Some notes on configuring nginx and Tomcat on Windows Server

Over the past two days I have been fixing host and site vulnerabilities for a customer (reported by the NSFOCUS "Remote Security Assessment System", 绿盟科技远程安全评估系统). For most of these findings the standard remedy is to upgrade the affected software.

Upgrading to the latest version is usually enough; this time nginx went from 1.13.6 to 1.17.9 and Tomcat from 8.5.16 to 8.5.51.

The deployment layout is sketched briefly below:

1. Tomcat configuration

Once the software is upgraded, the next task is configuration. Tomcat's is relatively simple; two places need changes:

\conf\server.xml

<Connector port="9005" protocol="org.apache.coyote.http11.Http11Nio2Protocol" redirectPort="8443"
               connectionTimeout="20000" URIEncoding="UTF-8" minSpareThreads="25" enableLookups="false"
               maxThreads="500" acceptCount="500" />

\conf\web.xml: directly under the web-app root element, add the following:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
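As an added check (my script, not part of the original post), the following Python audits a web.xml for the two changes above: that PUT, DELETE, OPTIONS and TRACE are denied for /* by a constraint with an empty auth-constraint, and that the DefaultServlet does not enable listings or writes. The sample XML is constructed from the fragment above; Tomcat's default for readonly is true, so the post's readonly=false relies entirely on the method block to keep PUT and DELETE from writing files, and the audit reports it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragment from this post, wrapped in a web-app root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint><web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method><http-method>DELETE</http-method><http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
  </web-resource-collection><auth-constraint></auth-constraint></security-constraint>
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

REQUIRED_BLOCKED = {"PUT", "DELETE", "OPTIONS", "TRACE"}  # methods the scan flagged
def parse(web_xml_text):
    # Drop the Java EE namespace prefix so tag lookups also work on a real web.xml
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root
def blocked_methods(root):
    """Methods denied for /*: a constraint whose <auth-constraint> names no role."""
    blocked = set()
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None or auth.find("role-name") is not None:
            continue  # absent = permit everyone; with a role = login required, not a block
        for wrc in sc.iter("web-resource-collection"):
            if "/*" in {p.text.strip() for p in wrc.iter("url-pattern")}:
                blocked |= {m.text.strip().upper() for m in wrc.iter("http-method")}
    return blocked
def default_servlet_params(root):
    for s in root.iter("servlet"):
        if s.findtext("servlet-class", "").strip().endswith(".DefaultServlet"):
            return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
                    for p in s.iter("init-param")}
    return {}
def audit(web_xml_text):
    """Return findings as strings; an empty list means the post's hardening is present."""
    root = parse(web_xml_text)
    findings = ["not blocked: " + m for m in sorted(REQUIRED_BLOCKED - blocked_methods(root))]
    params = default_servlet_params(root)
    if params.get("listings", "false").lower() != "false":
        findings.append("listings=true")
    if params.get("readonly", "true").lower() != "true":  # Tomcat's default is true
        findings.append("readonly=false")
    return findings
```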

2. nginx configuration

\conf\nginx.conf is configured as follows:

#user  nobody;
worker_processes  16;

error_log  logs/error.log;
error_log  logs/error.log  notice;
error_log  logs/error.log  info;

events {
    worker_connections  10240;
}

http {

	include       mime.types;
    default_type  application/octet-stream;
	server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    ## Start: Timeouts ##
	client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
	## End: Timeouts ##

    #gzip  on;
	
    map $http_upgrade $connection_upgrade {  
        default upgrade;  
        '' close;  
    } 
    upstream xuehua {
        ip_hash;
        server 127.0.0.1:9005;
		server 127.0.0.1:9006;
		server 127.0.0.1:9007;
		server 127.0.0.1:9008;
		server 127.0.0.1:9009;
    }
	upstream xuehua2 {
        ip_hash;
        server 127.0.0.1:9019;
    }

    upstream myserver {
        ip_hash;
        server 127.0.0.1:35001;
        server 127.0.0.1:35002;
    }   


    server {
        listen      8081;
		server_name localhost; 
		
        location ^~ /api/Message {
			proxy_pass http://myserver/Message;
			proxy_http_version 1.1;  
			proxy_set_header Upgrade $http_upgrade;  
			proxy_set_header Connection $connection_upgrade;
			proxy_set_header X-Real-IP $remote_addr;
        }
	

        location ^~ /api/ {
                proxy_pass http://myserver/;
                proxy_set_header X-Real-IP $remote_addr;
        }
		
		# hotlink protection
		location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
			valid_referers none blocked server_names *.ahcrb.net.cn
			localhost baidu.com;
			if ($invalid_referer) {
			rewrite ^/ http://ahcrb.net.cn/images/default/logo.gif;
			# return 403;
			}
		}
		
		#location / {
		#	allow 127.0.0.1;
		#	deny all;
		#}

		location / {
			proxy_http_version 1.1;
			proxy_set_header Connection "";
			proxy_set_header Accept-Encoding "";
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header REMOTE-HOST $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_connect_timeout 10;
			proxy_read_timeout 200;
			proxy_send_timeout 90;
			proxy_pass http://xuehua2/;
		}
		
		error_page 403 404           /404.html;
		location =/404.html {
			internal;
		}

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }        
    }
	
	server {
        listen      8082;
		server_name 172.16.90.29; 
		
        location ^~ /api/Message {
			proxy_pass http://myserver/Message;
			proxy_http_version 1.1;  
			proxy_set_header Upgrade $http_upgrade;  
			proxy_set_header Connection $connection_upgrade;
			proxy_set_header X-Real-IP $remote_addr;
        }
	

        location ^~ /api/ {
                proxy_pass http://myserver/;
                proxy_set_header X-Real-IP $remote_addr;
        }
		
		
		#location / {
		#	allow 127.0.0.1;
		#	deny all;
		#}

		location / {
			proxy_http_version 1.1;
			proxy_set_header Connection "";
			proxy_set_header Accept-Encoding "";
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header REMOTE-HOST $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_connect_timeout 10;
			proxy_read_timeout 200;
			proxy_send_timeout 90;
			proxy_pass http://xuehua2/;
		}
		
		error_page 403 404           /404.html;
		location =/404.html {
			internal;
		}

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }        
    }

}
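Added example, not from the original post: a Python emulation of the valid_referers decision used by the hotlink-protection location above, so the rule can be checked offline against sample Referer values. It assumes the server_name localhost of the 8081 vhost and lists localhost as a bare host name, because nginx strips http:// or https:// from the Referer before comparing, so an entry that itself carries a scheme never matches.

```python
from urllib.parse import urlsplit

# Constructed: the post's valid_referers list, with localhost written as a bare host name.
VALID_REFERERS = ["none", "blocked", "server_names", "*.ahcrb.net.cn", "localhost", "baidu.com"]
SERVER_NAMES = ["localhost"]  # server_name of the 8081 vhost (assumption for this demo)

def _name_matches(host, name):
    """One valid_referers entry: exact host, '*.suffix' or 'prefix.*' wildcard."""
    name = name.lower()
    if name.startswith("*."):
        return host.endswith(name[1:])      # *.ahcrb.net.cn: subdomains only, not the apex
    if name.endswith(".*"):
        return host.startswith(name[:-1])
    return host == name

def referer_is_valid(referer, rule=VALID_REFERERS, server_names=SERVER_NAMES):
    """Emulate nginx's valid_referers: True means $invalid_referer is empty (request served)."""
    if not referer:
        return "none" in rule                # header absent
    low = referer.lower()
    if not low.startswith(("http://", "https://")):
        return "blocked" in rule             # header present but mangled by a proxy/firewall
    host = urlsplit(low).hostname or ""      # scheme, port and path are not compared
    for entry in rule:
        if entry in ("none", "blocked"):
            continue
        names = server_names if entry == "server_names" else [entry]
        if any(_name_matches(host, n) for n in names):
            return True
    return False                             # $invalid_referer set: the rewrite fires
```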

  

3. Once Tomcat and nginx are started, the service can be reached from the server itself in two ways:

  • Directly on Tomcat's port, e.g. 127.0.0.1:9005
  • On nginx's listening port, e.g. 127.0.0.1:8081. Accessing it this way adds one proxy hop: 8081 forwards the request on to 9005.

4. Access from a machine on the same LAN as the server

     Check which ports the server has opened; only allowed ports are reachable, otherwise a new inbound rule is needed. To open port 9005, go to Control Panel, Windows Firewall, New Inbound Rule and add port 9005.

5. To host two test environments under one nginx, configure two server blocks in nginx listening on two ports. Each server maps to one Tomcat, with the new code deployed in one Tomcat and the old code in the other, which gives two separate environments.

     Again, the listening ports must be opened to the outside. Different ports then reach different services; the configuration diagram at this point is as follows:


Reprinted from www.cnblogs.com/tank073/p/12512573.html