Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation [2019/02/19 12:43]
urbanl Modified tomcat.service - added PID file location
tutorial:adm:server_preparation [2019/11/26 09:00]
fiserp [Tomcat]
Line 23: Line 23:
 yum update -y yum update -y
 # other recommended packages installation # other recommended packages installation
-yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet+yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet policycoreutils-python
 # enable haveged after OS start # enable haveged after OS start
 systemctl start haveged.service systemctl start haveged.service
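Review bot: on the ''yum install'' line, ''policycoreutils-python'' is appended with no comment saying what needs it. It is the CentOS 7 package that ships ''semanage'', so add a one-line comment that it is there for the SELinux label adjustments later in the guide, and note that this line is CentOS-only, since the guide also covers Debian.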
Line 197: Line 197:
  
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
-===== Java - CentOS7 ===== 
- 
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. 
- 
-Installation: 
-<code bash> 
-yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel 
-</code> 
- 
-Then create the file ''/etc/profile.d/java.sh'' with following: 
-<file bash java.sh> 
-[ -d /usr/lib/jvm/java-openjdk ] && export JAVA_HOME=/usr/lib/jvm/java-openjdk 
-</file> 
- 
-===== Java - Debian ===== 
- 
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. 
- 
-Installation: 
-<code bash> 
-apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless 
-</code> 
- 
-Then create the file ''/etc/profile.d/java.sh'' with following: 
-<file bash java.sh> 
-[ -d /usr/lib/jvm/java-1.8.0-openjdk-amd64 ] && export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64 
-</file> 
  
 ===== Tomcat ===== ===== Tomcat =====
  
-  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd): +<note warning>This version of Tomcat install guide is suspected not to work properly with newer versions of IdM (we are currently investigating the issue). Please use [[https://wiki.czechidm.com/tutorial/adm/server_preparation?rev=1550580216|this revision]] of the guide to install and configure Tomcat.</note>
- +
-<code> +
-groupadd -r tomcat +
-useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat +
-getent passwd tomcat +
-tomcat:x:995:993::/opt/tomcat:/bin/nologin +
-</code> +
- +
-  * change working directory into /opt/tomcat+
  
 +Installation - CentOS7:
 <code bash> <code bash>
-mkdir /opt/tomcat +yum install -y tomcat java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel
-cd /opt/tomcat+
 </code> </code>
  
-  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to **/opt/tomcat/** +Installation Debian:
-    * In our exapmle the version is 8.5.8. +
- +
-  * extract files from archive: +
 <code bash> <code bash>
-tar xzf apache-tomcat-8.5.8.tar.gz+apt install -y tomcat8
 </code> </code>
  
-  * create a new symbolic link to current user version (we presume there may be more versions at the server in future due to upgrades/updates) 
  
-<code bash> +==== Start Tomcat automatically after system startup CentOS ==== 
-cd /opt/tomcat +  
-ln -s apache-tomcat-8.5.8 current +
-</code>+
  
-  * Set rights on files for tomcat user (still working under root):+  * Make some adjustments to systemd unit.
  
 <code bash> <code bash>
-chown -R root:root /opt/tomcat +systemctl edit tomcat.service
-chown root:tomcat /opt/tomcat +
-chmod 750 /opt/tomcat +
-cd /opt/tomcat/current +
-chmod o+rX -R .+
-chgrp -R tomcat conf/ bin/ lib/ +
-chmod g+rwx conf +
-chmod g+r conf/* +
-chown -R tomcat webapps/ work/ temp/ logs/+
 </code> </code>
- +Or if you want use diferent editor than nanovimuse this comands:
- +
-==== Start Tomcat automatically after system startup ==== +
- +
-  * Create startup script (systemd unit), in which we also set the basic JVM parameters: +
 <code bash> <code bash>
-vim /etc/systemd/system/tomcat.service+export SYSTEMD_EDITOR="/bin/vim" 
 +sudo -E  systemctl edit tomcat.service
 </code> </code>
 +  * Add these lines and save the file:
  
-  * File content of ''/etc/systemd/system/tomcat.service'': +<code>
- +
-<file ini tomcat.service> +
-# Systemd unit file for tomcat +
-[Unit] +
-Description=Apache Tomcat Web Application Container +
-After=syslog.target network.target +
 [Service] [Service]
-Type=forking +SyslogFacility=local3
- +
-PIDFile=/opt/tomcat/current/temp/tomcat.pid +
- +
-Environment=JAVA_HOME=/usr/lib/jvm/java-openjdk +
-Environment=CATALINA_PID=/opt/tomcat/current/temp/tomcat.pid +
-Environment=CATALINA_HOME=/opt/tomcat/current +
-Environment=CATALINA_BASE=/opt/tomcat/current+
 Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC' Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
 Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'
- +</code>
-ExecStart=/opt/tomcat/current/bin/startup.sh +
-ExecStop=/opt/tomcat/current/bin/shutdown.sh +
- +
-User=tomcat +
-Group=tomcat +
- +
-[Install] +
-WantedBy=multi-user.target +
-</file>+
  
   * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more.   * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more.
- +  * Tomcat will be started under user tomcat:tomcat.
-  * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''+
-  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''.+
   * After every systemd configuration change it is necessary to reload:   * After every systemd configuration change it is necessary to reload:
  
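Review bot: the removed block that set ownership and modes under ''/opt/tomcat'' (''chown -R root:root /opt/tomcat'', ''chmod 750 /opt/tomcat'', tomcat ownership of only ''webapps/ work/ temp/ logs/'') has no counterpart in the packaged install, so the guide no longer states which directories the service account may write to. Add a sentence saying the package defaults are relied on, or a step that checks them. In the new drop-in, ''SyslogFacility=local3'' needs a line explaining that the rsyslog rule added further down matches on that facility, and the sentence before the ''SYSTEMD_EDITOR'' block is garbled (''nanovimuse this comands'').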
Line 329: Line 250:
 [root@tomcat1 logs]# ps -u tomcat -fwww [root@tomcat1 logs]# ps -u tomcat -fwww
 UID        PID  PPID  C STIME TTY          TIME CMD UID        PID  PPID  C STIME TTY          TIME CMD
-tomcat    1602     1  1 09:44 ?        00:00:02 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start+tomcat   14221     1  0 10:17 ?        00:00:03 /usr/lib/jvm/jre/bin/java -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
 </code> </code>
   * Stop Apache Tomcat:   * Stop Apache Tomcat:
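Review bot: the replacement ''ps'' sample no longer shows ''-Djdk.tls.ephemeralDHKeySize=2048'' or ''-Djava.protocol.handler.pkgs=org.apache.catalina.webresources'', both present in the removed line. If that is expected for the packaged Tomcat, say so next to the sample; if the DH key size setting is still wanted, add it to ''JAVA_OPTS'' in the drop-in so the reader's output matches the guide.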
Line 339: Line 260:
 systemctl enable tomcat systemctl enable tomcat
 </code> </code>
 +==== Start Tomcat automatically after system startup - Debian ====
  
-==== Apache Tomcat configuration ====+  * In file ''/etc/default/tomcat8'' set the basic JVM parameters. If they are there already, change them.
  
-=== Interface Management ===+<file ini tomcat8>
  
-Apache Tomcat offers two applications for tomcat management available at:+CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC" 
 +JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8"
  
-  * http://localhost:8080/manager 
-  * http://localhost:8080/host-manager 
- 
-If you want to use them, it is necessary to do following steps. 
- 
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. 
- 
-Create user like this: 
- 
-Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui". 
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access 
- 
-The file ''/opt/tomcat/current/conf/tomcat-users.xml'' looks like this: 
-<file xml tomcat-users.xml> 
-<?xml version="1.0" encoding="UTF-8"?> 
-<tomcat-users xmlns="http://tomcat.apache.org/xml" 
-              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" 
-              version="1.0"> 
-  <role rolename="manager-script"/> 
-  <role rolename="manager-gui"/> 
-  <role rolename="manager-jmx"/> 
-  <role rolename="manager-status"/> 
-  <role rolename="admin-gui"/> 
-  <user username="admin" password="*****store it somewhere safe*****" roles="manager-gui,manager-status,admin-gui"/> 
-</tomcat-users> 
 </file> </file>
  
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IPIf you see ''403 Access Denied'' it might be you did not do this setting.+  * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. 
 +  * Tomcat will be started under user ''tomcat8:tomcat8''. 
 +  * Test start:
  
-Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add net mask for your IP (both files should have the same content):+<code>
  
-In my case, I want to access to Tomcat management from network 192.168.0.0/24:+systemctl start tomcat8
  
-<file xml context.xml> +</code
-<?xml version="1.0" encoding="UTF-8"?> +  * Check that Tomcat runs with desirable parameters:
-<Context antiResourceLocking="false" privileged="true" +
-  <Valve className="org.apache.catalina.valves.RemoteAddrValve" +
-         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+" /> +
-</Context> +
-</file> +
- +
-Again, restart the tomcat:+
 <code bash> <code bash>
-systemctl restart tomcat+[root@tomcat1 logs]# ps -u tomcat8 -fwww 
 +UID        PID  PPID  C STIME TTY          TIME CMD 
 +tomcat8    742      0 13:20 ?        00:00:03 /usr/lib/jvm/java-8-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat8 -Dcatalina.home=/usr/share/tomcat8 -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp org.apache.catalina.startup.Bootstrap start
 </code> </code>
- +  * Stop Apache Tomcat: 
-===  Apache Tomcat configuration recommended for production usage === +<code> 
- +systemctl stop tomcat8 
-It is advised to follow these steps for production usage: +</code> 
- +  * Enable tomcat start after OS start:
-  * Remove unnecessary aplications that comes with Tomcat: +
 <code bash> <code bash>
-rm -rf /opt/tomcat/current/webapps/{examples,docs,ROOT,host-manager,manager}+systemctl enable tomcat8
 </code> </code>
 +====  Apache Tomcat configuration recommended for production usage ====
  
 +It is advised to follow these steps for production usage:
 + 
 +- In file ''/etc/tomcat/server.xml''( ''/etc/tomcat8/server.xml'' on debian)
   * Turn off the shutdown port:   * Turn off the shutdown port:
-    In the config file ''/opt/tomcat/current/conf/server.xml'' set value -1 from 8005 to the Server port tag, thus you deactivate it:+     Set value -1 from 8005 to the Server port tag, thus you deactivate it:
  
 <code xml> <code xml>
 <Server port="-1" shutdown="SHUTDOWN"> <Server port="-1" shutdown="SHUTDOWN">
 </code> </code>
 +
 +- In same file do this:
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
-    In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports.+       Add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports. 
 +       * On tomcat 7 add ''URIEncoding="UTF-8""'' property to configuration of ''8009'' and ''8080'' ports. 
 +       * In Debian you need to uncoment AJP conector on port ''8009''
 +  * Change logging into ''localhost\_access\_log''
 +    * Find these lines and comment them. 
 + 
 +<code xml> 
 +<!-- 
 +<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" 
 +               prefix="localhost_access_log." suffix=".txt" 
 +               pattern="%h %l %u %t &quot;%r&quot; %s %b" /> 
 +--> 
 +</code> 
 +And add these lines: 
 +<code xml> 
 +<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" 
 +               prefix="localhost_access_log." suffix="log" 
 +               pattern="%h %l %u %t &quot;%r&quot; %s %b" 
 +               rotatable="false" /> 
 +</code>
  
 +-  In the file ''/etc/tomcat/web.xml''( ''/etc/tomcat8/web.xml'' on debian)
   * Do not show aplication server version:   * Do not show aplication server version:
-    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true):+    * Set showServerInfo to false (default is true):
  
 <code xml> <code xml>
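Review bot: the production checklist drops the step ''rm -rf /opt/tomcat/current/webapps/{examples,docs,ROOT,host-manager,manager}'' without a replacement, so nothing tells the reader to confirm that the example, docs and manager applications are absent from a packaged install. Add that check for both distributions. In the Tomcat 7 bullet, ''URIEncoding="UTF-8""'' has a stray closing quote that will be copied into ''server.xml'' as written.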
Line 433: Line 351:
         <load-on-startup>1</load-on-startup>         <load-on-startup>1</load-on-startup>
     </servlet>     </servlet>
 +</code>
 +We need to tell Tomcat where idm.war will be. Create context file ''/etc/tomcat/Catalina/localhost/idm.xml''( ''/etc/tomcat8/Catalina/localhost/idm.xml'' on debian) with these lines:
 +<code xml>
 +<Context
 + docBase="/opt/czechidm/app/idm.war"
 + path=""
 +/>
 +</code>
 +==== Tomcat loging configuration ====
 +- in file ''/etc/tomcat/logging.properties''( ''/etc/tomcat8/logging.properties'' on debian)
 +  * Change logging properties
 +    * Add/change lines( 1catalina, 2localhost, 3manager, 4host-manager) into this(leave the other lines as they are):
 +
 +<code>
 +1catalina.org.apache.juli.FileHandler.level = ALL
 +1catalina.org.apache.juli.FileHandler.prefix = tomcat.
 +1catalina.org.apache.juli.FileHandler.rotatable = false
 +1catalina.org.apache.juli.FileHandler.suffix = log
 +
 +2localhost.org.apache.juli.FileHandler.rotatable = false
 +2localhost.org.apache.juli.FileHandler.suffix = log
 +
 +3manager.org.apache.juli.FileHandler.rotatable = false
 +3manager.org.apache.juli.FileHandler.suffix = log
 +
 +4host-manager.org.apache.juli.FileHandler.rotatable = false
 +4host-manager.org.apache.juli.FileHandler.suffix = log
 +</code>
 +
 +On Debian make these extra changes:
 +<code>
 +handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler
 +#, java.util.logging.ConsoleHandler
 +
 +.handlers = 1catalina.org.apache.juli.FileHandler
 +#, java.util.logging.ConsoleHandler
 +
 +############################################################
 +# Handler specific properties.
 +############################################################
 +
 +3manager.org.apache.juli.FileHandler.level = FINE
 +3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
 +3manager.org.apache.juli.FileHandler.prefix = manager.
 +
 +4host-manager.org.apache.juli.FileHandler.level = FINE
 +4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
 +4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
 +
 +#java.util.logging.ConsoleHandler.level = FINE
 +#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
 +
 +############################################################
 +# Facility specific properties.
 +############################################################
 +
 +org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
 +org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
 +
 +org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
 +org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
 +
 +</code>
 +
 +
 +
 +On CentOS for redirect logging from /var/log/messages. Add this rule into ''/etc/rsyslog.d/tomcat.conf'' file.
 +<code>
 +### tomcat log
 +$template TomcatForm,"%msg%\n"
 +if ($syslogfacility-text == 'local3' and  $syslogtag contains "server") then{
 +        action(type="omfile" file="/var/log/tomcat/catalina.out" FileCreateMode="0644" fileOwner="tomcat" fileGroup="tomcat" template="TomcatForm" )
 +        & stop
 +}
 +</code>
 +Then restart rsyslog
 +<code>
 +systemctl restart rsyslog
 </code> </code>
  
-=== Rotating Tomcat logs === +==== Rotating Tomcat logs ==== 
-Default Tomcat logger appneds to the logfile, it is therefore safe to use simple ''logrotate'' configurationSave following as ''/etc/logrotate.d/tomcat''adjust log retention (the ''rotate COUNT'') as necessary.+Tomcat logger appneds to the logfile at ''/var/log/tomcat/''Tomcat also sets up logrotate at ''/etc/logrotate.d/tomcat''. Change logrotate file into following and adjust log retention (the ''COUNT'') as necessary - for production deployments we recommend at least 90 days.
 <file txt tomcat> <file txt tomcat>
-/opt/tomcat/current/logs/catalina.out +/var/log/tomcat/tomcat.log 
- rotate 7+/var/log/tomcat/manager.log 
 +/var/log/tomcat/localhost_access_log.log 
 +/var/log/tomcat/localhost.log 
 +/var/log/tomcat/host-manager.log
 + rotate COUNT
  daily  daily
  dateext  dateext
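Review bot: in the rsyslog rule, ''FileCreateMode="0644"'' makes ''/var/log/tomcat/catalina.out'' world-readable; for the server output of an identity manager, ''0640'' with ''fileGroup="tomcat"'' is the safer default unless another local account has to read it. In the new ''idm.xml'', ''path=""'' should be dropped: Tomcat takes the context path of a descriptor under ''Catalina/localhost/'' from the file name, so this file deploys at ''/idm'' whatever ''path'' says.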
Line 446: Line 446:
  notifempty  notifempty
  compress  compress
 + create 0644 tomcat tomcat
 +}
 +/var/log/tomcat/catalina.out
 +{
 +        rotate COUNT
 +        daily
 +        dateext
 +        copytruncate
 +        missingok
 +        notifempty
 +        compress
 +        create 0644 tomcat tomcat
 +        sharedscripts
 +        postrotate
 +        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
 +         endscript
 +}
 +</file>
 +On **Debian** logs are in ''/var/log/tomcat8/'' and logrotate config is in ''/etc/logrotate.d/tomcat8''.
 +<file txt tomcat8>
 +/var/log/tomcat8/tomcat.log
 +/var/log/tomcat8/manager.log
 +/var/log/tomcat8/localhost_access_log.log
 +/var/log/tomcat8/localhost.log
 +/var/log/tomcat8/host-manager.log
 +/var/log/tomcat8/catalina.out {
 +        rotate COUNT
 +        daily
 +        dateext
 +        copytruncate
 +        missingok
 +        notifempty
 +        compress
 +        create 0644 tomcat8 tomcat8
 } }
 </file> </file>
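Review bot: the ''/var/log/tomcat/catalina.out'' stanza and the Debian stanza combine ''copytruncate'' with ''create 0644 ...''; logrotate ignores ''create'' when ''copytruncate'' is in effect because the original file stays in place, so one of the two directives should go. Where ''create'' is meant to take effect, consider ''0640'' instead of ''0644'' so that rotated logs are not world-readable.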
Line 463: Line 497:
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note> </note>
 +Please note that the log does not rotate during the first day, but after the second day.
 +==== Optional - Management Interface for Tomcat====
  
-Please note that on Debian, the log is not rotate during the first day, but after the second day.+If you installed two additional applications for tomcat management follow this part to complete tomcat configuration.
  
 +These applications are available at:
 +
 +  * http://localhost:8080/manager
 +  * http://localhost:8080/host-manager
 +
 +If you want to use them, it is necessary to do following steps.
 +
 +First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
 +
 +Create user like this:
 +
 +Create the a new user in the file  ''/etc/tomcat/tomcat-users.xml''( on Debian ''/etc/tomcat8/tomcat-users.xml'') and assign him roles "manager-gui" and "admin-gui".
 +The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
 +
 +The file ''/etc/tomcat/tomcat-users.xml''( on Debian ''/etc/tomcat8/tomcat-users.xml'') looks like this:
 +<file xml tomcat-users.xml>
 +<?xml version="1.0" encoding="UTF-8"?>
 +<tomcat-users xmlns="http://tomcat.apache.org/xml"
 +              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 +              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
 +              version="1.0">
 +  <role rolename="manager-script"/>
 +  <role rolename="manager-gui"/>
 +  <role rolename="manager-jmx"/>
 +  <role rolename="manager-status"/>
 +  <role rolename="admin-gui"/>
 +  <user username="admin" password="*****store it somewhere safe*****" roles="manager-gui,manager-status,admin-gui"/>
 +</tomcat-users>
 +</file>
 +
 +If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''403 Access Denied'' it might be you did not do this setting.
 +
 +Add your IP address into application configuration files. In files ''/var/lib/tomcat/webapps/manager/META-INF/context.xml'' and ''/var/lib/tomcat/webapps/host-manager/META-INF/context.xml''( on Debian ''/var/lib/tomcat8/webapps/...'' add net mask for your IP (both files should have the same content):
 +
 +In my case, I want to access to Tomcat management from network 192.168.0.0/24:
 +
 +<file xml context.xml>
 +<?xml version="1.0" encoding="UTF-8"?>
 +<Context antiResourceLocking="false" privileged="true" >
 +  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
 +         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+" />
 +</Context>
 +</file>
 +
 +Again, restart the tomcat:
 +<code bash>
 +service tomcat8 restart
 +</code>
 ====== Apache httpd as a reverse proxy ====== ====== Apache httpd as a reverse proxy ======
  
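Review bot: the ''RemoteAddrValve'' sample does not match the sentence above it: the text says access is wanted from ''192.168.0.0/24'', but ''192\.168\.\d+\.\d+'' admits every 192.168.x.x address. Use ''192\.168\.0\.\d+'' in the ''allow'' pattern, or change the sentence to name the /16. The closing ''service tomcat8 restart'' is the Debian service name only, although the paths in this section cover both distributions, and "create a database user" should read Tomcat user, since the account is defined in ''tomcat-users.xml''.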
Line 711: Line 795:
         AddOutputFilterByType DEFLATE text/plain         AddOutputFilterByType DEFLATE text/plain
         AddOutputFilterByType DEFLATE text/xml         AddOutputFilterByType DEFLATE text/xml
 +        AddOutputFilterByType DEFLATE application/json
 +        AddOutputFilterByType DEFLATE application/hal+json
  
         # Remove browser bugs (only needed for really old browsers)         # Remove browser bugs (only needed for really old browsers)
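Review bot: the two added ''AddOutputFilterByType DEFLATE'' lines enable compression for ''application/json'' and ''application/hal+json'' with no note on the trade-off. Compressing TLS-served responses that carry both secrets and request-controlled data is the condition for BREACH-style length side channels, so add a sentence stating whether the API responses were assessed for that, or keep compression limited to static content types.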
Line 787: Line 873:
 } }
 </code> </code>
 +
  • by koulaj