Two startup methods and web page management of Tomcat 9.0.7

Project environment

System platform:
CentOS Linux release 7.4.1708 (Core)       kernel  3.10.0-693.el7.x86_64   minimal installation

Configure the jdk environment

Download Java SE Development Kit 8u162, the version that meets the project requirements, from the official Oracle website

http://download.oracle.com/otn-pub/java/jdk/8u162-b12/0da788060d494f5095bf8624735fa2f1/jdk-8u162-linux-x64.tar.gz
# cd /usr/local/
# tar xvf jdk-8u162-linux-x64.tar.gz -C /usr/local/
# ln -sv jdk1.8.0_162/ javajdk
# vim /etc/profile.d/java.sh
export JAVA_HOME=/usr/local/javajdk
export PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH
export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/jre/lib
# source /etc/profile.d/java.sh
# java -version
java version "1.8.0_162"

Configure tomcat

Download the appropriate version from the official website

https://tomcat.apache.org/

http://apache.mirrors.pair.com/tomcat/tomcat-9/v9.0.7/bin/apache-tomcat-9.0.7.tar.gz

# tar xvf apache-tomcat-9.0.7.tar.gz -C /usr/local/
# cd /usr/local/
# mv apache-tomcat-9.0.7/ tomcat-9.0.7
# ln -sv tomcat-9.0.7/ tomcat

Configure tomcat environment variables

# vim /etc/profile.d/tomcat.sh
export CATALINA_BASE=/usr/local/tomcat
export PATH=$CATALINA_BASE/bin:$PATH

Configure tomcat to start at boot

Method 1: Via catalina.sh

Call $CATALINA_HOME/bin/startup.sh directly to start tomcat, and $CATALINA_HOME/bin/shutdown.sh to shut it down

With this method the tomcat process is started and kept running by the root user, which is a weakness from a security point of view.

# vim /usr/local/tomcat/bin/catalina.sh
Write the following on the second line
JAVA_HOME=/usr/local/javajdk
CATALINA_BASE=/usr/local/tomcat

# echo "/usr/local/tomcat/bin/catalina.sh start" >> /etc/rc.local
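# chmod +x /etc/rc.local
The chmod step is very important: on CentOS 7 rc.local is not executable by default, and it is not run at boot until it is.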

Method 2: Run as a daemon

Running tomcat as a daemon detaches it from the terminal, so it does not stop when the terminal session exits. It also lets tomcat run as a normal user and start automatically when the system boots.

Jsvc is a toolkit developed for Java applications; its goal is to let an ordinary Java application run as a Unix daemon, so that the application can be started and stopped easily.

The source is commons-daemon-native.tar.gz in the bin/ directory of the tomcat installation, or it can be downloaded from http://commons.apache.org/proper/commons-daemon/download_daemon.cgi

# cd /usr/local/tomcat-9.0.7/bin/
# tar xvf commons-daemon-native.tar.gz
# cd commons-daemon-1.1.0-native-src/unix/
# ./configure
# make
# cp jsvc /usr/local/tomcat/bin/

Create a Tomcat user

# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat /usr/local/tomcat/

Configure a systemd unit for startup

# vim /usr/lib/systemd/system/tomcat.service

[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking
EnvironmentFile=/usr/local/tomcat/conf/tomcat.conf
ExecStart=/usr/local/tomcat/bin/daemon.sh start
ExecStop=/usr/local/tomcat/bin/daemon.sh stop
SuccessExitStatus=143
User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target

Parameter configuration file
# vim /usr/local/tomcat/conf/tomcat.conf
JAVA_HOME="/usr/local/javajdk"
CATALINA_BASE="/usr/local/tomcat"
CATALINA_HOME="/usr/local/tomcat"
TOMCAT_USER="tomcat"
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"  > used for tuning

After that, tomcat can be managed as follows
# systemctl status tomcat       status
# systemctl start tomcat        start
# systemctl stop tomcat         stop

You can see that it is running under jsvc
# ss -nltp|grep 8080
LISTEN     0      100         :::8080                    :::*                   users:(("jsvc",pid=2953,fd=49))

Configure tomcat web management

# cd /usr/local/tomcat/conf/
# cp tomcat-users.xml{,.bak}
# vim tomcat-users.xml

Role definitions

1. Server Status

View read-only server status

2. Manager App

Manage apps, including start, stop, reload and undeploy of war package services, and configure session expiration time

The following roles need to be enabled

manager-gui     Allows access to the HTML interface (i.e. URL path /manager/html/*)
manager-script  Allows access to the plain-text interface (i.e. URL path /manager/text/*)
manager-jmx     Allows access to the JMX proxy interface (i.e. URL path /manager/jmxproxy/*)
manager-status  Allows access to the read-only Tomcat status page (i.e. URL path /manager/status/*)

3. Host Manager

Manage and configure the Tomcat server

The following roles need to be enabled

manager-gui     Allows access to the HTML interface (i.e. URL path /manager/html/*)
admin-gui       Allows access to the HTML interface
admin-script    Allows access to the plain-text interface

###

The definition format of 4 roles and 5 functions is as follows

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>

The format for adding a username and password and granting access roles is as follows

<user username="USERNAME" password="PASSWORD" roles="roles go here, e.g. admin-gui,manager-gui"/>
<user username="tomcat" password="123abc" roles="admin-gui,manager-gui"/>
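
The role table and user entries above can be checked mechanically. The following is an added example, not part of the original article: it reads a tomcat-users.xml and reports, per user, which Manager paths the granted roles open and whether the entry has a weak point. The "deploy" user, the sample passphrase and the 12-character minimum are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the role and user entries shown above, plus one
# hypothetical "deploy" user added to illustrate a second finding.
USERS_XML = '''<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="admin-gui"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="123abc" roles="admin-gui,manager-gui"/>
  <user username="deploy" password="constructed-long-passphrase"
        roles="manager-gui,manager-script"/>
</tomcat-users>'''

# Role -> Manager URL path, as listed in the role table on this page.
ROLE_PATHS = {
    "manager-gui": "/manager/html/*",
    "manager-script": "/manager/text/*",
    "manager-jmx": "/manager/jmxproxy/*",
    "manager-status": "/manager/status/*",
}
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Tomcat setting

def local_name(element):
    """Tag name without the XML namespace that tomcat-users.xml declares."""
    return element.tag.rsplit("}", 1)[-1]

def audit_users(users_xml, min_len=MIN_PASSWORD_LEN):
    """Map each user to the Manager paths their roles open, plus findings."""
    report = {}
    for el in ET.fromstring(users_xml).iter():
        if local_name(el) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        findings = []
        if len(el.get("password", "")) < min_len:
            findings.append("password shorter than policy minimum")
        # The Manager documentation advises against combining manager-gui
        # with manager-script or manager-jmx (it weakens the CSRF protection).
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append("manager-gui combined with script/jmx role")
        report[el.get("username")] = {
            "paths": sorted(ROLE_PATHS[r] for r in roles if r in ROLE_PATHS),
            "findings": findings,
        }
    return report

if __name__ == "__main__":
    for name, entry in audit_users(USERS_XML).items():
        print(name, entry["paths"], entry["findings"] or "no findings")
```
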

In addition to password restrictions, it is also possible to restrict access to the Manager web application by remote IP addresses or hosts, especially hosts on the public network, by adding or . Reference URL https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Filter

Edit the following 2 files as needed
# vim /usr/local/tomcat/webapps/manager/META-INF/context.xml
# vim /usr/local/tomcat/webapps/host-manager/META-INF/context.xml

Add the IP range that is allowed access; otherwise only the local machine can access it
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.10\.\d+" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
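
Before restarting, it helps to confirm which client addresses the allow pattern really admits. The following is an added example, not part of the original article: it reads the RemoteAddrValve from a context.xml and applies the valve's decision order (deny first, then allow, with the whole address required to match). Python's re module stands in for java.util.regex here, and the client addresses are constructed test values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Valve from the context.xml on this page (the
# <Manager> element is left out; it plays no part in address filtering).
CONTEXT_XML = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.10\.\d+" />
</Context>'''

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"

def load_filters(context_xml):
    """Return one (allow, deny) pair of compiled patterns per RemoteAddrValve."""
    def compile_attr(value):
        # Python's re stands in for java.util.regex; re.ASCII limits \d to 0-9.
        return re.compile(value, re.ASCII) if value else None
    return [(compile_attr(v.get("allow")), compile_attr(v.get("deny")))
            for v in ET.fromstring(context_xml).iter("Valve")
            if v.get("className") == VALVE_CLASS]

def is_allowed(addr, allow, deny):
    """Valve decision order: deny wins, then allow; the whole address must match."""
    if deny and deny.fullmatch(addr):
        return False
    if allow and allow.fullmatch(addr):
        return True
    # Only a deny list configured: everything not denied passes.
    return deny is not None and allow is None

def admitted(context_xml, addrs):
    """Addresses accepted by every RemoteAddrValve in the context."""
    filters = load_filters(context_xml)
    return [a for a in addrs if all(is_allowed(a, al, de) for al, de in filters)]

# Constructed client addresses.
CLIENTS = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "192.168.10.25",
           "192.168.100.25", "192.168.1.10", "203.0.113.7"]

if __name__ == "__main__":
    ok = admitted(CONTEXT_XML, CLIENTS)
    for client in CLIENTS:
        print(f"{client:18} {'allowed' if client in ok else 'rejected (403)'}")
```

Because the whole address must match, 192.168.100.25 and 192.168.1.10 are rejected even though they share a prefix with the allowed range.
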

Modify the file size allowed to be uploaded by tomcat

Units are bytes

    <multipart-config>
      <!-- 50MB max -->
      <max-file-size>52428800</max-file-size>
      <max-request-size>52428800</max-request-size>
      <file-size-threshold>0</file-size-threshold>
    </multipart-config>

The tomcat service must be restarted for the above configuration to take effect
