由于官方仓库不能使用sun的java包,利用yum安装tomcat 时会默认安装openjdk 作为依赖包,但是openjdk并不好用。tomcat跟apache、php不同,它无需编译即可运行,故可不需要安装源码包,tar.gz包 和rpm包不存在内在性能问题。 并且tomcat 漏洞频出,如果手动安装的话,需要我们时刻维护它,而官方仓库中的tomcat 可以经常得到更新。
tomcat虽然简单,手动安装其实并不容易,常常考虑不周全,我见过很多人用root来运行tomcat,不多解释。
而rpm包很好的解决了这个问题。
下面的办法可以两全其美。
1、使用了sun的java
2、使用了仓库中的tomcat
环境centos 6 x64
下载并安装最新的sun jdk
|
1
|
# rpm -ivh jdk-7u25-linux-amd64.rpm
|
输出java 变量
|
1
2
3
4
5
6
7
8
|
# export JAVA_HOME=/usr/java/default
# export PATH=$PATH:$JAVA_HOME/bin
# export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar
# cat > /etc/profile.d/java.sh <<EOF
export
JAVA_HOME=
/usr/java/default
export
PATH=\$PATH:\$JAVA_HOME
/bin
export
CLASSPATH=.:\$JAVA_HOME
/jre/lib
:\$JAVA_HOME
/lib
:\$JAVA_HOME
/lib/tools
.jar
EOF
|
修正java 变量(解决多个java版本并存问题)
|
1
2
3
4
5
6
7
8
|
# alternatives --install /usr/bin/java java /usr/java/default/bin/java 400
# alternatives --install /usr/bin/java java /usr/java/default/jre/bin/java 400
# alternatives --install /usr/bin/javac javac /usr/java/default/bin/javac 400
# alternatives --set java /usr/java/default/bin/java
# java -version
java version
"1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b15)
Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)
|
安装tomcat
|
1
|
# yum install tomcat tomcat-webapps tomcat-admin-webapps log4j mysql-connector-java
|
jvm优化(请根据具体情况优化)
|
1
2
|
# echo JAVA_HOME=\"/usr/java/default/\" >> /etc/tomcat/tomcat.conf
# echo JAVA_OPTS=\"-server -Xms256M -Xmx512M -XX:PermSize=64M -XX:MaxPermSize=128M\" >>/etc/tomcat/tomcat.conf
|
tomcat启用apr或NIO,关闭客户端DNS查询,优化性能
|
1
2
|
# rpm-ivh epel-release-6-7.noarch.rpm
# yum install tomcat-native apr apr-util --enablerepo=epel
|
apr 在安装后就会被tomcat自动启用,启动日志里会有“http-apr”字样。
使用NIO,修改/etc/tomcat/server.xml,
将
|
1
2
3
|
<Connector port=
"8080"
protocol=
"HTTP/1.1"
connectionTimeout=
"20000"
redirectPort=
"8443"
/>
|
改为
|
1
2
3
|
<
Connector
port
=
"8080"
protocol
=
"org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout
=
"20000"
redirectPort
=
"8443"
/>
|
其它优化,伪装header,禁用dns查询,gzip压缩
|
1
2
3
4
5
6
7
8
9
|
<
Connector
port
=
"8080"
protocol
=
"HTTP/1.1"
connectionTimeout
=
"20000"
server
=
"nginx"
enableLookups
=
"false"
URIEncoding
=
"UTF-8"
compression
=
"on"
useSendfile
=
"false"
compressionMinSize
=
"2048"
noCompressionUserAgents
=
"gozilla,traviata"
redirectPort
=
"8443"
/>
|
编辑/etc/tomcat/tomcat-users.xml,
在大约倒数第10行左右添加一个用户,以便登录tomcat manager
|
1
2
|
<role rolename=
"manager"
/>
<user username=
"tomcat"
password=
"s3cret"
roles=
"manager"
/>
|
隐藏tomcat版本号和标识
|
1
2
3
|
cd
/usr/share/tomcat/lib
mkdir
-p org
/apache/catalina/util
echo
"server.info=Apache tomcat"
> org
/apache/catalina/util/ServerInfo
.properties
|
启动tomcat
|
1
2
|
# chkconfig tomcat on
# /etc/init.d/tomcat start
|
查看进程
|
1
2
3
|
# ps aux |grep tomcat
tomcat 2052 0.8 13.9 1304208 142968 ? Sl 22:10 0:05
/usr/bin/java
-Xmx512M -Xms256M -classpath .:
/usr/java/default/jre/lib
:
/usr/java/default/lib
:
/usr/java/default/lib/tools
.jar:
/usr/share/tomcat6/bin/bootstrap
.jar:
/usr/share/tomcat6/bin/tomcat-juli
.jar:
/usr/share/java/commons-daemon
.jar -Dcatalina.base=
/usr/share/tomcat6
-Dcatalina.home=
/usr/share/tomcat
-Djava.endorsed.
dirs
= -Djava.io.tmpdir=
/var/cache/tomcat6/temp
-Djava.util.logging.config.
file
=
/usr/share/tomcat/conf/logging
.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
root 2152 0.0 0.0 6420 592 pts
/0
S+ 22:21 0:00
grep
tomcat
|
如果没有防火墙,直接访问IP 加 8080端口即可看到tomcat的欢迎主页,侧边栏有tomcat manager。
页面测试
|
1
2
3
4
5
6
7
8
9
10
|
cat
>
/var/lib/tomcat/webapps/ROOT/test
.jsp <<EOF
<HTML>
<HEAD>
<TITLE>JSP测试页面<
/TITLE
>
<
/HEAD
>
<BODY>
<%out.println(
"<h1>Hello World! </h1>"
);%>
<
/BODY
>
<
/HTML
>
EOF
|
访问http://your-ip:8080/test.jsp,应该能看到hello world
查看日志,没有发现异常
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
# cat /var/log/tomcat/catalina.out
Sep 02, 2013 10:23:04 PM org.apache.coyote.http11.Http11NioProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
Sep 02, 2013 10:23:04 PM org.apache.coyote.ajp.AjpAprProtocol pause
INFO: Pausing Coyote AJP/1.3 on ajp-8009
Sep 02, 2013 10:23:05 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Sep 02, 2013 10:23:05 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextDestroyed()
Sep 02, 2013 10:23:05 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextDestroyed()
Sep 02, 2013 10:23:05 PM org.apache.coyote.http11.Http11NioProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Sep 02, 2013 10:23:06 PM org.apache.coyote.ajp.AjpAprProtocol destroy
INFO: Stopping Coyote AJP/1.3 on ajp-8009
Sep 02, 2013 10:23:08 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
Sep 02, 2013 10:23:08 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Sep 02, 2013 10:23:08 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Sep 02, 2013 10:23:08 PM org.apache.coyote.http11.Http11NioProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 02, 2013 10:23:08 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Sep 02, 2013 10:23:08 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 827 ms
Sep 02, 2013 10:23:08 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Sep 02, 2013 10:23:08 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Sep 02, 2013 10:23:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Sep 02, 2013 10:23:09 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Sep 02, 2013 10:23:09 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Sep 02, 2013 10:23:09 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Sep 02, 2013 10:23:10 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Sep 02, 2013 10:23:10 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Sep 02, 2013 10:23:10 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory sample
Sep 02, 2013 10:23:10 PM org.apache.coyote.http11.Http11NioProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Sep 02, 2013 10:23:10 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Sep 02, 2013 10:23:10 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1350 ms
|
网上有很多教程修改tomcat的监听端口,有些误人子弟。修改端口分为两种情况。
1)高位端口(1024以上),这里以8088为例。
编辑文件/etc/tomcat/server.xml,将下列文本内容中的8080改为8088即可
|
1
2
3
|
<Connector port=
"8080"
protocol=
"HTTP/1.1"
connectionTimeout=
"20000"
redirectPort=
"8443"
/>
|
2)低位端口
如果想让tomcat监听在1024以下的端口,比如80,如果你按照上面的方法修改成功了,几乎可以证明,你在用特权用户(root)身份运行tomcat 。这犯了安全大忌。
这个时候需要曲线救国,可以让iptables帮忙将80端口的请求重定向到本机的8080端口。
|
1
|
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
|
另一种更流行的方法是在tomcat前端加上nginx反向代理,或者叫tomcat的负载均衡集群,nginx额外还可以缓存静态文件,做动静分离。
示例配置文件/etc/nginx/conf.d/tomcat.conf,内容如下。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
proxy_cache_path
/var/cache/nginx/proxy_cache
levels=1:2 keys_zone=static:10m inactive=1d max_size=1g;
upstream tomcat {
server 127.0.0.1:8080;
keepalive 16;
}
server {
listen 80;
server_name tomcat.example.com;
charset utf-8;
access_log
/var/log/nginx/tomcat
.access.log main;
root
/usr/share/nginx/html
;
index index.html index.htm index.jsp;
location / {
proxy_pass http:
//tomcat
;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_http_version 1.1;
proxy_set_header Connection
""
;
}
location ~* ^.+\.(js|css|ico|gif|jpg|jpeg|png|html|htm)$ {
proxy_pass http:
//tomcat
;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_http_version 1.1;
proxy_set_header Connection
""
;
proxy_cache static;
proxy_cache_key $host$uri$is_args$args;
proxy_cache_valid 200 302 1d;
proxy_cache_valid 404 1m;
proxy_cache_valid any 1h;
add_header X-Cache $upstream_cache_status;
expires 7d;
}
location ~ /\.ht {
deny all;
}
}
|
反向代理的“坏处”是tomcat无法正确获得客户端地址,需要修改tomcat配置文件server.xml的日志配置
|
1
2
3
4
5
6
7
8
|
<
Valve
className
=
"org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader
=
"x-forwarded-for"
proxiesHeader
=
"x-forwarded-by"
protocolHeader
=
"x-forwarded-proto"
/>
<
Valve
className
=
"org.apache.catalina.valves.AccessLogValve"
directory
=
"logs"
prefix
=
"tomcat8082_access_log."
suffix
=
".txt"
pattern
=
"%h %l %u %t "%r" %s %b"
/>
|
有时候,我们想给tomcat多开几个实例,每个实例监听不同的端口,其实tomcat配置文件支持多端口,也就是多加几个<Service>段,尽管与多实例有些区别,但效果上和多实例相同。
示例:
|
1
2
3
4
|
mkdir
-p
/usr/share/tomcat/webapps8081/ROOT
mkdir
-p
/usr/share/tomcat/webapps8082/ROOT
mkdir
-p
/etc/tomcat/Catalina
chown
-R tomcat:tomcat
/etc/tomcat/Catalina
|
(tomcat 分别监听8080,8081,8082三个端口 ,配置文件/etc/tomcat/server.xml,注意字段 Service name 、Connect port、defaulthost、Host name、appBase)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
<?
xml
version
=
'1.0'
encoding
=
'utf-8'
?>
<
Server
port
=
"8005"
shutdown
=
"SHUTDOWN"
>
<
Listener
className
=
"org.apache.catalina.core.AprLifecycleListener"
SSLEngine
=
"on"
/>
<
Listener
className
=
"org.apache.catalina.core.JasperListener"
/>
<
Listener
className
=
"org.apache.catalina.core.JreMemoryLeakPreventionListener"
/>
<
Listener
className
=
"org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
/>
<
Listener
className
=
"org.apache.catalina.core.ThreadLocalLeakPreventionListener"
/>
<
GlobalNamingResources
>
<
Resource
name
=
"UserDatabase"
auth
=
"Container"
type
=
"org.apache.catalina.UserDatabase"
description
=
"User database that can be updated and saved"
factory
=
"org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname
=
"conf/tomcat-users.xml"
/>
</
GlobalNamingResources
>
<
Service
name
=
"Catalina"
>
<
Connector
port
=
"8080"
protocol
=
"HTTP/1.1"
maxThreads
=
"300"
minSpareThreads
=
"15"
connectionTimeout
=
"20000"
enableLookups
=
"false"
redirectPort
=
"8443"
URIEncoding
=
"UTF-8"
/>
<
Engine
name
=
"Catalina"
defaultHost
=
"localhost"
>
<
Realm
className
=
"org.apache.catalina.realm.LockOutRealm"
>
<
Realm
className
=
"org.apache.catalina.realm.UserDatabaseRealm"
resourceName
=
"UserDatabase"
/>
</
Realm
>
<
Host
name
=
"localhost"
appBase
=
"webapps"
unpackWARs
=
"true"
autoDeploy
=
"true"
>
<
Valve
className
=
"org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader
=
"x-forwarded-for"
proxiesHeader
=
"x-forwarded-by"
protocolHeader
=
"x-forwarded-proto"
/>
<
Valve
className
=
"org.apache.catalina.valves.AccessLogValve"
directory
=
"logs"
prefix
=
"localhost_access_log."
suffix
=
".txt"
pattern
=
"%h %l %u %t "%r" %s %b"
/>
</
Host
>
</
Engine
>
</
Service
>
<
Service
name
=
"Catalina8081"
>
<
Connector
port
=
"8081"
protocol
=
"HTTP/1.1"
maxThreads
=
"300"
minSpareThreads
=
"15"
connectionTimeout
=
"20000"
enableLookups
=
"false"
redirectPort
=
"8443"
URIEncoding
=
"UTF-8"
/>
<
Engine
name
=
"Catalina"
defaultHost
=
"tomcat8081"
>
<
Realm
className
=
"org.apache.catalina.realm.LockOutRealm"
>
<
Realm
className
=
"org.apache.catalina.realm.UserDatabaseRealm"
resourceName
=
"UserDatabase"
/>
</
Realm
>
<
Host
name
=
"tomcat8081"
appBase
=
"webapps8081"
unpackWARs
=
"true"
autoDeploy
=
"true"
>
<
Valve
className
=
"org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader
=
"x-forwarded-for"
proxiesHeader
=
"x-forwarded-by"
protocolHeader
=
"x-forwarded-proto"
/>
<
Valve
className
=
"org.apache.catalina.valves.AccessLogValve"
directory
=
"logs"
prefix
=
"tomcat8081_access_log."
suffix
=
".txt"
pattern
=
"%h %l %u %t "%r" %s %b"
/>
</
Host
>
</
Engine
>
</
Service
>
<
Service
name
=
"Catalina8082"
>
<
Connector
port
=
"8082"
protocol
=
"HTTP/1.1"
maxThreads
=
"300"
minSpareThreads
=
"15"
connectionTimeout
=
"20000"
enableLookups
=
"false"
redirectPort
=
"8443"
URIEncoding
=
"UTF-8"
/>
<
Engine
name
=
"Catalina"
defaultHost
=
"tomcat8082"
>
<
Realm
className
=
"org.apache.catalina.realm.LockOutRealm"
>
<
Realm
className
=
"org.apache.catalina.realm.UserDatabaseRealm"
resourceName
=
"UserDatabase"
/>
</
Realm
>
<
Host
name
=
"tomcat8082"
appBase
=
"webapps8082"
unpackWARs
=
"true"
autoDeploy
=
"true"
>
<
Valve
className
=
"org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader
=
"x-forwarded-for"
proxiesHeader
=
"x-forwarded-by"
protocolHeader
=
"x-forwarded-proto"
/>
<
Valve
className
=
"org.apache.catalina.valves.AccessLogValve"
directory
=
"logs"
prefix
=
"tomcat8082_access_log."
suffix
=
".txt"
pattern
=
"%h %l %u %t "%r" %s %b"
/>
</
Host
>
</
Engine
>
</
Service
>
</
Server
>
|
tomcat目录下有upload目录,想要和程序分离?
解决方法,修改server.xml
添加一行
|
1
2
3
4
|
<
Host
......
<Context
docBase
=
"/data/upload"
path
=
"/upload"
/>
</
Host
>
|
想要监控tomcat ? 你得开启jmx 功能
1、给tomcat添加jmx支持
|
1
2
|
cd
/usr/share/tomcat/libs
wget http:
//mirrors
.ustc.edu.cn
/apache/tomcat/tomcat-7/v7
.0.64
/bin/extras/catalina-jmx-remote
.jar
|
2、给tomcat增加启动参数,修改/etc/tomcat6/tomcat.conf
|
1
|
JAVA_OPTS=-Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.ssl=
false
-Dcom.sun.management.jmxremote.authenticate=
true
|
3、nagios jmx 插件
https://exchange.nagios.org/directory/Plugins/Java-Applications-and-Servers/check_jmx/details
(未完待续)
更新20150911
1、由tomcat6更新为tomcat7
2、添加nginx反向代理内容
更新20161018
1、添加程序与上传文件的分离
本文转自 紫色葡萄 51CTO博客,原文链接:http://blog.51cto.com/purplegrape/932811,如需转载请自行联系原作者
