Apache Tomcat 8/9 security configuration with high-concurrency optimization

Source: Internet
Author: User
Tags: apache tomcat

Edit the configuration file

Disable port 8005

Connecting with telnet localhost 8005 and entering SHUTDOWN turns Tomcat off. For security, we want to disable this feature.

<Server port="8005" shutdown="SHUTDOWN">
# modified to
<Server port="-1" shutdown="SHUTDOWN">

Application security: turn off automatic deployment

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
# modified to
<Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false" reloadable="false">

maxThreads connection limit configuration

<!--<Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads=" Max" minSpareThreads="4"/>-->
# modified to
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads=" -" minSpareThreads=" -" maxIdleTime="60000" prestartminSpareThreads="true" maxQueueSize=" -"/>

Parameter explanation:

maxThreads: Maximum concurrency. The default setting is 200; 500 ~ 800 is generally recommended, judged according to the hardware and the business load.
minSpareThreads: Number of threads created when Tomcat is initialized; the default setting is 25.
maxIdleTime: If the current number of threads is greater than the initial number, how long an idle thread survives, in milliseconds; by default 60000 = 60 seconds = 1 minute.
prestartminSpareThreads: Whether the minSpareThreads threads are started when Tomcat is initialized; if it is not set to true, the minSpareThreads value has no effect.
maxQueueSize: Maximum length of the waiting queue; requests beyond it are rejected.

Connector parameter optimization configuration

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
# modified to
<Connector executor="tomcatThreadPool"
           port="8080"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           connectionTimeout="60000"
           maxConnections="10000"
           redirectPort="8443"
           enableLookups="false"
           acceptCount=" -"
           maxPostSize="10485760"
           maxHttpHeaderSize="8192"
           compression="on"
           disableUploadTimeout="true"
           compressionMinSize="2048"
           acceptorThreadCount="2"
           compressableMimeType="text/html,text/plain,text/css,application/javascript,application/json,application/x-font-ttf,application/x-font-otf,image/svg+xml,image/jpeg,image/png,image/gif,audio/mpeg,video/mp4"
           URIEncoding="utf-8"
           processorCache="20000"
           tcpNoDelay="true"
           connectionLinger="5"
           server="Server Version 11.0"/>

Parameter explanation:

protocol: On Tomcat 8, NIO2 is the better setting: org.apache.coyote.http11.Http11Nio2Protocol
protocol: On Tomcat 6, NIO is the better setting: org.apache.coyote.http11.Http11NioProtocol
protocol: On Tomcat 8, APR gives fast performance: org.apache.coyote.http11.Http11AprProtocol. For the specific configuration, see "CentOS 7 Tomcat 8.5 performance optimization based on the APR library".

connectionTimeout: The time the Connector waits after a connection is accepted, in milliseconds; the default value is 60000.
maxConnections: The maximum number of sockets that can be connected to Tomcat.
enableLookups: Set to false to disable DNS lookups.
acceptCount: When the number of threads started by Tomcat reaches the maximum, the number of requests that are accepted into the queue; the default value is 100.
maxPostSize: Sets the maximum length of the URL parameters parsed by the container. Set it to -1 (less than 0) to disable this limit; it defaults to 2097152 (2M). Note that the FailedRequestFilter filter can be used to reject requests that have reached the limit value.
maxHttpHeaderSize: The maximum size of the HTTP request header; requests whose headers exceed this length are not processed. Generally 8K.
compression: Whether gzip compression is enabled: on enables it (text data is compressed), off disables it, force compresses all data.
disableUploadTimeout: This flag allows the servlet container to use a different, usually longer, connection timeout for data uploads. If not specified, this property is set to true, which indicates that the upload timeout is disabled.
compressionMinSize: Data is compressed only when it exceeds this minimum size.
acceptorThreadCount: The number of threads used to accept connections. Increase this value on multi-CPU machines, although you will never really need more than 2. With many non-keep-alive connections, you may also want to increase this value. The default value is 1.
compressableMimeType: The types of data you want to compress.
URIEncoding: Web sites generally use UTF-8 as the default encoding.
processorCache: The protocol handler caches Processor objects to improve performance. This setting determines how many of these objects are cached. -1 means unlimited; the default is 200. If you do not use Servlet 3.0 asynchronous processing, the default is to use the same value as maxThreads. If you use Servlet 3.0 asynchronous processing, the default is the larger of maxThreads and the expected maximum number of concurrent requests (synchronous and asynchronous).
tcpNoDelay: If set to true, the TCP_NO_DELAY option is set on the server socket, which improves performance in most cases. It is set to true by default.
connectionLinger: The number of seconds for which the sockets used by this Connector linger when they are closed. The default value is -1, which disables socket linger.
server: Hides Tomcat version information; this is the first step, hiding the version information in the HTTP header.
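
Added example (not part of the original page and not Tomcat's own tooling): a small Python check that parses a server.xml and reports which of the Server, Host and Connector settings changed above are still at their weaker values. Both sample files and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling an unmodified server.xml (not from the page).
STOCK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""

# Same file after the page's changes (Connector reduced to the audited attributes).
HARDENED = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxPostSize="10485760" maxHttpHeaderSize="8192"
               enableLookups="false" server="Server Version 11.0"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>"""

def audit(server_xml: str) -> list[str]:
    """Return one finding per setting that is weaker than the page's hardened form."""
    root = ET.fromstring(server_xml)
    findings = []
    # An absent port attribute means the shutdown listener uses 8005.
    if root.get("port", "8005") != "-1":
        findings.append("shutdown-port-enabled")
    for host in root.iter("Host"):
        # Tomcat treats both attributes as true when they are absent.
        for attr in ("autoDeploy", "unpackWARs"):
            if host.get(attr, "true").lower() != "false":
                findings.append(f"{attr}-enabled:{host.get('name')}")
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("server") is None:
            findings.append(f"no-server-header-override:{port}")
        if conn.get("enableLookups", "false").lower() == "true":
            findings.append(f"dns-lookups-enabled:{port}")
        if int(conn.get("maxPostSize", "2097152")) < 0:
            findings.append(f"post-size-unlimited:{port}")
    return findings

if __name__ == "__main__":
    print(audit(STOCK))
    print(audit(HARDENED))
```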

Hide or modify the Tomcat version number

# cd /usr/local/tomcat/lib/
# unzip catalina.jar
# cd org/apache/catalina/util/
# vim ServerInfo.properties
server.info=Apache Tomcat/9.0.10
server.number=9.0.10.0
server.built=Jun 20 2018 17:32:21 UTC
# Modify or delete the version number above

Remove the default administration pages and related configuration files

rm -rf /usr/local/tomcat/conf/tomcat-
rm -rf /usr/local/tomcat/webapps/*
