Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation [2019/06/10 13:13] urbanl old revision restored (2019/04/12 10:38)
tutorial:adm:server_preparation [2020/01/13 13:32] urbanl Revision of the Tomcat installation guide back to manual installation of Tomcat 8
Line 23: | Line 23: | ||
yum update -y | yum update -y | ||
# other recommended packages installation | # other recommended packages installation | ||
- | yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet | + | yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
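Review bot: the comment ''# enable haveged after OS start'' at L12 does not match the command under it; ''systemctl start haveged.service'' only starts the daemon for the current boot and it will not be back after a reboot, so use ''systemctl enable --now haveged.service'' (or add a separate ''systemctl enable haveged.service''). The package list at L11 also installs ''nmap'' and ''telnet'' on what is meant to be a production application server; both are reconnaissance tools an attacker who lands on the box would be glad to find, so either drop them or state that they are for the build phase only. The ''-'' and ''+'' versions of L11 are otherwise identical, so the change recorded in this hunk appears to be whitespace only.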
Line 197: | Line 197: | ||
< | < | ||
+ | |||
+ | ===== Java - CentOS7 ===== | ||
+ | |||
+ | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | ||
+ | |||
+ | Installation: | ||
+ | <code bash> | ||
+ | yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel | ||
+ | </ | ||
+ | |||
+ | Then create the file ''/ | ||
+ | <file bash java.sh> | ||
+ | [ -d / | ||
+ | </ | ||
+ | |||
+ | ===== Java - Debian ===== | ||
+ | |||
+ | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | ||
+ | |||
+ | Installation: | ||
+ | <code bash> | ||
+ | apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless | ||
+ | </ | ||
+ | |||
+ | Then create the file ''/ | ||
+ | <file bash java.sh> | ||
+ | [ -d / | ||
+ | </ | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
- | Installation | + | * Create a new group and add user for the tomcat to run under (for Debian, use / |
+ | |||
+ | < | ||
+ | groupadd | ||
+ | useradd -r -s / | ||
+ | getent passwd tomcat | ||
+ | tomcat: | ||
+ | </ | ||
+ | |||
+ | * change working directory into / | ||
<code bash> | <code bash> | ||
- | yum install -y tomcat | + | mkdir / |
+ | cd /opt/tomcat | ||
</ | </ | ||
- | Installation | + | * Download Apache Tomcat 8.5.x from the website [[https:// |
+ | * In our exapmle the version is 8.5.8. | ||
+ | |||
+ | * extract files from archive: | ||
<code bash> | <code bash> | ||
- | apt install | + | tar xzf apache-tomcat-8.5.8.tar.gz |
</ | </ | ||
+ | * create a new symbolic link to current user version (we presume there may be more versions at the server in future due to upgrades/ | ||
- | ==== Start Tomcat automatically after system startup | + | <code bash> |
- | + | cd / | |
+ | ln -s apache-tomcat-8.5.8 current | ||
+ | </ | ||
- | * Make some adjustments to systemd unit. | + | * Set rights on files for tomcat user (still working under root): |
<code bash> | <code bash> | ||
- | systemctl edit tomcat.service | + | chown -R root:root /opt/tomcat |
+ | chown root:tomcat / | ||
+ | chmod 750 / | ||
+ | cd / | ||
+ | chmod o+rX -R ./ | ||
+ | chgrp -R tomcat conf/ bin/ lib/ | ||
+ | chmod g+rwx conf | ||
+ | chmod g+r conf/* | ||
+ | chown -R tomcat webapps/ work/ temp/ logs/ | ||
</ | </ | ||
- | Or if you want use diferent editor than nano( vim) use this comands: | + | |
+ | |||
+ | ==== Start Tomcat automatically after system startup ==== | ||
+ | |||
+ | * Create startup script | ||
<code bash> | <code bash> | ||
- | export SYSTEMD_EDITOR=" | + | vim /etc/ |
- | sudo -E systemctl edit tomcat.service | + | |
</ | </ | ||
- | * Add these lines and save the file: | ||
- | <code> | + | * File content of ''/ |
+ | |||
+ | <file ini tomcat.service> | ||
+ | # Systemd unit file for tomcat | ||
+ | [Unit] | ||
+ | Description=Apache Tomcat Web Application Container | ||
+ | After=syslog.target network.target | ||
[Service] | [Service] | ||
- | SyslogFacility=local3 | + | Type=forking |
+ | |||
+ | PIDFile=/ | ||
+ | |||
+ | Environment=JAVA_HOME=/ | ||
+ | Environment=CATALINA_PID=/ | ||
+ | Environment=CATALINA_HOME=/ | ||
+ | Environment=CATALINA_BASE=/ | ||
Environment=' | Environment=' | ||
Environment=' | Environment=' | ||
- | </code> | + | |
+ | ExecStart=/ | ||
+ | ExecStop=/ | ||
+ | |||
+ | User=tomcat | ||
+ | Group=tomcat | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </file> | ||
* Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | ||
- | | + | |
+ | | ||
+ | * For Debian, change the JAVA\_HOME to '' | ||
* After every systemd configuration change it is necessary to reload: | * After every systemd configuration change it is necessary to reload: | ||
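Review bot: the permission block at L73-L81 leaves the Tomcat user with more write access than a manual install needs. ''chmod g+rwx conf'' makes the conf directory writable by the tomcat group, so a compromised web application running as ''tomcat'' can create, delete or rename files in conf/ (including dropping its own context descriptor there); unless automatic context deployment is relied on, keep conf at ''g+rx'' with the files group-readable, and if a writable subdirectory is needed, grant it on that subdirectory only. Likewise ''chown -R tomcat webapps/'' lets the same process deploy new applications, which is required only if the manager application's deploy function is used; otherwise webapps/ should stay root-owned with write access limited to the directories the application itself needs. The download step at L59-L64 extracts ''apache-tomcat-8.5.8.tar.gz'' with no integrity check; the Apache download page publishes checksums and PGP signatures, so add a verification step before ''tar xzf'', and since 8.5.8 dates from 2016 and has been superseded by many later 8.5.x security releases, the text should point at the current 8.5.x release rather than pin the example version. In the unit file, ''After=syslog.target'' is a no-op on current systemd; dropping it and adding ''NoNewPrivileges=true'' and ''PrivateTmp=true'' under [Service] is a cheap hardening for a service that already runs as an unprivileged user. Finally, 'exapmle' at L60 is a typo.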
Line 248: | Line 330: | ||
[root@tomcat1 logs]# ps -u tomcat -fwww | [root@tomcat1 logs]# ps -u tomcat -fwww | ||
UID PID PPID C STIME TTY TIME CMD | UID PID PPID C STIME TTY TIME CMD | ||
- | tomcat | + | tomcat |
</ | </ | ||
* Stop Apache Tomcat: | * Stop Apache Tomcat: | ||
Line 258: | Line 340: | ||
systemctl enable tomcat | systemctl enable tomcat | ||
</ | </ | ||
- | ==== Start Tomcat automatically after system startup - Debian ==== | ||
- | * In file ''/ | + | ==== Apache Tomcat configuration ==== |
- | <file ini tomcat8> | + | === Interface Management === |
- | CATALINA_OPTS=" | + | Apache Tomcat offers two applications for tomcat management available at: |
- | JAVA_OPTS=" | + | |
+ | * http://localhost: | ||
+ | * http:// | ||
+ | |||
+ | If you want to use them, it is necessary to do following steps. | ||
+ | First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | ||
+ | |||
+ | Create user like this: | ||
+ | |||
+ | Create the a new user in the file ''/ | ||
+ | The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | ||
+ | |||
+ | The file ''/ | ||
+ | <file xml tomcat-users.xml> | ||
+ | <?xml version=" | ||
+ | < | ||
+ | xmlns: | ||
+ | xsi: | ||
+ | version=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <user username=" | ||
+ | </ | ||
</ | </ | ||
- | * Values of Xms a Xmx se are closely dependent on server sizing. | + | If you plan to connect to the applications remotely (not only from localhost) |
- | * Tomcat will be started under user '' | + | |
- | * Test start: | + | |
- | < | + | Add your IP address into application configuration files. In files ''/ |
- | systemctl start tomcat8 | + | In my case, I want to access to Tomcat management from network 192.168.0.0/ |
- | </code> | + | <file xml context.xml> |
- | | + | <?xml version=" |
+ | <Context antiResourceLocking=" | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Again, restart the tomcat: | ||
<code bash> | <code bash> | ||
- | [root@tomcat1 logs]# ps -u tomcat8 -fwww | + | systemctl restart |
- | UID PID PPID C STIME TTY TIME CMD | + | |
- | tomcat8 | + | |
</ | </ | ||
- | * Stop Apache Tomcat: | + | |
- | < | + | === |
- | systemctl stop tomcat8 | + | |
- | </ | + | It is advised to follow these steps for production usage: |
- | * Enable tomcat start after OS start: | + | |
+ | * Remove unnecessary aplications that comes with Tomcat: | ||
<code bash> | <code bash> | ||
- | systemctl enable tomcat8 | + | rm -rf / |
</ | </ | ||
- | ==== Apache Tomcat configuration recommended for production usage ==== | ||
- | It is advised to follow these steps for production usage: | ||
- | |||
- | - In file ''/ | ||
* Turn off the shutdown port: | * Turn off the shutdown port: | ||
- | * Set value -1 from 8005 to the Server port tag, thus you deactivate it: | + | |
<code xml> | <code xml> | ||
<Server port=" | <Server port=" | ||
</ | </ | ||
- | |||
- | - In same file do this: | ||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
- | * Add the '' | + | |
- | * In Debian you need to uncoment AJP conector on port '' | + | |
- | * Change logging into '' | + | |
- | * Find these lines and comment them. | + | |
- | + | ||
- | <code xml> | + | |
- | <!-- | + | |
- | <Valve className=" | + | |
- | | + | |
- | | + | |
- | --> | + | |
- | </ | + | |
- | And add these lines: | + | |
- | <code xml> | + | |
- | <Valve className=" | + | |
- | | + | |
- | | + | |
- | | + | |
- | </ | + | |
- | - In the file ''/ | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
- | * Set showServerInfo to false (default is true): | + | * In the file ''/ |
<code xml> | <code xml> | ||
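Review bot: the bullet 'Make Tomcat listen only on localhost' at L205 survives the rewrite, but the sub-bullet that said how (the removed line at L206, which began 'Add the ...') is replaced by an empty line, so the new version names the goal without the step; restore the instruction to put ''address="127.0.0.1"'' on the HTTP Connector in server.xml, and because the page later places Apache httpd in front of Tomcat, say explicitly whether the AJP connector is used at all and bind it the same way if it is. Two documentation points in the management-interface section: L144 and L148 say 'create a database user', but the account is a Tomcat user in tomcat-users.xml and has nothing to do with the database; and the single user at L163 is given all five roles listed at L158-L162. The role names are cut off in this diff, but if they include both manager-gui and manager-script or manager-jmx (or admin-gui together with admin-script), the Tomcat manager documentation advises against combining them on one account because the script and JMX interfaces lack the CSRF protection of the GUI; use separate accounts for browser and scripted access. The ''rm -rf'' at L192 should also name the bundled applications it removes, because the management section above it depends on manager and host-manager still being present.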
Line 348: | Line 434: | ||
< | < | ||
</ | </ | ||
- | </ | ||
- | We need to tell Tomcat where idm.war will be. Create context file ''/ | ||
- | <code xml> | ||
- | <Context | ||
- | docBase="/ | ||
- | path="" | ||
- | /> | ||
- | </ | ||
- | ==== Tomcat loging configuration ==== | ||
- | - in file ''/ | ||
- | * Change logging properties | ||
- | * Add/change lines( 1catalina, 2localhost, 3manager, 4host-manager) into this(leave the other lines as they are): | ||
- | |||
- | < | ||
- | 1catalina.org.apache.juli.FileHandler.level = ALL | ||
- | 1catalina.org.apache.juli.FileHandler.prefix = tomcat. | ||
- | 1catalina.org.apache.juli.FileHandler.rotatable = false | ||
- | 1catalina.org.apache.juli.FileHandler.suffix = log | ||
- | |||
- | 2localhost.org.apache.juli.FileHandler.rotatable = false | ||
- | 2localhost.org.apache.juli.FileHandler.suffix = log | ||
- | |||
- | 3manager.org.apache.juli.FileHandler.rotatable = false | ||
- | 3manager.org.apache.juli.FileHandler.suffix = log | ||
- | |||
- | 4host-manager.org.apache.juli.FileHandler.rotatable = false | ||
- | 4host-manager.org.apache.juli.FileHandler.suffix = log | ||
- | </ | ||
- | |||
- | On Debian make these extra changes: | ||
- | < | ||
- | handlers = 1catalina.org.apache.juli.AsyncFileHandler, | ||
- | #, java.util.logging.ConsoleHandler | ||
- | |||
- | .handlers = 1catalina.org.apache.juli.FileHandler | ||
- | #, java.util.logging.ConsoleHandler | ||
- | |||
- | ############################################################ | ||
- | # Handler specific properties. | ||
- | ############################################################ | ||
- | |||
- | 3manager.org.apache.juli.FileHandler.level = FINE | ||
- | 3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/ | ||
- | 3manager.org.apache.juli.FileHandler.prefix = manager. | ||
- | |||
- | 4host-manager.org.apache.juli.FileHandler.level = FINE | ||
- | 4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/ | ||
- | 4host-manager.org.apache.juli.FileHandler.prefix = host-manager. | ||
- | |||
- | # | ||
- | # | ||
- | |||
- | ############################################################ | ||
- | # Facility specific properties. | ||
- | ############################################################ | ||
- | |||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | |||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | |||
- | </ | ||
- | |||
- | |||
- | |||
- | On CentOS for redirect logging from / | ||
- | < | ||
- | ### tomcat log | ||
- | $template TomcatForm," | ||
- | if ($syslogfacility-text == ' | ||
- | action(type=" | ||
- | & stop | ||
- | } | ||
- | </ | ||
- | Then restart rsyslog | ||
- | < | ||
- | systemctl restart rsyslog | ||
</ | </ | ||
- | ==== Rotating Tomcat logs ==== | + | === Rotating Tomcat logs === |
- | Tomcat logger appneds to the logfile | + | Default |
<file txt tomcat> | <file txt tomcat> | ||
- | /var/log/tomcat/tomcat.log | + | /opt/tomcat/current/logs/catalina.out { |
- | /var/ | + | |
- | / | + | |
- | / | + | |
- | / | + | |
rotate COUNT | rotate COUNT | ||
daily | daily | ||
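Review bot: removing the ROOT context descriptor at L233-L239 (the ''<Context docBase=... path="">'' file that told Tomcat where idm.war is deployed) leaves this revision with no step that deploys the application at all; if deployment moved to another page or into the symlinked /opt/tomcat/current/webapps, the text should say so, otherwise this is a regression in the guide. The logging changes are consistent with dropping syslog: with the logging.properties that ships in the tarball, Tomcat 8.5 writes its own date-stamped catalina., localhost., manager. and host-manager. log files and leaves catalina.out to the process, so the single logrotate stanza for ''/opt/tomcat/current/logs/catalina.out'' at L314 covers stdout and stderr only; state that the JULI files are not covered and need their own cleanup (a second logrotate stanza or the handler's own retention settings), or they will grow without bound.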
Line 443: | Line 447: | ||
notifempty | notifempty | ||
compress | compress | ||
- | create 0644 tomcat tomcat | ||
- | } | ||
- | / | ||
- | { | ||
- | rotate COUNT | ||
- | daily | ||
- | dateext | ||
- | copytruncate | ||
- | missingok | ||
- | notifempty | ||
- | compress | ||
- | create 0644 tomcat tomcat | ||
- | sharedscripts | ||
- | postrotate | ||
- | /bin/kill -HUP `cat / | ||
- | | ||
- | } | ||
- | </ | ||
- | On **Debian** logs are in ''/ | ||
- | <file txt tomcat8> | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | rotate COUNT | ||
- | daily | ||
- | dateext | ||
- | copytruncate | ||
- | missingok | ||
- | notifempty | ||
- | compress | ||
- | create 0644 tomcat8 tomcat8 | ||
} | } | ||
</ | </ | ||
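Review bot: dropping the second stanza (L326-L340) with its ''postrotate'' kill -HUP is right for catalina.out, since Tomcat does not reopen that file on SIGHUP, but it only works if the surviving stanza keeps ''copytruncate'' (present in the removed stanza at L331, not visible among the retained lines here); without it logrotate renames catalina.out, Tomcat keeps writing to the renamed file through its open descriptor, and with ''create 0644 tomcat tomcat'' at L324 removed as well no fresh file would be created. Removing the ''create 0644'' line is otherwise an improvement: catalina.sh applies its own default umask of 0027, so catalina.out is created 0640 rather than world-readable, and with copytruncate that mode is preserved across rotations; the log routinely carries stack traces and request data, so the text should say that the 0640 mode is intended.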
Line 494: | Line 464: | ||
* Adjust particular SELinux labels. Example ([[https:// | * Adjust particular SELinux labels. Example ([[https:// | ||
</ | </ | ||
- | Please note that the log does not rotate during the first day, but after the second day. | ||
- | ==== Optional - Management Interface for Tomcat==== | ||
- | If you installed two additional applications for tomcat management follow this part to complete tomcat configuration. | + | Please note that on Debian, the log is not rotate during the first day, but after the second day. |
- | These applications are available at: | ||
- | * http:// | ||
- | * http:// | ||
- | |||
- | If you want to use them, it is necessary to do following steps. | ||
- | |||
- | First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | ||
- | |||
- | Create user like this: | ||
- | |||
- | Create the a new user in the file ''/ | ||
- | The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | ||
- | |||
- | The file ''/ | ||
- | <file xml tomcat-users.xml> | ||
- | <?xml version=" | ||
- | < | ||
- | xmlns: | ||
- | xsi: | ||
- | version=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <user username=" | ||
- | </ | ||
- | </ | ||
- | |||
- | If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see '' | ||
- | |||
- | Add your IP address into application configuration files. In files ''/ | ||
- | |||
- | In my case, I want to access to Tomcat management from network 192.168.0.0/ | ||
- | |||
- | <file xml context.xml> | ||
- | <?xml version=" | ||
- | <Context antiResourceLocking=" | ||
- | <Valve className=" | ||
- | | ||
- | </ | ||
- | </ | ||
- | |||
- | Again, restart the tomcat: | ||
- | <code bash> | ||
- | systemctl restart tomcat | ||
- | </ | ||
====== Apache httpd as a reverse proxy ====== | ====== Apache httpd as a reverse proxy ====== | ||
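Review bot: the retained note at L365 now says 'on Debian, the log is not rotate during the first day', but this revision removes the Debian tomcat8 package path everywhere else (the tomcat8 systemd section and the /var/log/tomcat8 logrotate file are deleted in the Line 258 and Line 443 hunks), so the caveat refers to a setup the page no longer describes; either drop it or reword it for the manual /opt/tomcat install, and fix the grammar to 'does not rotate'. Deleting the old 'Optional - Management Interface' section (L364-L412) is fine because it was moved verbatim into the configuration section, but the word 'Optional' was lost in the move; keep it, since the manager applications should only stay deployed where they are actually used.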
Line 636: | Line 557: | ||
To do so, add following lines to the virtualhost config file (ssl.conf): | To do so, add following lines to the virtualhost config file (ssl.conf): | ||
< | < | ||
- | | + | RewriteEngine On |
- | RewriteRule " | + | RewriteRule " |
</ | </ | ||
- | In the file ssl.conf we also have to disable SSLv3. Edit the line with SSLProtocol directive: | + | We also have to secure the communication. **Edit** corresponding lines in '' |
< | < | ||
- | SSLProtocol all -SSLv2 -SSLv3 | + | SSLProtocol all -SSLv2 -SSLv3 |
+ | SSLCipherSuite ALL: | ||
+ | SSLHonorCipherOrder on | ||
</ | </ | ||
+ | < | ||
On Debian, create symlinks to sites-enabled: | On Debian, create symlinks to sites-enabled: | ||
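Review bot: ''SSLProtocol all -SSLv2 -SSLv3'' at L422 still permits TLS 1.0 and 1.1 on the reverse proxy; an explicit allow-list such as ''SSLProtocol -all +TLSv1.2'' (plus ''+TLSv1.3'' on httpd 2.4.37 or later built against OpenSSL 1.1.1) is the form that stays safe when new versions or downgrade tricks appear. The ''SSLCipherSuite'' at L423 starts with ''ALL:'' and is cut off here; a string built as everything minus exclusions tends to keep weak suites nobody thought to exclude, so prefer a positive list of ECDHE suites with AES-GCM or CHACHA20, and ''SSLHonorCipherOrder on'' at L424 only helps if that list is ordered strongest first. The lone ''<'' added at L426 is a stray fragment and should be removed.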
Line 710: | Line 634: | ||
# These break Certificate Authority module | # These break Certificate Authority module | ||
< | < | ||
+ | SecRuleRemoveById 960915 | ||
+ | SecRuleRemoveById 200003 | ||
+ | </ | ||
+ | |||
+ | # Modsec can throw false positives on some files due to multipart boundary check | ||
+ | < | ||
SecRuleRemoveById 960915 | SecRuleRemoveById 960915 | ||
SecRuleRemoveById 200003 | SecRuleRemoveById 200003 |
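Review bot: the new lines at L431-L432 and the retained lines at L437-L438 remove the same rule ids, 960915 and 200003, twice, once under the 'These break Certificate Authority module' comment and again under the multipart-boundary comment, so one block is redundant and the comments no longer say which finding each exclusion is for. More importantly, 200003 is the rule from modsecurity.conf-recommended that rejects request bodies failing strict multipart validation, and 960915 is the CRS 2.x unmatched-boundary check; removing both at server level disables the engine's defence against malformed multipart bodies for every virtual host, not just for the CA module. Scope the exclusions to the CA module's path by placing the ''SecRuleRemoveById'' lines inside a ''<Location>'' block for that path, and keep the rules active everywhere else.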