APR

cat $CATALINA_HOME/conf/server.xml
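<!-- Replace protocol="HTTP/1.1" with the APR handler. The original carried a
     "//..." remark inside the start tag, which is not XML and breaks parsing
     of server.xml. Note that the APR/native connector is deprecated in the
     Tomcat 10.0 line and no longer available in 10.1; 10.0.x as used on this
     page still supports it. -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="20000"
           redirectPort="8443" />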

5、重启服务

# Restart the container. "catalina.sh stop" only sends the shutdown command
# and returns immediately, so an immediate "start" can race the old JVM for
# its listening ports; if that bites, set CATALINA_PID in bin/setenv.sh and
# use "catalina.sh stop 30 -force", which waits for the process to exit.
"$CATALINA_HOME"/bin/catalina.sh stop
"$CATALINA_HOME"/bin/catalina.sh start

6、查看运行模式是否为APR

查看$CATALINA_HOME/logs/catalina.out日志输出,初始化协议处理器是否为["http-apr-8080"]

7、配置模版

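<?xml version='1.0' encoding='utf-8'?>
<!-- port from 9040 -9049 -->
<!-- Shutdown listener: it binds to localhost by default, but the shutdown
     string is its only credential, so replace "SHUTDOWN" with a site-specific
     value before use (port="-1" disables it, at the cost of catalina.sh stop). -->
<Server port="9041" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- org.apache.catalina.core.JasperListener was removed in Tomcat 8 and does
       not exist in Tomcat 10, so it is not listed here. -->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <!-- maxSpareThreads is not a Connector attribute on this Tomcat line (it
         only produced a startup warning), so it is not carried over. -->
    <Connector port="9040" protocol="HTTP/1.1"
               connectionTimeout="30000"
               redirectPort="9043"
               URIEncoding="utf-8"
               maxThreads="1000"
               acceptCount="2000"
               minSpareThreads="100"
               enableLookups="false"
               disableUploadTimeout="true"
               server="devops-1.0"/>
    <!-- defaultHost must be the name of one of the nested Host elements; the
         original value "test.nagios.org" matched none of them. -->
    <Engine name="Catalina" defaultHost="test.devops.service">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <!-- All Hosts share appBase="webapps", so anything placed there is served
           under every name below. autoDeploy is off to agree with the hardening
           section of this page; deployOnStartup (default true) still deploys the
           contents of appBase when Tomcat starts. xmlValidation/xmlNamespaceAware
           stopped being Host attributes in Tomcat 8. -->
      <Host name="test.devops.service" appBase="webapps"
            unpackWARs="true" autoDeploy="false">
      </Host>
      <!-- AccessLogValve: the pattern is the "common" format; the quotes around
           %r must be written as &quot; inside an attribute value, otherwise the
           file is not well-formed XML. The original timestamp="true" and
           resolveHosts="false" are not valve attributes here (host lookups are
           governed by the Connector's enableLookups), and Context caseSensitive
           was removed in Tomcat 8; such attributes are only warned about and
           ignored, so dropping them changes nothing at runtime. -->
      <Host name="stageproduct.devops.service" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="StageProductService." suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
        <Context path="" docBase="/devops/StageProductService"></Context>
      </Host>
      <Host name="stagemobile.devops.com" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Alias>stagemobile1.devops.com</Alias>
        <Alias>stagemobile2.devops.com</Alias>
        <Alias>stagemobile3.devops.com</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="StageMobile." suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
        <Context path="" docBase="/devops/StageMobile"></Context>
      </Host>
      <Host name="stagemerchant.devops.service" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="StageMerchantService." suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
        <Context path="" docBase="/devops/StageMerchantService"></Context>
      </Host>
      <Host name="stageorder.devops.service" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="StageOrderService." suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
        <Context path="" docBase="/devops/StageOrderService"></Context>
      </Host>
    </Engine>
  </Service>
</Server>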

8、安全加固

1、删除默认目录
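# ${VAR:?} aborts instead of expanding to an empty string: with CATALINA_HOME
# unset, the original line would have executed "rm -rf /webapps/*". This removes
# ROOT, docs, examples, manager and host-manager; the manager application in
# particular can deploy arbitrary WARs, so it must never stay reachable with
# default or weak credentials.
rm -rf "${CATALINA_HOME:?CATALINA_HOME is not set}"/webapps/*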

2、管理用户注释(默认已注释)
cat $CATALINA_HOME/conf/tomcat-users.xml
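<!-- The sample roles and users stay commented out (the original had a typo,
     "rile1", for the first role). With manager/host-manager deleted in step 1
     no manager-* role is needed at all; if a Realm user is ever added, give it
     a strong, unique password (ideally hashed via a CredentialHandler) and a
     role scoped to that one application. -->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->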

3、隐藏版本号
cat $CATALINA_HOME/conf/server.xml
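<!-- server= only rewrites the "Server:" response header. The Tomcat version is
     also printed on the default error pages, so add to the Host as well:
       <Valve className="org.apache.catalina.valves.ErrorReportValve"
              showReport="false" showServerInfo="false"/>
     The original attribute connectionsTimeout was a typo for connectionTimeout;
     unknown attributes are only warned about, so the 20 s value was never
     applied and the connector kept its default. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           server="GOME1.0"/>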

4、关闭自动部署
cat $CATALINA_HOME/conf/server.xml
<!-- With autoDeploy off, WARs or directories added under appBase are not picked
     up while Tomcat runs and a changed WAR is not redeployed. deployOnStartup
     (default true) still deploys whatever is in appBase when Tomcat starts. -->
<Host name="localhost"
      appBase="webapps"
      unpackWARs="false"
      autoDeploy="false"/>

5、禁止列目录(默认已关闭)
cat $CATALINA_HOME/conf/web.xml
<!-- DefaultServlet: "listings" false (the shipped default) means a request for a
     directory without a welcome file gets 404 instead of a generated index. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

6、禁用AJP端口(默认已注释)
若前端是 Apache httpd（mod_jk / mod_proxy_ajp），才会用到 AJP 连接器；若前端是 Nginx 反向代理则不需要。若确需启用，请保持 address="127.0.0.1"（Tomcat 9.0.31+ / 10 的默认值），并配置 secret 与 secretRequired="true"，避免 Ghostcat（CVE-2020-1938）一类的 AJP 未授权访问。
<!-- Keep the AJP connector commented out unless an httpd front end really needs
     it; if it is enabled, bind it to 127.0.0.1 and configure a shared secret. -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->

7、服务权限控制
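# Least privilege for the service account. The original
# "chown -R devops.devops$CATALINA_HOME" lacked a space, so chown received a
# single (owner-spec) argument and changed nothing. conf/ and lib/ stay owned
# by root and merely readable by the devops group, so a compromised webapp
# cannot rewrite server.xml or tomcat-users.xml; only the runtime directories
# are writable by devops. Add "$CATALINA_HOME"/webapps to the writable set only
# if WARs are really deployed there at runtime (the Contexts on this page
# point at /devops/... instead).
chown -R root:devops "$CATALINA_HOME"
chmod -R g+rX,o-rwx "$CATALINA_HOME"
chown -R devops:devops "$CATALINA_HOME"/logs "$CATALINA_HOME"/temp "$CATALINA_HOME"/work
# sudo -i starts a login shell for devops, so the LD_LIBRARY_PATH exported from
# /etc/profile.d in step 3 is picked up (sudo's env_reset strips LD_* from the
# caller's environment). The devops account therefore needs a real login shell
# here; with /sbin/nologin, export the variable from bin/setenv.sh and use
# "sudo -u devops" instead.
sudo -iu devops "$CATALINA_HOME/bin/catalina.sh" start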

8、配置JVM
在 $CATALINA_HOME/bin/setenv.sh 中设置（catalina.sh 文件头部明确说明不要直接修改它，升级时会被覆盖）:
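# Put this in $CATALINA_HOME/bin/setenv.sh rather than editing catalina.sh.
# Adjusted for the java-11-openjdk installed in step 1: the original list
# contained -XX options that Java 11 no longer accepts (-XX:+UseParNewGC,
# removed in JDK 10; -XX:+UseCMSCompactAtFullCollection,
# -XX:CMSFullGCsBeforeCompaction, -XX:+PrintGCTimeStamps, -XX:+PrintHeapAtGC,
# removed with JDK 9), and an unrecognised -XX option makes the JVM exit
# before Tomcat even starts. -Xnoclassgc is dropped because it contradicts
# -XX:+CMSClassUnloadingEnabled on the next lines and would pin every class of
# an undeployed webapp inside the 192m metaspace. GC logging uses unified
# logging (-Xlog) and is written under the Tomcat log directory instead of the
# cwd-relative "log/gc.log"; CATALINA_BASE is set by catalina.sh before
# setenv.sh is sourced.
# NOTE(review): CMS itself is deprecated since JDK 9 and removed in JDK 14;
# plan the move to G1 (the JDK 11 default) when the heap sizing is revisited.
JAVA_OPTS="-server
-Xmn192m
-Xms512m
-Xmx512m
-XX:MetaspaceSize=192m
-XX:MaxMetaspaceSize=192m
-XX:SurvivorRatio=65536
-XX:MaxTenuringThreshold=0
-XX:+DisableExplicitGC
-XX:+UseConcMarkSweepGC
-XX:+CMSClassUnloadingEnabled
-XX:-CMSParallelRemarkEnabled
-XX:CMSInitiatingOccupancyFraction=90
-XX:SoftRefLRUPolicyMSPerMB=0
-XX:+PrintClassHistogram
-Xlog:gc*:file=$CATALINA_BASE/logs/gc.log:time,uptime,level,tags"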

9、限制访问
cat $CATALINA_HOME/conf/server.xml
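<!-- Restrict a context to an address range. The original lines were garbled
     ("valueclassName", "values.RemoteAddrValue", a curly quote in deny="") and
     would not parse. On Tomcat 7 and later "allow" is ONE java.util.regex
     pattern that must match the whole client address, so:
       * alternatives are joined with "|" (a comma is a literal character that no
         address contains, i.e. the original pattern admitted nobody);
       * dots must be escaped and each octet bounded, otherwise "192.168.[1-5].*"
         also admits 192.168.10.x, 192.168.50.x and similar.
     deny is omitted; an empty deny matches nothing anyway.
     Behind a reverse proxy (nginx in this setup) the remote address seen here is
     the proxy's: add a RemoteIpValve in front of this valve (or enforce the
     restriction at the proxy) or the rule is meaningless. -->
<Context path="/myapp" reloadable="true" docBase="/var/www/myapp">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="192\.168\.[1-5]\.\d{1,3}|192\.168\.1[0-5]\.\d{1,3}" />
</Context>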
