Tomcat Learning Summary (one)--linux Tomcat security optimization

Source: Internet
Author: User
Tags: server, port, xms, apache, tomcat

1. web.xml configuration changes:

Default site home page:

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

Custom 404 and 500 error pages (so the stock Tomcat error page, which names the server version, is never shown):

<error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/500.html</location>
</error-page>

Default session timeout (in minutes):

<session-config>
    <session-timeout>60</session-timeout>
</session-config>

Disable directory listings (init-param of the default servlet in conf/web.xml):

<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>

2. server.xml security changes

<Server port="8005" shutdown="SHUTDOWN">

Anything that can connect to this port and send the shutdown string stops Tomcat, so change the string from SHUTDOWN to something hard to guess (the original uses Forevernotdown); the port number can be changed as well.

3. Modify or hide the default Tomcat version information

Like server_tokens off in Nginx, Tomcat can hide its version number. The version string lives in ServerInfo.properties inside lib/catalina.jar, so the jar is unpacked, the file edited and the jar rebuilt:

cd apache-tomcat-7.0.59/lib
mkdir test
cd test
jar xf ../catalina.jar
grep -Ev '^$|#' org/apache/catalina/util/ServerInfo.properties

Output:

server.info=Apache Tomcat/7.0.59
server.number=7.0.59.0

Edit the values:

vi org/apache/catalina/util/ServerInfo.properties
server.info=tomcat
server.number=6
server.built=Jan 14:51:10 UTC

Rebuild the jar, remove the working directory (from lib/, not from inside test/) and verify:

jar cf ../catalina.jar ./*
cd ..
rm -rf test
curl -i http://127.0.0.1:8080
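The edit step above is done by hand in vi; as an added helper (not from the original post), the function below rewrites only the three version keys in an extracted ServerInfo.properties, keeps a backup, and reads a key back so the result can be checked before repacking. The file path is whatever was extracted from catalina.jar.

```shell
#!/bin/sh
# Added example, not part of the original post: rewrite the version keys of an
# extracted org/apache/catalina/util/ServerInfo.properties in place.

# hide_server_info FILE INFO NUMBER BUILT
# Replaces the values of server.info, server.number and server.built in FILE.
# All other lines (license header, comments, unknown keys) are left untouched,
# and the original is kept as FILE.bak so the change can be rolled back.
hide_server_info() {
    f="$1"; tmp="$1.tmp"
    cp "$f" "$f.bak"
    sed -e "s|^server\.info=.*|server.info=$2|" \
        -e "s|^server\.number=.*|server.number=$3|" \
        -e "s|^server\.built=.*|server.built=$4|" "$f" > "$tmp" && mv "$tmp" "$f"
}

# server_info_key FILE KEY: print the value of KEY (e.g. server.info), used to
# verify the rewrite before the jar is rebuilt.
server_info_key() {
    sed -n "s|^$2=||p" "$1"
}

# Typical use after "jar xf ../catalina.jar" in the working directory:
#   hide_server_info org/apache/catalina/util/ServerInfo.properties tomcat 6 unknown
#   server_info_key  org/apache/catalina/util/ServerInfo.properties server.info
```

Instead of rebuilding the whole archive with jar cf, `jar uf ../catalina.jar org/apache/catalina/util/ServerInfo.properties` updates just that entry; after restarting, also request a non-existent URL, since Tomcat's built-in error page prints the same version string.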

4. Delete unnecessary directories under $CATALINA_HOME/webapps

Remove everything under webapps (the sample applications, docs, manager and host-manager) right after the first installation of Tomcat:

rm -rf /srv/apache-tomcat/webapps/*

5. tomcat-users.xml holds the list of user names, roles and passwords. If deployment through the web interface is not needed, these entries must be commented out in production:

# cat conf/tomcat-users.xml

<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->

6. server.xml: thread count and hot deployment

1) maxThreads is the maximum number of request-processing threads; minSpareThreads is the number of threads created at startup. If one instance receives too many connections, build a load-balanced Tomcat cluster instead of raising these without limit.

2) Tomcat enables hot deployment of WAR packages by default: a WAR dropped into webapps is unpacked and started automatically. To stop a malicious program such as a Trojan from being deployed that way, turn automatic deployment off on the <Host> element:

unpackWARs="false" autoDeploy="false"
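As an added check (not from the original post), the script below audits a Tomcat conf directory for the settings from sections 1, 2 and 6: the default shutdown string, autoDeploy/unpackWARs, enableLookups, and directory listings. It assumes the stock layout of server.xml and web.xml under the directory given as its argument, and builds a constructed weak and hardened sample to run against.

```shell
#!/bin/sh
# Added audit script, not part of the original post. Checks "$1/server.xml" and
# "$1/web.xml" (stock Tomcat conf layout) for the hardening settings above.

# audit_tomcat_conf DIR: print one line per finding; no output means clean.
audit_tomcat_conf() {
    # Flatten both files (drop newlines, tabs, spaces) so a check does not
    # depend on how an element happens to be wrapped across lines.
    s=$(tr -d '\n\t ' < "$1/server.xml"); w=$(tr -d '\n\t ' < "$1/web.xml")
    # Anyone who can reach port 8005 and send this string stops Tomcat.
    case "$s" in *'shutdown="SHUTDOWN"'*) echo "server.xml: default shutdown command";; esac
    # Hot deployment: a WAR dropped into webapps/ is unpacked and started.
    case "$s" in *'autoDeploy="false"'*) ;; *) echo "server.xml: autoDeploy not false";; esac
    case "$s" in *'unpackWARs="false"'*) ;; *) echo "server.xml: unpackWARs not false";; esac
    # A reverse DNS lookup per request only slows the connector down.
    case "$s" in *'enableLookups="true"'*) echo "server.xml: enableLookups is true";; esac
    # Directory listings from the default servlet expose the webapp layout.
    case "$w" in *'<param-name>listings</param-name><param-value>true</param-value>'*)
        echo "web.xml: directory listings enabled";; esac
}

# make_sample_conf DIR weak|hard: write a constructed sample conf directory
# (weak = Tomcat-style defaults, hard = the settings recommended on this page).
make_sample_conf() {
    mkdir -p "$1"
    if [ "$2" = weak ]; then shut=SHUTDOWN; on=true; else shut=Forevernotdown; on=false; fi
    cat > "$1/server.xml" <<EOF
<Server port="8005" shutdown="$shut">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" enableLookups="$on" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="$on" autoDeploy="$on"/>
    </Engine>
  </Service>
</Server>
EOF
    cat > "$1/web.xml" <<EOF
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>$on</param-value></init-param>
  </servlet>
</web-app>
EOF
}

# On a real install (path assumed): audit_tomcat_conf /usr/local/tomcat/conf
```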

7. Multiple virtual hosts

It is strongly recommended not to use Tomcat's virtual hosts: run one instance per site. Launching several Tomcats costs more memory, but it guarantees isolation between applications and therefore security.

8. Although Tomcat can enable compression with compression="on" on the connector, it is better to leave compression to a front-end Apache or Nginx that handles it for all sites.

9. Application security: separate the Tomcat directory from the deployed applications

Do not start Tomcat as root. Create a dedicated unprivileged user (for example tomcat) and make it the owner of the Tomcat directory.

10. Production deployment

With Apache+Tomcat or Nginx+Tomcat, the site's default home page and custom error pages can be served by the front-end Apache or Nginx.

Optimization

Tomcat has three connector modes:

1. BIO

The default (blocking I/O) mode; its performance is poor.

2. NIO

Using NIO on the server side gives better performance and better handling of concurrent requests. Tomcat 8 runs in NIO mode by default; to use it, change the protocol on the Connector node in server.xml to:

<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           useBodyEncodingForURI="true"
           enableLookups="false"
           redirectPort="8443"/>

Restart Tomcat for the change to take effect.

3. APR installation and optimization

APR handles asynchronous I/O at the operating-system level and greatly improves performance. APR and the Tomcat native library must both be installed; then change the connector protocol to org.apache.coyote.http11.Http11AprProtocol.

Install APR:

yum -y install apr apr-util apr-devel openssl-devel

Build and install tomcat-native from the Tomcat bin directory, for example:

cd /usr/local/tomcat/bin/
tar xzfv tomcat-native.tar.gz
cd tomcat-native-1.1.20-src/jni/native/
./configure --with-apr=/usr/bin/apr-1-config
make && make install

The following message appears when the installation completes:

Libraries have been installed in:
   /usr/local/apr/lib

After a successful installation, Tomcat still needs to find the library. Add one line to bin/setenv.sh:

CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"

Or:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
source /etc/profile

Then change the connector on port 8080 in conf/server.xml:

protocol="org.apache.coyote.http11.Http11AprProtocol"

After Tomcat starts, a line like the following in the log confirms that APR mode is active:

INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

4. Memory parameter optimization

Concurrency optimization, 1. JVM tuning: create tomcat_home/bin/setenv.sh with the following line, adjusted to your situation.

JAVA_OPTS="-Xms1024m -Xmx1024m -Xss1024k -XX:PermSize=64m -XX:MaxPermSize=128m"

Parameter details:

-Xms: initial JVM heap size
-Xmx: maximum JVM heap size
-Xss: thread stack size
-XX:PermSize: initial non-heap (permanent generation) size
-XX:MaxPermSize: maximum non-heap size

Recommendations and notes: set -Xms and -Xmx to the same value so the heap is not resized after every GC; the heap is recommended at 60%~80% of physical memory; non-heap memory is not reclaimed and its size depends on the application; the recommended thread stack size is 256k.

Configuration for a 32 GB server:

JAVA_OPTS="-Xms20480m -Xmx20480m -Xss1024k -XX:PermSize=512m -XX:MaxPermSize=2048m"

5. Turn off DNS reverse lookup: in <Connector port="8080"> add the following parameters (the post's example connector listens on 8081):

<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="6000" enableLookups="false" acceptCount="800"
           redirectPort="8443"/>

6. Tuned Tomcat connector parameters (using APR), for reference:

<Listener className="org.apache.catalina.core.AprLifecycleListener"/>
...
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="20000"
           redirectPort="8443"
           maxThreads="500"
           minSpareThreads="20"
           acceptCount="1000"
           enableLookups="false"
           compression="on"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain,application/octet-stream"
           compressionMinSize="2048"
           URIEncoding="UTF-8"
           server="Office"/>

Notes: connectionTimeout is the connection timeout in milliseconds; compression enables compressed transfer, with values on|off|force and a default of off; server replaces the value Tomcat sends in the HTTP Server response header.

To upgrade, first back up the old version's server.xml, catalina.sh, web.xml and tomcat-users.xml. After deploying the new version of Tomcat, copy those configuration files over it, then stop the old version and start the new one to complete the upgrade.
