Security and optimization of JVM and Tomcat under Linux

Source: Internet
Author: User

In the previous section we deployed the Tomcat service. As you saw, the service is really easy to deploy, provided you have learned the basic commands covered earlier. Today, building on the last section, I want to talk about the security and optimization of the Tomcat service. Why do security and optimization once the service is already set up? In theory deploying the service is enough, but we want our servers to run more securely and more stably, so security optimization is necessary.

In the last section we learned that the JDK is a Java Virtual Machine (JVM). Since it is a virtual machine, it has the concept of memory. Inside the Java virtual machine these areas are all memory, but they go by different names. They are described below:


JVM optimization parameter names explained

1. Method area

Also known as the "permanent generation" or "non-heap", it stores class information loaded by the virtual machine, constants and static variables, and is a memory area shared by all threads. The default minimum value is 16MB and the maximum value is 64MB; the -XX:PermSize and -XX:MaxPermSize parameters limit the size of the method area.

2. Java heap

Also called the GC heap, it is the largest chunk of memory managed by the Java virtual machine and is also a memory area shared by all threads, created when the JVM starts. This memory area holds object instances and arrays (all objects created with new). Its size is set by the -Xms (minimum value) and -Xmx (maximum value) parameters. -Xms is the minimum memory the JVM requests at startup, defaulting to 1/64 of the operating system's physical memory but less than 1G; -Xmx is the maximum memory the JVM can request, defaulting to a quarter of physical memory but less than 1G. Note that in practice you should not exceed 4G. Danger! Above 4G, problems arise when garbage collection occurs.

3. Program counter

It acts as the line number indicator of the bytecode being executed by the current thread.

4. Java stack

It describes the memory model of Java method execution. Its advantage is that access is faster than the heap, second only to registers, and stack data can be shared. Its drawback is a lack of flexibility. Leave it at the default parameter; do not change it.

5. Native method stack

It is basically similar to the virtual machine stack, except that the virtual machine stack serves the Java methods the virtual machine executes, while the native method stack serves native methods.

Reasons for optimization

The default parameters set when the JDK is installed are meant for a development environment, not a production environment. Its memory and thread configuration is very low by default and easily becomes a performance bottleneck.

Criteria for configuring the optimization parameters

Configuring the parameters

-Xms: initial heap size

-Xmx: maximum heap size

The usual setting is -Xms equal to -Xmx.

The advantage is that the heap size is not readjusted after every GC, which reduces system memory allocation.

Young generation

Studies have shown that most objects are short-lived and die soon after they are created. The young generation therefore uses the copying collection algorithm during GC.

The configuration method is: -Xmn256m, which sets the young generation size.

The configuration criterion is: its size is half of -Xms.

Internally it is divided into 3 areas:

One Eden area, where all new objects are placed.

Two Survivor areas, used to implement the copying algorithm.

The Eden area is usually where objects are initially allocated; the Survivor space is divided into two areas of equal size, S0 and S1.

Permanent generation

The configuration parameters are:

-XX:PermSize sets the initial size of the permanent generation (Perm Gen)

-XX:MaxPermSize sets the maximum size of the permanent generation

The criterion for configuring the permanent generation is that the value of -XX:PermSize equals -XX:MaxPermSize, because resizing the permanent generation can also trigger a GC (garbage collection) of heap memory.

Its role is to store class and method metadata. Generally 128M is sufficient; the principle is to reserve 30% of the space.
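As an added example (not from the original article), the following Python script checks a JAVA_OPTS string against the sizing criteria above: -Xms equal to -Xmx, -Xmx not above 4G, -Xmn half of -Xms, and -XX:PermSize equal to -XX:MaxPermSize. The function names and the sample option strings are constructed for illustration; the PermSize checks apply only to JVMs that still have a permanent generation.

```python
import re

# Size suffixes accepted for -Xms/-Xmx/-Xmn and the PermGen flags.
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
SIZE_FLAGS = re.compile(
    r"^-(Xms|Xmx|Xmn|XX:PermSize=|XX:MaxPermSize=)(\d+)([kKmMgG]?)$")

def parse_sizes(java_opts):
    """Return {flag: bytes} for the sizing flags found in a JAVA_OPTS string."""
    sizes = {}
    for token in java_opts.split():
        m = SIZE_FLAGS.match(token)
        if m:
            name = m.group(1).rstrip("=").replace("XX:", "")
            sizes[name] = int(m.group(2)) * UNITS[m.group(3).lower()]
    return sizes

def check_opts(java_opts):
    """List every deviation from the sizing criteria described in this article."""
    s, problems = parse_sizes(java_opts), []
    for flag in ("Xms", "Xmx", "Xmn", "PermSize", "MaxPermSize"):
        if flag not in s:
            problems.append(f"{flag} is not set, JVM default applies")
    if "Xms" in s and "Xmx" in s and s["Xms"] != s["Xmx"]:
        problems.append("Xms != Xmx, heap will be resized at runtime")
    if "Xmx" in s and s["Xmx"] > 4 * UNITS["g"]:
        problems.append("Xmx exceeds 4G")
    if "Xms" in s and "Xmn" in s and s["Xmn"] * 2 != s["Xms"]:
        problems.append("Xmn is not half of Xms")
    if "PermSize" in s and "MaxPermSize" in s and s["PermSize"] != s["MaxPermSize"]:
        problems.append("PermSize != MaxPermSize")
    return problems

# Constructed sample values, not taken from a real server.
GOOD = ("-Xms2g -Xmx2g -Xmn1g -XX:PermSize=128m -XX:MaxPermSize=128m "
        "-XX:+UseParallelGC -XX:ParallelGCThreads=20 -Xloggc:/var/log/gc/gc_log")
BAD = "-Xms512m -Xmx8g -Xmn128m -XX:PermSize=64m -XX:MaxPermSize=128m"

if __name__ == "__main__":
    for label, opts in (("good", GOOD), ("bad", BAD)):
        print(label, check_opts(opts) or "matches the criteria")
```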

JVM memory garbage collection (GC)

GC is a memory management mechanism. The JVM first uses certain algorithms to identify the garbage to collect.

The algorithms for identifying garbage are:

Reference counting algorithm

Search-based algorithm

JVM garbage collection algorithms:

1. Copying algorithm

2. Mark-sweep algorithm

3. Mark-compact algorithm

Garbage collectors mainly work on the young generation and the old generation.

The common garbage collectors are:

Parallel

ParNew

Serial

CMS

Turning on a collector

-XX:+UseParallelGC

Log format

-XX:ParallelGCThreads=20 -Xloggc:/var/log/gc/gc_log

The point of this part is to understand the memory areas described above, and then to configure the corresponding parameters in your own production environment according to them, following the criteria given above. Quite simple, isn't it?

Now let's look at Tomcat optimization.

Tomcat's default parameters are set for a development environment, not for production. The memory and thread configuration in particular is low by default and easily becomes a performance bottleneck.

Optimization parameters in detail

1. Change the <Server port="8005" shutdown="SHUTDOWN" debug="0"> tag

<Server port="8050" shutdown="AABB" debug="0"> prevents hackers from scanning

2. Change the <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> tag

<Connector port="8090" protocol="AJP/1.3" redirectPort="8443"/> prevents hackers from intruding

3. Lower the privileges Tomcat runs with

Do not start Tomcat as the root user.

4. Change the site directory

Add the following in server.xml:

<Context path="" docBase="/home/webapps/sp2p_web" reloadable="true"></Context>

5. Delete the files under the default webapps directory

This is to prevent the software from leaking information.

6. Hide version information

Modify conf/web.xml to redirect 403, 404 and other error pages.

Alternatively, instead of Tomcat's own file, put the configuration in the web project's web.xml:

<!-- 403 No access -->
<error-page>
  <error-code>403</error-code>
  <location>/page/error/403.jsp</location>
</error-page>

<!-- 404 Not found: the resource accessed does not exist -->
<error-page>
  <error-code>404</error-code>
  <location>/page/error/404.jsp</location>
</error-page>

<!-- Internal server error -->
<error-page>
  <error-code>500</error-code>
  <location>/page/error/500.jsp</location>
</error-page>

7. Disable DNS lookups

In server.xml, modify the Connector element and set the enableLookups attribute: enableLookups="false"

8. Set the session expiration time

It is specified in conf/web.xml with the following parameter:

<session-timeout>60</session-timeout>

9. Use the APR plug-in to improve Tomcat performance

Tomcat can use APR to provide superior scalability and performance and to integrate better with native server technologies.
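An added example, not part of the original article: a Python check that reads server.xml and web.xml content and reports which of items 1, 2, 6, 7 and 8 above are still unaddressed. The function names and the embedded XML samples are constructed for illustration; the 500 error page is assumed to be required alongside 403 and 404, as in the listing under item 6.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace, since real web.xml files usually declare one."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(xml_text):
    """Items 1, 2, 7: shutdown port/command, AJP port, explicit enableLookups."""
    root, findings = ET.fromstring(xml_text), []
    if root.get("port") == "8005":
        findings.append("shutdown port is still the default 8005")
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown command is still the default SHUTDOWN")
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("protocol", "").upper().startswith("AJP") and port == "8009":
            findings.append("AJP connector is still on the default port 8009")
        if conn.get("enableLookups") != "false":
            findings.append(f"connector {port}: enableLookups is not false")
    return findings

def audit_web_xml(xml_text, required=("403", "404", "500")):
    """Items 6 and 8: custom error pages and an explicit session timeout."""
    root, findings, codes, has_timeout = ET.fromstring(xml_text), [], set(), False
    for el in root.iter():
        if local(el.tag) == "error-page":
            kids = {local(c.tag): (c.text or "").strip() for c in el}
            if kids.get("location"):
                codes.add(kids.get("error-code"))
        elif local(el.tag) == "session-timeout":
            has_timeout = True
    findings += [f"no custom error page for {c}" for c in required if c not in codes]
    if not has_timeout:
        findings.append("session-timeout is not set")
    return findings

# Constructed samples: stock-style values versus the values used in this article.
DEFAULT_SERVER = ('<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">'
                  '<Connector port="8009" protocol="AJP/1.3"/></Service></Server>')
HARDENED_SERVER = ('<Server port="8050" shutdown="AABB"><Service name="Catalina">'
                   '<Connector port="8090" protocol="AJP/1.3" redirectPort="8443" '
                   'enableLookups="false"/></Service></Server>')
PARTIAL_WEB = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><error-page>'
               '<error-code>404</error-code><location>/page/error/404.jsp</location>'
               '</error-page></web-app>')

if __name__ == "__main__":
    for finding in audit_server_xml(DEFAULT_SERVER) + audit_web_xml(PARTIAL_WEB):
        print("FINDING:", finding)
```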

In real production, security optimization according to the standards above is enough. One reminder: before you touch the real machine, first test the configuration parameters thoroughly in a local simulated environment, and only move them onto the real machine once there are no problems.


This article is from the "Lele Run" blog; please be sure to keep this source: http://10851431.blog.51cto.com/10841431/1750468
