Apache Tomcat 8.5 security configuration and high-concurrency optimization (operations)


https://www.renwole.com/archives/357

In a production environment Tomcat's default configuration clearly does not meet our requirements, so it usually has to be tuned. What follows is how I configure Tomcat for security and performance, based on my own experience; if you have a better solution, please leave a comment and I will take it on board.

For installing and configuring the Java JDK/JRE, read the article "Linux Java JDK JRE environment variable installation and configuration".
For installing Tomcat, read the article "Linux Apache Tomcat 8.5 Installation and Configuration".

1. Edit the configuration file:

# vim /usr/program/tomcat8/conf/server.xml

2. Disable port 8005 (the shutdown port)

Anyone who can run telnet localhost 8005 and type SHUTDOWN stops Tomcat, so for security we disable this feature.

Default value:

<Server port="8005" shutdown="SHUTDOWN">

Modified to:

<Server port="-1" shutdown="SHUTDOWN">

3. Application security: turn off automatic deployment

Default value:

 

Modified to:

 

4. maxThreads: limiting the number of concurrent connections

Default value:

<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
    maxThreads="150" minSpareThreads="4"/>
-->

Modified to:

<Executor
    name="tomcatThreadPool"
    namePrefix="catalina-exec-"
    maxThreads="<value lost in source>"
    minSpareThreads="<value lost in source>"
    maxIdleTime="60000"
    prestartminSpareThreads="true"
    maxQueueSize="<value lost in source>"
/>

Parameter explanation:

maxThreads: the maximum number of request-processing threads, i.e. the maximum number of concurrent requests. The default is 200; 500 to 800 is generally recommended, depending on the hardware and the workload.
minSpareThreads: the number of threads created when Tomcat initializes. The default is 25.
maxIdleTime: when the pool holds more threads than the initial count, how long an idle thread survives before it is shut down, in milliseconds. The default is 60000 = 60 seconds = 1 minute.
prestartminSpareThreads: whether the minSpareThreads threads are created when Tomcat starts. Unless it is true, the minSpareThreads value has no effect.
maxQueueSize: the maximum number of requests allowed to wait in the queue; requests beyond this are rejected.

5. Connector parameter optimization

Default value:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
    redirectPort="8443"
    />

Modified to:

<Connector
    executor="tomcatThreadPool"
    port="8080"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    connectionTimeout="60000"
    maxConnections="10000"
    redirectPort="8443"
    enableLookups="false"
    acceptCount="<value lost in source>"
    maxPostSize="<value lost in source>"
    maxHttpHeaderSize="8192"
    compression="on"
    disableUploadTimeout="true"
    compressionMinSize="2048"
    acceptorThreadCount="2"
    compressableMimeType="text/html,text/plain,text/css,application/javascript,application/json,application/x-font-ttf,application/x-font-otf,image/svg+xml,image/jpeg,image/png,image/gif,audio/mpeg,video/mp4"
    URIEncoding="UTF-8"
    processorCache="20000"
    tcpNoDelay="true"
    connectionLinger="5"
    server="Server Version 11.0"
    />

Parameter explanation:

protocol: on Tomcat 8, NIO2 is the better choice: org.apache.coyote.http11.Http11Nio2Protocol
protocol: on Tomcat 6, NIO is the better choice: org.apache.coyote.http11.Http11NioProtocol
protocol: on Tomcat 8, APR gives the fastest performance: org.apache.coyote.http11.Http11AprProtocol. For details see the article "Tomcat 8.5 performance optimization based on the Apache Portable Runtime (APR) library".
connectionTimeout: the number of milliseconds the Connector waits, after accepting a connection, before timing it out. The default is 60000.
maxConnections: the maximum number of connections (sockets) that Tomcat will accept and process at any one time.
enableLookups: false disables DNS lookups, so the remote host of a request is reported as an IP address.
acceptCount: when all of Tomcat's request-processing threads are in use, the number of incoming connection requests that are queued. The default is 100.
maxPostSize: the maximum size, in bytes, of the POST request body whose URL-encoded parameters the container will parse; -1 (any value below 0) disables the limit, and the default is 2097152 (2 MB). Note that the FailedRequestFilter can be used to reject requests that hit this limit.
maxHttpHeaderSize: the maximum size of the HTTP request header; headers larger than this are not processed. 8 KB is usual.
compression: enables gzip compression: on compresses text data, off disables compression, force compresses all data.
disableUploadTimeout: this flag allows the servlet container to use a different, usually longer, timeout on connections that are uploading data. If not specified it is set to true, which disables that longer timeout.
compressionMinSize: the minimum response size, in bytes, above which output is compressed.
acceptorThreadCount: the number of threads used to accept connections. Increase this value on a multi-CPU machine, although you would never really need more than 2; with many non-keep-alive connections you may also want to increase it. The default is 1.
compressableMimeType: the MIME types that should be compressed.
URIEncoding: websites generally use UTF-8 as the default encoding.
processorCache: the protocol handler caches Processor objects to improve performance, and this setting determines how many are cached. -1 means unlimited; the default is 200. If you do not use Servlet 3.0 asynchronous processing, the default is to use the same value as maxThreads. If you do use Servlet 3.0 asynchronous processing, the default is the larger of maxThreads and the expected number of concurrent requests (synchronous and asynchronous).
tcpNoDelay: if true, the TCP_NO_DELAY option is set on the server socket, which in most cases improves performance. The default is true.
connectionLinger: the number of seconds the sockets used by this Connector linger when they are closed. The default is -1, which disables socket linger.
server: hides the Tomcat version information; the first place to hide it is the HTTP Server header.
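The shutdown-port change in section 2, the autoDeploy change in section 3 and the server attribute in section 5 can all be checked mechanically. The Python script below is an added example and is not part of the original article or of Tomcat itself: it parses a server.xml with the standard library and reports which of those three settings are still at their defaults, and it also flags a Connector whose executor attribute names an Executor that does not exist in the same Service (a wiring mistake that is easy to make when adding the Executor from section 4). Both server.xml documents inside it are constructed samples (the thread-pool numbers in the hardened one are illustrative), and the finding codes are my own naming.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: the relevant parts of a stock server.xml before hardening.
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample after applying sections 2, 3, 4 and 5 (pool sizes are illustrative).
HARDENED_SERVER_XML = """
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
              maxThreads="500" minSpareThreads="25" maxIdleTime="60000"
              prestartminSpareThreads="true" />
    <Connector executor="tomcatThreadPool" port="8080"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               connectionTimeout="60000" redirectPort="8443"
               enableLookups="false" server="Server Version 11.0" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
"""

Finding = Tuple[str, str]  # (code, human-readable message); codes are my own naming


def audit_server_xml(xml_text: str) -> List[Finding]:
    """Return the hardening settings from sections 2, 3 and 5 that are still at defaults."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    if root.tag != "Server":
        return [("NOT_SERVER", "root element is <%s>, expected <Server>" % root.tag)]

    # Section 2: port="-1" switches the shutdown listener off entirely.
    port = root.get("port", "8005")
    if port != "-1":
        findings.append(("SHUTDOWN_PORT",
                         'shutdown listener enabled on port %s; set port="-1"' % port))

    # Section 3: autoDeploy="false" stops Tomcat deploying whatever lands in appBase.
    for host in root.iter("Host"):
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append(("AUTODEPLOY",
                             "Host %s: autoDeploy is on" % host.get("name", "?")))

    for service in root.iter("Service"):
        # Executors are scoped to the Service that declares them.
        executors = {e.get("name") for e in service.iter("Executor")}
        for conn in service.iter("Connector"):
            where = "Connector port %s" % conn.get("port", "?")
            ref = conn.get("executor")
            if ref is not None and ref not in executors:
                findings.append(("MISSING_EXECUTOR",
                                 "%s: executor %r is not defined" % (where, ref)))
            # Section 5: the server attribute replaces the Server header.
            # AJP connectors do not emit one, so they are skipped.
            if "AJP" in conn.get("protocol", "HTTP/1.1").upper():
                continue
            if not conn.get("server"):
                findings.append(("SERVER_HEADER", "%s: no server= override" % where))
    return findings


def finding_codes(xml_text: str) -> List[str]:
    """Sorted, de-duplicated finding codes; convenient for scripting a pass/fail."""
    return sorted({code for code, _ in audit_server_xml(xml_text)})


if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(doc) or "no findings")
```

To run it against a real installation, read conf/server.xml into a string and pass it to audit_server_xml; a non-empty list is a reason to revisit the corresponding section above before restarting Tomcat.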

6. Hide or modify the Tomcat version number

# cd /usr/local/tomcat/lib/
# unzip catalina.jar
# cd org/apache/catalina/util
# vim ServerInfo.properties
server.info=Apache Tomcat/8.5.16
server.number=8.5.16.0
server.built=Jun 2017 17:01:09 UTC

Remove or modify the version number above.
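As an added example (not the article's own commands), the Python below does the same job as section 6 without hand-editing: it reads ServerInfo.properties out of catalina.jar with the zipfile module, replaces the version strings, and writes the result to lib/org/apache/catalina/util/ServerInfo.properties. That location is what the unzip-into-lib step above relies on: the stock catalina.properties lists ${catalina.base}/lib on the common loader ahead of lib/*.jar, so a file under lib/ takes precedence over the copy inside the jar. The jar it reads is a constructed throwaway built in a temporary directory, the replacement values ("Apache Tomcat", an empty server.number, "unknown" build) are my choice, and the sample properties reproduce the values from section 6.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict

# Entry inside catalina.jar that carries the version strings edited in section 6.
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"
# Anything that looks like a dotted version number, e.g. 8.5.16 or 8.5.16.0.
VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)+\b")

# Constructed copy of the shipped file, with the values shown in section 6.
SAMPLE_SERVER_INFO = (
    "server.info=Apache Tomcat/8.5.16\n"
    "server.number=8.5.16.0\n"
    "server.built=Jun 2017 17:01:09 UTC\n"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, # and ! comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def read_server_info(jar_path: str) -> Dict[str, str]:
    """Pull ServerInfo.properties straight out of the jar (a jar is a zip archive)."""
    with zipfile.ZipFile(jar_path) as jar:
        return parse_properties(jar.read(SERVER_INFO_ENTRY).decode("utf-8"))


def leaks_version(props: Dict[str, str]) -> bool:
    """True if any value still contains a dotted version number."""
    return any(VERSION_RE.search(value) for value in props.values())


def scrub(props: Dict[str, str], product: str = "Apache Tomcat") -> Dict[str, str]:
    """Return a copy with the version strings replaced (replacement values are my choice)."""
    cleaned = dict(props)
    if "server.info" in cleaned:
        cleaned["server.info"] = product
    if "server.number" in cleaned:
        cleaned["server.number"] = ""
    if "server.built" in cleaned:
        cleaned["server.built"] = "unknown"
    return cleaned


def write_override(lib_dir: str, props: Dict[str, str]) -> str:
    """Write lib/org/apache/catalina/util/ServerInfo.properties; returns the path."""
    path = os.path.join(lib_dir, *SERVER_INFO_ENTRY.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        for key, value in props.items():
            fh.write("%s=%s\n" % (key, value))
    return path


def demo() -> Dict[str, object]:
    """Run the whole flow against a throwaway jar in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        jar = os.path.join(lib, "catalina.jar")
        with zipfile.ZipFile(jar, "w") as z:  # constructed stand-in for catalina.jar
            z.writestr(SERVER_INFO_ENTRY, SAMPLE_SERVER_INFO)
        before = read_server_info(jar)
        after = scrub(before)
        path = write_override(lib, after)
        with open(path, encoding="utf-8") as fh:
            override = parse_properties(fh.read())
        return {"before": before, "after": after, "override": override,
                "leaks_before": leaks_version(before), "leaks_after": leaks_version(after)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real installation, call read_server_info on the actual catalina.jar, scrub the result, and pass the real lib directory to write_override; the jar itself is left untouched, which is easier to revert than editing its contents.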

7. Remove the default administration web applications and related configuration files

# rm -rf /usr/local/apache-tomcat-8.5.16/webapps/*
# rm -rf /usr/local/apache-tomcat-8.5.16/conf/tomcat-users.xml

References:
https://tomcat.apache.org/tomcat-8.5-doc/config/
https://github.com/judasn/Linux-Tutorial/blob/master/Tomcat-Install-And-Settings.md
http://wiki.jikexueyuan.com/project/linux-in-eye-of-java/Tomcat-Install-And-Settings.html
http://netkiller.github.io/journal/tomcat.html
http://zjliu.me/2015/12/14/tomcat-config-connector/
