1. web.xml configuration and modification:
Site default home page:
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
404 and 500 error page settings:
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/500.html</location>
</error-page>
Default session timeout (in minutes):
<session-config>
<session-timeout>60</session-timeout>
</session-config>
Disable directory listings (init-param of the default servlet in web.xml):
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
2. server.xml security changes
<Server port="8005" shutdown="SHUTDOWN">
Change the shutdown command string to a value of your own, such as Forevernotdown; the port can be changed as well.
3. Modify or hide the default Tomcat version information
Similar to server_tokens off in Nginx, Tomcat can also hide its version number, using the following steps:
cd apache-tomcat-7.0.59/lib
mkdir test
cd test
jar xf ../catalina.jar
cat org/apache/catalina/util/ServerInfo.properties | grep -Ev '^($|#)'
server.info=Apache Tomcat/7.0.59
server.number=7.0.59.0
vi org/apache/catalina/util/ServerInfo.properties   (set the values as follows)
server.info=Tomcat
server.number=6
server.built=Jan 14:51:10 UTC
jar cf ../catalina.jar ./*
cd ..
rm -rf test
curl -i http://127.0.0.1:8080
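The jar xf / vi / jar cf steps above can be scripted. The following Python is an added example, not code from the original post: it rewrites ServerInfo.properties inside a copy of catalina.jar in memory and reads the result back. The sample jar contents and its build date are constructed; the entry path and the replacement values (Tomcat, 6) follow the steps above.

```python
import io
import sys
import zipfile

ENTRY = "org/apache/catalina/util/ServerInfo.properties"


def build_sample_jar() -> bytes:
    """Constructed stand-in for catalina.jar; only the properties entry matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(ENTRY, "server.info=Apache Tomcat/7.0.59\n"
                           "server.number=7.0.59.0\n"
                           "server.built=Jan 1 2015 00:00:00 UTC\n")  # constructed date
    return buf.getvalue()


def read_server_info(jar_bytes: bytes) -> dict:
    """Parse the key=value lines of the properties entry, skipping blanks and comments."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read(ENTRY).decode("utf-8")
    pairs = (line.split("=", 1) for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def rewrite_server_info(jar_bytes: bytes, overrides: dict) -> bytes:
    """Copy every jar entry verbatim except ServerInfo.properties, which is re-emitted
    with the given keys replaced; keys not in overrides keep their original values."""
    props = read_server_info(jar_bytes)
    props.update(overrides)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == ENTRY:
                data = "".join(f"{k}={v}\n" for k, v in props.items()).encode("utf-8")
            dst.writestr(item, data)  # keeps the original entry name and compression method
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python hide_version.py $CATALINA_HOME/lib/catalina.jar  (back the jar up first)
    with open(sys.argv[1], "rb") as f:
        patched = rewrite_server_info(f.read(), {"server.info": "Tomcat", "server.number": "6"})
    with open(sys.argv[1], "wb") as f:
        f.write(patched)
```

Run it with Tomcat stopped; only the identification strings change, so the curl -i check above is the way to confirm the new header after restart.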
4. Delete unnecessary directories under $CATALINA_HOME/webapps
Remove everything under webapps immediately after the first Tomcat installation:
rm -rf /srv/apache-tomcat/webapps/*
5. tomcat-users.xml contains the list of user names, roles and passwords; if no web-based deployment is required, it must be commented out in production:
# cat conf/tomcat-users.xml
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
6. server.xml thread count and hot deployment changes
1) maxThreads is the maximum number of worker threads for Tomcat; minSpareThreads is the number of threads created at initialization. If there are too many connections, build a load-balanced Tomcat cluster.
2) By default Tomcat has hot deployment of WAR packages turned on. To prevent malicious programs such as Trojan horses from being deployed, turn off automatic deployment on the Host element:
<Host ... unpackWARs="false" autoDeploy="false">
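Sections 2, 5 and 6 come down to checking a handful of attributes in server.xml and tomcat-users.xml. The following Python is an added example, not code from the original post: it parses both files and reports the weak settings (the default SHUTDOWN command, autoDeploy/unpackWARs left on, enableLookups on, no server attribute on a Connector, and any user entry still active). Both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a stock-looking server.xml that still has the weak defaults.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: one user was left active outside the comment block.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <!-- <user username="tomcat" password="x" roles="manager-gui"/> -->
  <user username="admin" password="x" roles="manager-gui"/>
</tomcat-users>"""


def audit_server_xml(xml_text: str) -> list:
    """Return one finding per weak setting; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("Server: shutdown command is still the default SHUTDOWN")
    for host in root.iter("Host"):
        # Both attributes default to true when absent, hence the fallback of "true".
        for attr in ("autoDeploy", "unpackWARs"):
            if host.get(attr, "true").lower() != "false":
                findings.append(f"Host {host.get('name')}: {attr} is not false")
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("enableLookups", "false").lower() == "true":
            findings.append(f"Connector {port}: enableLookups is true (DNS reverse lookups)")
        if not conn.get("server"):
            findings.append(f"Connector {port}: no server attribute, Server header not masked")
    return findings


def audit_tomcat_users(xml_text: str) -> list:
    """Commented-out users are dropped by the parser, so every <user> found is live."""
    root = ET.fromstring(xml_text)
    return [f"tomcat-users.xml: active user {u.get('username')!r} with roles {u.get('roles')}"
            for u in root.iter("user")]
```

Point the two functions at the text of conf/server.xml and conf/tomcat-users.xml; an empty result from both is the state the sections above aim for.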
7. Multiple virtual hosts
It is strongly recommended not to use Tomcat's virtual hosts: run one instance per site. That is, launch multiple Tomcats; although more expensive, this guarantees application isolation and security.
8. Although Tomcat can enable compression through compression="on", it is best to move compression to the front end and handle it uniformly in Apache or Nginx.
9. Application security: separate the Tomcat directory from the application deployment
It is not recommended to start Tomcat as root; create a dedicated user and make it the owner of the Tomcat directory, for example a user named tomcat.
10. Production deployment
With Apache+Tomcat or Nginx+Tomcat, the site's default home page and custom error pages can be handled in the front-end Apache or Nginx.
Optimization
Tomcat has 3 modes of operation:
1. BIO
The default mode, with very low efficiency and performance.
2. NIO
Using NIO on the server side gives better performance and improves concurrent request handling. Tomcat 8 runs in NIO mode by default; to run in this mode, modify the Connector node in server.xml and change the protocol as follows:
<Connector port="8080"
protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
enableLookups="false"
redirectPort="8443"/>
Restart Tomcat for the change to take effect.
3. APR installation and optimization
APR solves the asynchronous IO problem at the operating system level and greatly improves performance. Both APR and the Tomcat native library must be installed; to start with APR support, change the protocol to org.apache.coyote.http11.Http11AprProtocol.
Install APR:
yum -y install apr apr-util apr-devel openssl-devel
Install the native library from the Tomcat bin directory, for example:
cd /usr/local/tomcat/bin/
tar xzvf tomcat-native.tar.gz
cd tomcat-native-1.1.20-src/jni/native/
./configure --with-apr=/usr/bin/apr-1-config
make && make install
The following message appears when the installation is complete:
Libraries have been installed in: /usr/local/apr/lib
After a successful installation you also need to set environment variables for Tomcat by adding one line to the setenv.sh file:
CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
Or:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
source /etc/profile
Modify conf/server.xml on the 8080 connector:
protocol="org.apache.coyote.http11.Http11AprProtocol"
After Tomcat starts, the log contains the following line, which shows that APR mode is active: INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
4. Memory parameter optimization
Concurrency optimization 1. JVM tuning: create the file tomcat_home/bin/setenv.sh with the following statement, adjusted to your situation:
JAVA_OPTS="-Xms1024m -Xmx1024m -Xss1024k -XX:PermSize=64m -XX:MaxPermSize=128m"
Parameter details:
-Xms: initial JVM heap size
-Xmx: maximum JVM heap size
-Xss: thread stack size
-XX:PermSize: initial JVM non-heap memory size
-XX:MaxPermSize: maximum JVM non-heap memory size
Recommendations and considerations: set -Xms and -Xmx to the same value so the heap is not resized after every GC; heap memory is recommended at 60%~80% of physical memory; non-heap memory is not reclaimable and its size depends on the project; a thread stack size of 256k is recommended.
A configuration for a 32G machine is as follows:
JAVA_OPTS="-Xms20480m -Xmx20480m -Xss1024k -XX:PermSize=512m -XX:MaxPermSize=2048m"
5. Turn off DNS reverse lookup: in <Connector port="8080" ...> add the following parameters:
<Connector port="8081" protocol="HTTP/1.1"
connectionTimeout="6000" enableLookups="false" acceptCount="800"
redirectPort="8443"/>
6. Optimized Tomcat parameters (using APR) for reference. connectionTimeout is the connection timeout; compression enables compressed transfer, with values on|off|force and a default of off; compressionMinSize is the smallest response size that gets compressed:
<Listener className="org.apache.catalina.core.AprLifecycleListener"/>
...
<Connector port="8080"
protocol="org.apache.coyote.http11.Http11AprProtocol"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="500"
minSpareThreads="20"
acceptCount="1000"
enableLookups="false"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain,application/octet-stream"
compressionMinSize="2048"
URIEncoding="UTF-8"
server="Office"/>
To upgrade, typically back up the current Tomcat's server.xml, catalina.sh, web.xml and tomcat-users.xml, deploy the new Tomcat version, copy the backed-up configuration files over the new ones, then stop the old version and start the new one to complete the upgrade.
Tomcat learning summary (1): Linux Tomcat security optimization