1. JVM
1.1. Use Server JRE instead of JDK.
Do not install the JDK on the server. Use the Server JRE, which ships without a compiler. Code should be compiled and packaged on the release (build) server, not on the production server.
Reason: if the server is compromised, the absence of a compiler prevents an attacker from compiling other malicious code on the server and implanting it into your program.
1.2. java_opts
export JAVA_OPTS="-server -Xms512m -Xmx4096m -XX:PermSize=64M -XX:MaxPermSize=512m"
-Xms specifies the initial heap size.
-Xmx specifies the maximum heap size.
2. Tomcat Optimization
2.1. maxThreads connection limit
maxThreads is the maximum number of request-processing threads, i.e. the maximum number of concurrent connections Tomcat can handle. Generally, the setting should not exceed 8000. If your website has a high traffic volume, run multiple Tomcat instances instead.
That is, start multiple Tomcat servers on one machine and load-balance across them.
<Connector port="8080" address="localhost" maxThreads="2048" maxHttpHeaderSize="8192" emptySessionPath="true" protocol="HTTP/1.1" enableLookups="false" redirectPort="8181" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
Tip
Many PHP operations staff make a big mistake here. When tuning a PHP server they size the connection count from the CPU and memory, and a connection count that is too large is usually harmless. In Java, however, the JVM configuration is different and you must be very careful: a small error will crash the JVM.
The maxThreads value should be adjusted according to the JVM -Xmx parameter, that is, the memory overhead of the threads must be taken into account.
2.2. Virtual hosts
Do not use Tomcat virtual hosts. Give each site its own instance, that is, start multiple Tomcats.
This is another common mistake carried over from PHP operations. The PHP practice is to place multiple virtual hosts under one web server rather than starting a web server per host. Tomcat, however, is multi-threaded and its memory is shared: an application crash on any one virtual host affects all applications. Although multiple instances cost more, they ensure application isolation and security.
2.3. Compressed transfer
For gzip compression, configure the compression options on the Connector in Tomcat's server.xml.
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain,application/octet-stream"/>
Tip
Compression increases the load on Tomcat. It is best to use nginx + Tomcat or Apache + Tomcat and let nginx/Apache do the compression.
3. Tomcat security configuration
3.1. Initialize the configuration after installation
After Tomcat is installed, you must do the following:
Delete everything under webapps immediately after the first installation.
rm -rf /srv/apache-tomcat/webapps/*
Comment out or delete all users and roles in tomcat-users.xml, so that it looks like:
# cat conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
</tomcat-users>
Hide the Tomcat version information
vim $CATALINA_HOME/conf/server.xml
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxThreads="8192" minSpareThreads="64" maxSpareThreads="128" acceptCount="128" enableLookups="false" server="Neo App Srv 1.0"/>
# curl -I http://localhost:8080/
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Date: Thu, 20 Oct 2011 09:51:55 GMT
Connection: close
Server: Neo App Srv 1.0
The Server header now reads Server: Neo App Srv 1.0.
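The checks from sections 2.1 and 3.1 can be audited mechanically. The following script is an added example, not code from the original article: it parses a server.xml and a tomcat-users.xml with the standard library, reports Connectors that still send the default Server header or exceed the 8000-thread cap, lists any accounts left in tomcat-users.xml, and lists what is still sitting in webapps/. The sample XML and the demo webapps directory are constructed; the 200-thread default and the Apache-Coyote/1.1 header are Tomcat's own behaviour of that era.

```python
"""Audit Tomcat's server.xml, tomcat-users.xml and webapps/ against the
checklist in sections 2.1 and 3.1.  Added example, not code from the
original article; the sample XML and directory contents are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

MAX_THREADS_LIMIT = 8000  # upper bound recommended in section 2.1
TOMCAT_DEFAULT_MAX_THREADS = 200  # Tomcat's default when the attribute is absent

# Constructed server.xml: the first Connector is hardened, the second still
# sends the default Server header and exceeds the thread limit.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxThreads="2048"
               server="Neo App Srv 1.0"/>
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="9000"/>
  </Service>
</Server>
"""

# Constructed tomcat-users.xml that still carries a manager account.
SAMPLE_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip an XML namespace prefix ({uri}user -> user); newer tomcat-users.xml
    files declare a default namespace, older ones do not."""
    return tag.rpartition("}")[2]


def audit_connectors(server_xml_text):
    """Return one finding string per problem found on each <Connector>."""
    findings = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter():
        if _local_name(conn.tag) != "Connector":
            continue
        port = conn.get("port", "?")
        # Section 3.1: without server=..., Tomcat of this era answers with
        # "Server: Apache-Coyote/1.1", which identifies the container.
        if not conn.get("server"):
            findings.append(f"connector {port}: no server= attribute, version header leaks")
        # Section 2.1: maxThreads is bounded by the heap (-Xmx); the article caps it at 8000.
        max_threads = int(conn.get("maxThreads", TOMCAT_DEFAULT_MAX_THREADS))
        if max_threads > MAX_THREADS_LIMIT:
            findings.append(f"connector {port}: maxThreads={max_threads} exceeds {MAX_THREADS_LIMIT}")
    return findings


def audit_users(users_xml_text):
    """Return the usernames still defined in tomcat-users.xml; the hardened
    file from section 3.1 has none."""
    root = ET.fromstring(users_xml_text)
    return [el.get("username") for el in root.iter() if _local_name(el.tag) == "user"]


def leftover_webapps(webapps_dir):
    """Return whatever is still inside webapps/ (section 3.1 says delete it all)."""
    return sorted(os.listdir(webapps_dir))


def make_demo_webapps(apps):
    """Create a constructed stand-in for $CATALINA_HOME/webapps holding `apps`."""
    path = tempfile.mkdtemp()
    for app in apps:
        os.mkdir(os.path.join(path, app))
    return path


if __name__ == "__main__":
    for line in audit_connectors(SAMPLE_SERVER_XML):
        print("server.xml:", line)
    print("tomcat-users.xml users:", audit_users(SAMPLE_USERS_XML))
    demo = make_demo_webapps(("ROOT", "docs", "examples", "manager"))
    print("webapps leftovers:", leftover_webapps(demo))
```

Run it against the real files with ET.parse(path).getroot() in place of the constructed strings; an empty result from all three functions means the section 3.1 steps have been completed.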
3.2. Startup user and port
Do not start Tomcat as root. A Java program behaves differently from a C program here. Nginx and httpd start their daemon as root in order to bind port 80, and the worker processes/threads then switch to an unprivileged user via setuid() and setgid(): the parent process is owned by root, while the child processes and threads are owned by a non-root user that has no shell and cannot log in through SSH or the console. The JVM, by contrast, is system-independent and runs on top of the OS; whichever user starts Tomcat, Tomcat simply inherits that user's permissions.
This causes a problem. On Linux only root can bind ports below 1024, which is why Tomcat's default port is 8080. If you want to use port 80 directly, you can only start Tomcat as root, and that creates many security problems.
The solution is to create a dedicated user, for example:
groupadd -g 80 daemon
adduser -o --home /daemon --shell /sbin/nologin --uid 80 --gid 80 -c "Web Server" daemon
Note: /sbin/nologin means this user cannot log in, and no password was set for it. The user can only be used to start Tomcat.
chown daemon:daemon -R /srv/*
su - daemon -c "/srv/apache-tomcat/bin/startup.sh"
Next, solve the port 80 problem, either by redirecting port 80 to 8080 or by proxying port 80 requests to 8080.
The following is the port-redirect solution, which redirects 80 to 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Cancel the redirect:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
View the rules:
iptables -t nat -L
The other solution is to proxy requests from port 80 to 8080.
For this, place a reverse proxy in front of Tomcat, such as nginx, Apache, Squid, Varnish, F5, Array, and so on.
3.3. Application Security
Disable automatic WAR deployment: unpackWARs="false" autoDeploy="false". This prevents Trojans and other malicious programs from being dropped into the deployment directory and deployed.
The application deployment user and the Tomcat startup user must not be the same.
My Tomcat is installed under /srv and started as the daemon user; the application lives under /www, owned by the www user. The purpose is that if a web shell is ever implanted into Tomcat, it cannot create or edit anything under /www.
adduser --home /www -c "Web Application" www
3.4. JSESSIONID
Change the name of the JSESSIONID cookie, which maintains the session relationship, so that the cookie name does not reveal a Java backend. We recommend changing it to PHPSESSID.
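The items in sections 3.3 and 3.4 can be verified the same way. The script below is an added example, not code from the original article: it reports any <Host> that still auto-deploys (Tomcat defaults both unpackWARs and autoDeploy to true, so a missing attribute counts as a finding), reads the sessionCookieName set on each <Context> (a Tomcat 7+ Context attribute; the article itself does not name the setting), and checks from owner and mode bits whether the Tomcat runtime user could write into the application directory, which is the separation section 3.3 asks for. The sample XML and the uid/gid offsets are constructed; the directory check ignores supplementary groups and ACLs.

```python
"""Check the application-security items of sections 3.3 and 3.4 on a
server.xml and on the application directory.  Added example, not code from
the original article; the sample XML and uid/gid values are constructed."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed server.xml: the Host still auto-deploys, while the Context has
# already renamed the cookie as section 3.4 recommends.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="/www" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="app" sessionCookieName="PHPSESSID"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def _is_false(value):
    return (value or "").strip().lower() == "false"


def audit_hosts(server_xml_text):
    """Section 3.3: every <Host> needs unpackWARs="false" autoDeploy="false".
    Tomcat defaults both to true, so a missing attribute is also a finding."""
    findings = []
    for host in ET.fromstring(server_xml_text).iter("Host"):
        name = host.get("name", "?")
        for attr in ("unpackWARs", "autoDeploy"):
            if not _is_false(host.get(attr)):
                findings.append(f'host {name}: {attr} should be "false"')
    return findings


def session_cookie_names(server_xml_text):
    """Section 3.4: the sessionCookieName set on each <Context> (Tomcat 7+
    Context attribute); None means the default JSESSIONID is still in use."""
    return [ctx.get("sessionCookieName")
            for ctx in ET.fromstring(server_xml_text).iter("Context")]


def writable_by(path, uid, gid):
    """Could an unprivileged user with this uid and primary gid write to
    `path`?  Judged from owner and mode bits only (supplementary groups and
    POSIX ACLs are ignored), so it can be evaluated for the Tomcat user
    without switching to that account."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def deployment_separated(app_dir, tomcat_uid, tomcat_gid):
    """Section 3.3: True when the Tomcat runtime user cannot create or edit
    entries in the application directory (e.g. /www owned by www while
    Tomcat runs as daemon)."""
    return not writable_by(app_dir, tomcat_uid, tomcat_gid)


def app_dir_owner(path):
    """Return (uid, gid) of the directory's owner, i.e. the deployment user."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def make_demo_app_dir(mode=0o755):
    """Create a constructed stand-in for /www, owned by the current user."""
    path = tempfile.mkdtemp()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_SERVER_XML))
    print(session_cookie_names(SAMPLE_SERVER_XML))
    www = make_demo_app_dir()
    owner_uid, owner_gid = app_dir_owner(www)
    # The owner (deployment user) can write; a different uid/gid standing in
    # for the Tomcat runtime user cannot, as long as the mode is 0755.
    print("owner can deploy:", writable_by(www, owner_uid, owner_gid))
    print("tomcat isolated:", deployment_separated(www, owner_uid + 1, owner_gid + 1))
```

For a real host, pass the numeric uid/gid of the Tomcat startup user (80/80 for the daemon user created in section 3.2) and the real /www path; a world-writable or daemon-owned application directory shows up as deployment_separated returning False.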