Configuration tips for Tomcat behind nginx on Windows Server

For the last two days I have been helping a customer deal with vulnerabilities that a scanner (the NSFOCUS, literally "Green League", "Remote Security Assessment System") reported for their hosts and sites. The most common fix is to upgrade the software version.

Generally you can upgrade to the latest version. In this case nginx was upgraded from 1.13.6 to 1.17.9 and Tomcat from 8.5.16 to 8.5.51.

First, the deployment layout is briefly shown in the following diagrams:

 

 

 

 

1, tomcat configuration

After a software upgrade, the most common follow-up task is configuration. The Tomcat configuration is relatively simple; two places need to be modified:

\conf\server.xml

<!-- HTTP/1.1 connector using the NIO2 endpoint, listening on port 9005.
     No address attribute is set, so Tomcat binds this port on every interface of the host.
     The nginx upstreams on this page reach Tomcat via 127.0.0.1; if only the local nginx
     should talk to Tomcat, consider adding address="127.0.0.1" (review against how the
     port is meant to be reached).
     redirectPort="8443" is where Tomcat redirects requests that need a secure transport;
     no connector for 8443 is shown in this excerpt.
     enableLookups="false" avoids reverse DNS lookups for client addresses. -->
<Connector port="9005" protocol="org.apache.coyote.http11.Http11Nio2Protocol" redirectPort="8443"
               connectionTimeout="20000" URIEncoding="UTF-8" minSpareThreads="25" enableLookups="false"
               maxThreads="500" acceptCount="500" />

In \conf\web.xml, under the root web-app element, make the following changes:

<!-- Deny the listed HTTP methods for every URL of the application.
     The auth-constraint below is present but empty, which means no role is permitted,
     so PUT, DELETE, HEAD, OPTIONS and TRACE are refused for all users.
     Methods that are not listed here (GET, POST, ...) are not covered by this constraint.
     NOTE(review): HEAD is also denied; some monitoring probes and clients use HEAD,
     so confirm nothing in the deployment depends on it. -->
<security-constraint>  

        <web-resource-collection>  

            <!-- Applies to every path under the application. -->
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>  
            <http-method>DELETE</http-method>  
            <http-method>HEAD</http-method>  
            <http-method>OPTIONS</http-method>  
            <http-method>TRACE</http-method>  

        </web-resource-collection>  

        <!-- Intentionally empty: with no role-name entries, access is denied to everyone. -->
        <auth-constraint>  

        </auth-constraint>  

    </security-constraint>  

    <!-- Authentication scheme declared for the application. Because the constraint above
         names no role, a successful BASIC login still does not unlock the denied methods. -->
    <login-config>  
        <auth-method>BASIC</auth-method>  
    </login-config>  
    
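    <!-- Tomcat's default servlet, which serves static resources. -->
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <!-- debug=0: no debug output from the servlet. -->
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <!-- listings=false: do not generate directory indexes for folders without a welcome file. -->
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <!-- readonly=true (Tomcat's default): the default servlet rejects PUT and DELETE,
             so it cannot be used to write or remove files under the web root.
             The previous value "false" turned that write support on and left a
             security-constraint in web.xml as the only thing blocking it; keeping
             readonly=true means the block does not depend on that single rule. -->
        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>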

 

2, nginx configuration

\conf\nginx.conf is configured as follows:

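#user  nobody;

# NOTE(review): this deployment runs on Windows. nginx's documentation for Windows
# lists limits on how many workers do useful work and on connections per worker;
# confirm that 16 workers and 10240 connections are effective on this platform.
worker_processes  16;

# One error_log at "info", the most verbose of the three levels configured before.
# The original declared the same file three times (default, notice, info), which
# makes nginx write higher-severity messages to logs/error.log more than once.
error_log  logs/error.log  info;

events {
    worker_connections  10240;
}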

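http {

    include       mime.types;
    default_type  application/octet-stream;

    # Hide the nginx version in the Server header and on built-in error pages.
    # (The directive is "server_tokens"; "server_token" is not a valid directive
    # and prevents nginx from starting.)
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    ## Start: Timeouts ##
    # Short client timeouts limit how long a slow or idle client can hold a connection.
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##

    #gzip  on;

    # Connection header value for WebSocket proxying: "upgrade" when the client
    # sent an Upgrade header, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Tomcat instances on the local host, pinned per client address by ip_hash.
    # NOTE(review): no proxy_pass in this file references "xuehua"; confirm whether
    # it is still needed.
    upstream xuehua {
        ip_hash;
        server 127.0.0.1:9005;
        server 127.0.0.1:9006;
        server 127.0.0.1:9007;
        server 127.0.0.1:9008;
        server 127.0.0.1:9009;
    }

    # Backend used by "location /" in both server blocks below.
    upstream xuehua2 {
        ip_hash;
        server 127.0.0.1:9019;
    }

    # Backend for the /api/ locations.
    upstream myserver {
        ip_hash;
        server 127.0.0.1:35001;
        server 127.0.0.1:35002;
    }

    server {
        listen      8081;
        server_name localhost;

        # WebSocket-capable endpoint: forward the Upgrade handshake to the backend.
        # Connection follows the map above, so plain HTTP requests are not sent
        # upstream with a hard-coded "Connection: Upgrade".
        location ^~ /api/Message {
            proxy_pass http://myserver/Message;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Remaining API calls; the /api/ prefix is stripped by the trailing slash
        # in proxy_pass.
        location ^~ /api/ {
            proxy_pass http://myserver/;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Hotlink protection for images and archives.
        # "none" and "blocked" accept requests with a missing or stripped Referer,
        # and the Referer header is client-controlled, so this reduces casual
        # hotlinking but is not an access control.
        # NOTE(review): valid_referers entries are matched as host names;
        # "http://localhost" includes a scheme and probably never matches. Confirm.
        # NOTE(review): this regex location has no root or proxy_pass, so allowed
        # requests are served from nginx's own root, not from the backend. Confirm
        # that is intended.
        location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
            valid_referers none blocked server_names *.ahcrb.net.cn
                           http://localhost baidu.com;
            if ($invalid_referer) {
                # Redirect to a placeholder image. The original target was wrapped in
                # forum [img]...[/img] tags, which is not a valid URL.
                # NOTE(review): if ahcrb.net.cn is served by this same location, make
                # sure the placeholder itself cannot trigger this redirect again.
                rewrite ^/ http://ahcrb.net.cn/images/default/logo.gif;
                # return 403;
            }
        }

        #location / {
        #    allow 127.0.0.1;
        #    deny all;
        #}

        # Everything else goes to the Tomcat backend.
        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For value the
            # client sent, so the backend should trust only the last entry (or X-Real-IP).
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 10;
            proxy_read_timeout 200;
            proxy_send_timeout 90;
            proxy_pass http://xuehua2/;
        }

        # Same page for 403 and 404, so a forbidden path is not distinguishable
        # from a missing one; "internal" blocks direct requests for the page.
        error_page 403 404           /404.html;
        location = /404.html {
            internal;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    server {
        listen      8082;
        server_name 172.16.90.29;

        # WebSocket-capable endpoint: forward the Upgrade handshake to the backend.
        # Connection follows the map above, so plain HTTP requests are not sent
        # upstream with a hard-coded "Connection: Upgrade".
        location ^~ /api/Message {
            proxy_pass http://myserver/Message;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Remaining API calls; the /api/ prefix is stripped by the trailing slash
        # in proxy_pass.
        location ^~ /api/ {
            proxy_pass http://myserver/;
            proxy_set_header X-Real-IP $remote_addr;
        }

        #location / {
        #    allow 127.0.0.1;
        #    deny all;
        #}

        # Everything else goes to the Tomcat backend.
        # NOTE(review): this server proxies to the same upstream (xuehua2) as the
        # server on 8081; if the two ports are meant to be separate environments,
        # each needs its own upstream.
        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For value the
            # client sent, so the backend should trust only the last entry (or X-Real-IP).
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 10;
            proxy_read_timeout 200;
            proxy_send_timeout 90;
            proxy_pass http://xuehua2/;
        }

        # Same page for 403 and 404, so a forbidden path is not distinguishable
        # from a missing one; "internal" blocks direct requests for the page.
        error_page 403 404           /404.html;
        location = /404.html {
            internal;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

}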

  

3. After Tomcat and nginx have started, there are two ways to access the service locally on the server:

  • Access the Tomcat port directly, for example 127.0.0.1:9005
  • Access the nginx listen port, for example 127.0.0.1:8081. This adds one more proxy layer: nginx receives the request on 8081 and then forwards it to 9005

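4. Accessing the service from another computer on the same local area network as the server

     Check which ports the server has open: only allowed ports are reachable, otherwise you need to create a new inbound rule. For example, to open port 9005, go to Control Panel - Firewall - New Inbound Rule and add port 9005. Note that opening 9005 lets LAN clients reach Tomcat directly, bypassing nginx and the settings applied there; if all traffic is meant to go through nginx, open only the nginx listen ports instead.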

5. If you want two test addresses in nginx, you have to configure two server blocks in nginx, listening on two ports. Each server block maps to one Tomcat; put the old code and the new code under the two Tomcats respectively, and you have two environments.

     Also remember to open the listening ports. Each environment is then accessed through its own port; in this case the configuration is as follows:

 


Origin www.cnblogs.com/tank073/p/12512573.html