知乎专栏 |
解压安装
chmod +x jdk-6u1-linux-i586.bin ./jdk-6u1-linux-i586.bin 输入"yes"回车 mv jdk1.6.0_01 /usr/local/ ln -s /usr/local/jdk1.6.0_01/ /usr/local/java
/etc/profile.d/java.sh
例 5.1. /etc/profile.d/java.sh
################################################ ### Java environment ################################################ export JAVA_HOME=/usr/local/java export JRE_HOME=/usr/local/java/jre export PATH=$PATH:/usr/local/java/bin:/usr/local/java/jre/bin export CLASSPATH="./:/usr/local/java/lib:/usr/local/java/jre/lib:/usr/local/memcached/api/java" export JAVA_OPTS="-Xms512m -Xmx1024m"
下载binary解压到/usr/local/
下载软件包
wget http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.13/bin/apache-tomcat-6.0.13.tar.gz wget http://archive.apache.org/dist/tomcat/tomcat-connectors/native/tomcat-native-1.1.10-src.tar.gz wget http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.23/tomcat-connectors-1.2.23-src.tar.gz
tar zxvf apache-tomcat-6.0.13.tar.gz mv apache-tomcat-6.0.13 /usr/local/ ln -s /usr/local/apache-tomcat-6.0.13/ /usr/local/tomcat
tomcat-native
tar zxvf tomcat-native-1.1.10-src.tar.gz cd tomcat-native-1.1.10-src/jni/native ./configure --with-apr=/usr/local/apache/bin/apr-1-config --with-java-home=/usr/local/java/ make make install
catalina.sh
CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib" JAVA_OPTS="-Xss128k -Xms128m -Xmx1024m -XX:PermSize=128M -XX:MaxPermSize=256m -XX:MaxNewSize=256m"
启动
startup.sh
cd /usr/local/tomcat-6.0.18/bin tar zxvf tomcat-native.tar.gz cd tomcat-native-1.1.14-src/jni/native ./configure --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.6.0_11 make && make install
例 5.2. /etc/init.d/tomcat
# cat /etc/init.d/tomcat #!/bin/bash # description: Tomcat Start Stop Restart # processname: tomcat # chkconfig: 234 20 80 JAVA_HOME=/srv/java CATALINA_HOME=/srv/apache-tomcat # Source function library. . /etc/init.d/functions # Source networking configuration. . /etc/sysconfig/network if [ -f /etc/sysconfig/tomcat ]; then . /etc/sysconfig/tomcat fi prog=tomcat lockfile=/var/lock/subsys/$prog pidfile=${PIDFILE-/var/run/$prog.pid} lockfile=${LOCKFILE-/var/lock/subsys/$prog} RETVAL=0 OPTIONS="--pidfile=${pidfile}" start(){ # Start daemons. echo -n $"Starting $prog: " #daemon $prog $OPTIONS $CATALINA_HOME/bin/startup.sh RETVAL=$? echo [ $RETVAL -eq 0 ] && touch $lockfile return $RETVAL } stop() { echo -n $"Stopping $prog: " # killproc -p ${pidfile} -d 10 $httpd $CATALINA_HOME/bin/shutdown.sh RETVAL=$? echo [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile} } case $1 in start) start ;; stop) stop ;; restart) start stop ;; esac exit 0
创建 /etc/init.d/tomcat 文件,复制并粘贴上面的启动脚本
vim /etc/init.d/tomcat chmod +x /etc/init.d/tomcat chkconfig --add tomcat chkconfig --level 234 tomcat on chkconfig --list tomcat
安装 Server JRE
cd /usr/local/src/ tar zxvf server-jre-7u21-linux-x64.gz mv jdk1.7.0_21 /srv/ ln -s /srv/jdk1.7.0_21 /srv/java
或者
curl -sS https://raw.github.com/netkiller/shell/master/java/server-jre.sh | bash
安装下面步骤安装Tomcat,注意不要使用root启动tomcat。这里使用www用户启动tomcat,这样的目的是让tomcat进程继承www用户权限。
cd /usr/local/src/ wget http://ftp.cuhk.edu.hk/pub/packages/apache.org/tomcat/tomcat-7/v7.0.40/bin/apache-tomcat-7.0.40.tar.gz tar zxvf apache-tomcat-7.0.40.tar.gz mv apache-tomcat-7.0.40 /srv/ ln -s /srv/apache-tomcat-7.0.40 /srv/apache-tomcat rm -rf /srv/apache-tomcat/webapps/* cat > /srv/apache-tomcat/bin/setenv.sh <<'EOF' export JAVA_HOME=/srv/java export JAVA_OPTS="-server -Xms512m -Xmx8192m -XX:PermSize=64M -XX:MaxPermSize=512m" export CATALINA_HOME=/srv/apache-tomcat export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$CATALINA_HOME/lib: export PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin: EOF cp /srv/apache-tomcat/conf/server.xml{,.original} groupadd -g 80 www adduser -o --home /srv --uid 80 --gid 80 -c "Web Application" www chown www:www -R /srv/* su - www -c "/srv/apache-tomcat/bin/startup.sh"
或者运行下面脚本快速安装
curl -sS https://raw.github.com/netkiller/shell/master/apache/tomcat/install.sh | bash
安装Java 8
cd /usr/local/src/ tar zxf server-jre-8u20-linux-x64.gz mv jdk1.8.0_20 /srv/ ln -s /srv/jdk1.8.0_20 /srv/java cat >> /etc/profile.d/java.sh <<'EOF' export JAVA_HOME=/srv/java export JAVA_OPTS="-server -Xms512m -Xmx8192m" export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$CATALINA_HOME/lib: export PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin: EOF
注意 | |
---|---|
Java 8 取消了 PermSize 与 MaxPermSize 配置项" |
cd /usr/local/src/ wget http://ftp.cuhk.edu.hk/pub/packages/apache.org/tomcat/tomcat-8/v8.0.12/bin/apache-tomcat-8.0.12.tar.gz tar zxf apache-tomcat-8.0.12.tar.gz mv apache-tomcat-8.0.12 /srv/ ln -s /srv/apache-tomcat-8.0.12 /srv/apache-tomcat rm -rf /srv/apache-tomcat/webapps/* cp /srv/apache-tomcat/conf/server.xml{,.original} cat > /srv/apache-tomcat/bin/setenv.sh <<'EOF' export JAVA_HOME=/srv/java export JAVA_OPTS="-server -Xms512m -Xmx8192m" export CATALINA_HOME=/srv/apache-tomcat export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$CATALINA_HOME/lib:/srv/IngrianJCE/lib/ext/IngrianNAE-5.1.1.jar export PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin: EOF
启动 Tomcat
groupadd -g 80 www adduser -o --home /www --uid 80 --gid 80 -c "Web Application" www chown www:www -R /srv/apache-tomcat-* su - www -c "/srv/apache-tomcat/bin/startup.sh"
curl -s https://raw.githubusercontent.com/oscm/shell/master/web/tomcat/systemctl.sh | bash
$ git clone https://github.com/chexagon/redis-session-manager.git $ cd redis-session-manager/ $ mvn package $ ls target/redis-session-manager-with-dependencies-2.1.1-SNAPSHOT.jar redis-session-manager-with-dependencies-2.1.1-SNAPSHOT.jar $ cp target/redis-session-manager-with-dependencies-2.1.1-SNAPSHOT.jar /srv/apache-tomcat/apache-tomcat-8.5.11/lib/
如果Redis是 127.0.0.1 配置 conf/context.xml 加入下面一行,
<Manager className="com.crimsonhexagon.rsm.redisson.SingleServerSessionManager" />
完整的配置
<Manager className="com.crimsonhexagon.rsm.redisson.SingleServerSessionManager" endpoint="localhost:6379" sessionKeyPrefix="JSESSIONID::" saveOnChange="false" forceSaveAfterRequest="false" dirtyOnMutation="false" ignorePattern=".*\\.(ico|png|gif|jpg|jpeg|swf|css|js)$" connectionPoolSize="100" database="16" password="yourpassword" timeout="60000" pingTimeout="1000" retryAttempts="20" retryInterval="1000" />
例 5.3. Example /srv/apache-tomcat/conf
cat context.xml <?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- The contents of this file will be loaded for each web application --> <Context> <!-- Default set of monitored resources. If one of these changes, the --> <!-- web application will be reloaded. --> <WatchedResource>WEB-INF/web.xml</WatchedResource> <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource> <!-- Uncomment this to disable session persistence across Tomcat restarts --> <!-- <Manager pathname="" /> --> <Manager className="com.crimsonhexagon.rsm.redisson.SingleServerSessionManager" endpoint="localhost:6379" sessionKeyPrefix="JSESSIONID" saveOnChange="false" forceSaveAfterRequest="false" dirtyOnMutation="false" ignorePattern=".*\\.(ico|png|gif|jpg|jpeg|swf|css|js)$" connectionPoolSize="100" database="0" password="" timeout="60000" pingTimeout="1000" retryAttempts="20" retryInterval="1000" /> </Context>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html> <html> <head> <title>set session</title> </head> <body> <%= session.getId() %> <% session.setAttribute("neo", "netkiller"); %> </body> </html>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html> <html> <head> <title>get session</title> </head> <body> <%= session.getId() %> <br/> <br/> <%=(String)session.getAttribute("neo")%> </body> </html>
neo@MacBook-Pro-Neo ~ % keytool -genkey -v -alias tomcat -keyalg RSA -keystore conf/tomcat.keystore -validity 36500 输入密钥库口令: 再次输入新口令: 您的名字与姓氏是什么? [Unknown]: Neo 您的组织单位名称是什么? [Unknown]: SF 您的组织名称是什么? [Unknown]: IT 您所在的城市或区域名称是什么? [Unknown]: SZ 您所在的省/市/自治区名称是什么? [Unknown]: GD 该单位的双字母国家/地区代码是什么? [Unknown]: CN CN=Neo, OU=SF, O=IT, L=SZ, ST=GD, C=CN是否正确? [否]: Y 正在为以下对象生成 2,048 位RSA密钥对和自签名证书 (SHA256withRSA) (有效期为 36,500 天): CN=Neo, OU=SF, O=IT, L=SZ, ST=GD, C=CN [正在存储conf/tomcat.keystore] neo@MacBook-Pro-Neo ~ % ll conf/tomcat.keystore -rw-r--r-- 1 neo staff 2.6K 7 15 17:06 conf/tomcat.keystore
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/tomcat.keystore" certificateKeystorePassword="12345678" certificateKeystoreType="PKCS12" /> </SSLHostConfig> </Connector>
自签名证书生成命令:
keytool -genkey -alias tomcat -keyalg RSA -keystore /srv/apache-tomcat/conf/localhost-rsa.jks keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "https.keystore" 加入有效期: keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "e:\https.keystore" -validity 36000 # CN为域名 keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore tomcat.keystore -keypass "123456" -storepass "123456" -validity 365000 -dname "CN=www.netkiller.cn.cn,OU=tomcat,O=tomcat,L=SZ,ST=GD,C="
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"> <SSLHostConfig> <Certificate certificateKeystoreFile="cert/www.netkiller.cn.pfx" certificateKeystoreType="PKCS12" certificateKeystorePassword="12345678" /> </SSLHostConfig> </Connector>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="www.netkiller.cn" > <SSLHostConfig hostName="www.netkiller.cn"> <Certificate certificateKeystoreFile="cert/netkiller.pfx" certificateKeystorePassword="****" type="RSA"/> </SSLHostConfig> </Connector>
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
80 跳转 8080 方案
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
取消跳转
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
查看规则
iptables -t nat -L
例 5.4. tomcat firewall
下面是完整的例子,仅供参考,复制到 /etc/sysconfig/iptables 文件中,重启iptables即可生效。
# cat /etc/sysconfig/iptables # Generated by iptables-save v1.4.7 on Mon Jul 22 15:58:35 2013 *nat :PREROUTING ACCEPT [7:847] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080 COMMIT # Completed on Mon Jul 22 15:58:35 2013 # Generated by iptables-save v1.4.7 on Mon Jul 22 15:58:35 2013 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [42303:3464247] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Mon Jul 22 15:58:35 2013
创建工作目录
mkdir /srv/apache-tomcat
每个端口一个目录
tar zxvf apache-tomcat-7.0.x.tar.gz mv apache-tomcat-7.0.x /srv/apache-tomcat/8080 tar zxvf apache-tomcat-7.0.x.tar.gz mv apache-tomcat-7.0.x /srv/apache-tomcat/9090
修改 Server port="8006" 与 Connector port="9090"端口,不要出现重复。
<Server port="8006" shutdown="SHUTDOWN"> <Connector port="9090" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
启动tomcat然后观察catalina.log日志文件,确认每个进程都正确启动。
创建测试文件
vim webapps/ROOT/index.jsp<%@ page contentType="text/html;charset=utf-8"%> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>helloworld!</title> </head> <body> <h1> <%="It works!"%> </h1> <% out.println("<h3>Hello World!</h3>"); %> <hr /> <%=new java.util.Date()%> </body> </html>
使用curl命令测试,测试结果类似下面结果。
$ curl http://192.168.6.9/index.jsp <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>helloworld!</title> </head> <body> <h1> It works! </h1> <h3>Hello World!</h3> <hr /> Mon Jul 22 16:41:46 HKT 2013 </body> </html>
mod_jk 安装
tar zxvf tomcat-connectors-1.2.23-src.tar.gz cd tomcat-connectors-1.2.23-src/native/ ./configure --with-apxs=/usr/local/apache/bin/apxs make make install chmod 755 /usr/local/apache/modules/mod_jk.so
httpd.conf 尾部加入
Include conf/mod_jk.conf
配置workers.properties
apache/conf/workers.properties# Define 1 real worker using ajp13 worker.list=worker1 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1 worker.worker1.port=8009 worker.worker1.lbfactor=1 worker.worker1.cachesize=128 worker.worker1.cache_timeout=600 worker.worker1.socket_keepalive=1 worker.worker1.reclycle_timeout=300
mod_jk.conf
apache/conf/mod_jk.conf[chenjingfeng@d3010 Includes]$ cat mod_jk.conf <IfModule mod_jk.c> # Load mod_jk module LoadModule jk_module modules/mod_jk.so # Where to find workers.properties JkWorkersFile /usr/local/apache/conf/workers.properties # Where to put jk logs JkLogFile /usr/local/apache/logs/mod_jk.log # Set the jk log level [debug/error/info] JkLogLevel error # Select the log format JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " # JkOptions indicate to send SSL KEY SIZE, JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories # JkRequestLogFormat set the request format JkRequestLogFormat "%w %V %T" JkShmFile /usr/local/apache2/logs/mod_jk.shm # Send jsp,servlet for context * to worker named worker1 JkMount /status/* worker1 JkMount /*.jsp worker1 JkMount /*.jsps worker1 JkMount /*.do worker1 JkMount /*Servlet worker1 JkMount /jk/* worker1 </IfModule>
分别测试apache,tomcat
包含虚拟主机配置文件
# vi conf/httpd.conf# Virtual hosts Include conf/extra/httpd-vhosts.conf
虚拟主机中配置ProxyPass,ProxyPassReverse
# vi conf/extra/httpd-vhosts.conf<VirtualHost *:80> ServerName netkiller.8800.org ProxyPass /images ! ProxyPass /css ! ProxyPass /js ! ProxyPass /ajp ajp://localhost:8009/ajp ProxyPassReverse /ajp ajp://localhost:8009/ajp </VirtualHost>
反向代理和均衡负载模块
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ProxyPass /admin balancer://tomcatcluster/admin lbmethod=byrequests stickysession=JSESSIONID nofailover=Off timeout=5 maxattempts=3 ProxyPassReverse /admin balancer://tomcatcluster/admin <Proxy balancer://tomcatcluster> BalancerMember ajp://localhost:8009 route=web1 BalancerMember ajp://localhost:10009 smax=10 route=web2 BalancerMember ajp://localhost:11009 route=web3 BalancerMember ajp://localhost:12009 smax=10 route=web4 </Proxy>
RewriteEngine On RewriteRule ^/(.*) ajp://localhost:8009/ajp/$1 [P] RewriteRule ^/(.*\.(jsp|do|sevlet)) ajp://localhost:8009/ajp/$1 [P]
首先我并不建议使用 tomcat 实现SSL双向验证,这个工作可以交给 Web 服务器完成。但有些场景可能需要,可以参考下面例子。
服务器端证书
keytool -genkey -v -alias serverKey -dname "CN=localhost" -keyalg RSA -keypass xxxxxx -keystore server.ks -storepass xxxxxx
客户端证书
keytool -genkey -v -alias clientKey -dname "CN=SomeOne" -keyalg RSA -keypass xxxxxx -keystore client.p12 -storepass xxxxxx -storetype PKCS12 keytool -export -alias clientKey -file clientKey.cer -keystore client.p12 -storepass xxxxxx -storetype PKCS12
导入客户端证书
keytool -import -v -alias clientKey -file clientKey.cer -keystore server.ks -storepass xxxxxx
如果希望在 Windows 浏览器中访问,下导入证书方式,双击 client.p12 文件,安装提示导入
配置 Tomcat ,编辑 server.xml 文件
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="1024" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="server.ks" keystorePass="xxxxxx" truststoreFile="server.ks " truststorePass="xxxxxx" />