Tomcat deployment (basics)

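I. Installing Tomcat
JRE: the runtime environment for Java programs.
JDK: the Java compilation environment plus the JRE.
Before installing, check the official documentation to see which JDK version Tomcat runs on.
Download Java: https://www.java.com/zh_CN/download/chrome.jsp
Download Tomcat: http://tomcat.apache.org/
Make sure a JDK environment is available:
# java -version
openjdk version "1.8.0_131"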
OpenJDK Runtime Environment (build 1.8.0_131-b12)
OpenJDK 64-Bit Server VM (build 25.131-b12, mixed mode)

# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.16/bin/apache-tomcat-8.5.16.tar.gz
# tar xvf apache-tomcat-8.5.16.tar.gz -C /usr/local/
# ln -sv /usr/local/apache-tomcat-8.5.16 /usr/local/tomcat
# cat /etc/profile.d/tomcat.sh
export TOMCAT_HOME=/usr/local/tomcat
export PATH=${TOMCAT_HOME}/bin:$PATH
# catalina.sh configtest
# catalina.sh start
# ss -tnl

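II. Configuring Tomcat

Tomcat: server.xml
server, service, connector, engine, host, context

server: corresponds to one Tomcat instance
service: associates connectors with an engine
engine: the Catalina servlet engine; it contains multiple hosts (virtual hosts), and each host can have multiple contexts
host: a host
context: the documents (a web application)
Each service can contain only one engine; each engine can have multiple connectors; each engine can have multiple hosts; each host can have multiple contexts.
1. Manually add a test application: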
# mkdir -pv /usr/local/tomcat/webapps/myapp/{class,lib,WEB-INF,META-INF}
2. Create a test page
# cat > /usr/local/tomcat/webapps/myapp/index.jsp << 'EOF'
<%@ page language="java" %>
<%@ page import="java.util.*" %>
<html>
<head>
<title>JSP Test Page</title>
</head>
<body>
<% out.println("Hello, world."); %>
</body>
</html>
EOF
echo "It's OK!!"

3. Provide the configuration files
# cp -av /usr/local/tomcat/conf/context.xml /usr/local/tomcat/webapps/myapp/WEB-INF/ ;\
cp -av /usr/local/tomcat/conf/web.xml /usr/local/tomcat/webapps/myapp/WEB-INF/

The servlet source generated from the JSP:
# less ../work/Catalina/localhost/myapp/org/apache/jsp/index_jsp.java

4. Enable manager, status and host-manager

# cat /usr/local/tomcat/conf/tomcat-users.xml | sed '/<!--/,/-->/d'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="ma" roles="admin-gui,manager-gui"/>
</tomcat-users>

status is mainly used to view the state of heap memory:
Memory Pool                          Type         Initial   Total     Maximum    Used
Eden Space (young generation)        Heap memory  4.31 MB   7.50 MB   66.12 MB   3.05 MB (4%)
Survivor Space (survivor generation) Heap memory  0.50 MB   0.93 MB   8.25 MB    0.93 MB (11%)
Tenured Gen (old generation)         Heap memory  10.68 MB  18.67 MB  165.37 MB  17.98 MB (10%)

5. The server.xml configuration file

# cat server.xml.bak | sed '/<!--/,/-->/d' | sed '/^$/d'
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>

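(1. This setting is dangerous; disabling it is recommended
<Server port="8005" shutdown="SHUTDOWN">
# telnet 127.0.0.1 8005
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SHUTDOWN
Change it to (port="-1" disables the shutdown port):
<Server port="-1" shutdown="SHUTDOWN">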

(2. Listeners
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- components that monitor resources inside Java -->

(3. Global naming resources (also called global name resources)
<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml"
<!-- implements a user feature on top of the user database factory -->
(4. Connector component

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- the default listening port and the HTTP protocol version; if no maximum is set on the connector, a thread pool has to be used -->

<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- the Java thread pool; if this is not defined, the maximum has to be defined -->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
<!-- enables the SSL service; usually not exposed directly to users -->

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- Apache JServ Protocol, a binary format; the dedicated connector used when a front-end Apache reverse proxy connects to Tomcat. -->

(5. Engine component: defines virtual hosts and resources
The Engine container can contain Realm, Host, Listener and Valve child containers.
defaultHost: the default virtual host
name: the name of the Engine component, used in logs and error messages to tell engines apart;
jvmRoute:

<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
</Engine>
<!-- defaultHost="localhost": the default virtual host; requests fall back to localhost -->
<!-- appBase="webapps": the application path for webapps, a relative path -->
<!-- unpackWARs="true" autoDeploy="true": unpack automatically, deploy automatically -->
<!-- Valve: a valve; here it is the access log recorder -->

(6. Service component: associates connectors with an engine; one engine can correspond to several connectors, while one connector can correspond to only one engine
<Service name="Catalina"></Service>
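
The shutdown port from item (1 and the Connector elements from item (4 can be checked mechanically. The following Python is an added example, not code from the original post or from Tomcat: audit_server_xml and the trimmed sample document are constructed for illustration, and it assumes, as this page states in section III, that a connector without an address attribute listens on all addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the server.xml printed above, reduced to the elements
# this audit reads, plus the AJP connector shown in item (4.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_server_xml(xml_text):
    """Return (element, finding) pairs for the shutdown port and connectors."""
    root = ET.fromstring(xml_text)
    findings = []
    # Tomcat defaults: port 8005, command SHUTDOWN; port="-1" disables the listener.
    port = root.get("port", "8005")
    if port != "-1":
        cmd = root.get("shutdown", "SHUTDOWN")
        kind = "default" if cmd == "SHUTDOWN" else "custom"
        findings.append(("Server", f"shutdown port {port} enabled, {kind} command"))
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        addr = conn.get("address")
        # Assumption taken from the page: with no address attribute the
        # connector listens on every interface.
        if addr not in LOOPBACK:
            where = addr or "all addresses"
            kind = "AJP" if proto.upper().startswith("AJP") else "HTTP"
            findings.append((f"Connector:{conn.get('port')}",
                             f"{kind} connector reachable on {where}"))
    return findings


if __name__ == "__main__":
    for element, finding in audit_server_xml(SAMPLE):
        print(f"{element}: {finding}")
```

A connector that a front-end proxy on another host has to reach will always be reported; the finding is then a prompt to restrict that port to the proxy's address with a firewall rule.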

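III. Tomcat connector configuration

Connectors are built on an event model and support a fairly large number of concurrent connections. Tomcat usually serves the application itself, and the requests it accepts come from a front-end nginx or Apache. Most static content has already been sent to other servers.

1. A connector definition accepts a very large number of attributes, but normally the only attribute that must be defined for an HTTP connector is "port", and the only attribute that must be defined for an AJP connector is "protocol", because the default protocol is HTTP. The commonly used attributes are:
1) address: the address the connector listens on; the default is all addresses, i.e. 0.0.0.0;
2) maxThreads: the maximum number of concurrent connections supported; the default is 200;
3) port: the listening port; the default is 0;
4) protocol: the protocol the connector uses; the default is HTTP/1.1, and an AJP connector is usually defined as AJP/1.3;
5) redirectPort: if the connector's protocol is HTTP, HTTPS requests received from clients are forwarded to the port defined by this attribute;
6) connectionTimeout: how long to wait for the client to send its request, in milliseconds; the default is 60000, i.e. 1 minute;
7) enableLookups: whether request.getRemoteHost() performs a DNS lookup to obtain the client's host name; the default is true; turning it off is generally recommended;
8) acceptCount: the maximum length of the wait queue; new requests are normally placed in the wait queue when all of Tomcat's processing threads are busy;

2. Connector configuration examples
1) HTTP connector
2) SSL connector
Three certificate formats: 1. JKS, the standard Java format. 2. PKCS11 (case-sensitive, not commonly used, whereas PKCS12 is not case-sensitive). 3. PKCS12, the standard Internet format (Linux, Windows)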
(1. Create the root CA
# cd /etc/pki/CA/
# touch index.txt
# echo 01 > serial
# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SICHUAN
Locality Name (eg, city) [Default City]:CHENGDU
Organization Name (eg, company) [Default Company Ltd]:CPE
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:admin.cpe.com
Email Address []:admin@cpe.com

(2. Create the web server certificate
# mkdir -pv /usr/local/tomcat/ssl
# keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/ssl/store
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: www.cpe.com
What is the name of your organizational unit?
[Unknown]: OPS
What is the name of your organization?
[Unknown]: CPE
What is the name of your City or Locality?
[Unknown]: CHENGDU
What is the name of your State or Province?
[Unknown]: SICHUAN
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=www.cpe.com, OU=OPS, O=CPE, L=CHENGDU, ST=SICHUAN, C=CN correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password):
### Check that the certificate is correct
# keytool -list -keystore /usr/local/tomcat/ssl/store

(3. Create the web certificate signing request
# keytool -certreq -keyalg RSA -alias tomcat -file /usr/local/tomcat/ssl/cpe.com.csr \
-keystore /usr/local/tomcat/ssl/store

(4. Sign the server certificate (signing may fail with an error; if it does, modify /etc/pki/tls/openssl.cnf)
# openssl ca -in /usr/local/tomcat/ssl/cpe.com.csr -out /etc/pki/CA/certs/www.cpe.com.crt
# cp -a /etc/pki/CA/certs/www.cpe.com.crt /usr/local/tomcat/ssl/

(5. Import the root certificate and the CA-signed certificate:
# keytool -import -trustcacerts -alias root -file /etc/pki/CA/cacert.pem -keystore /usr/local/tomcat/ssl/store
# keytool -import -trustcacerts -alias tomcat -file /usr/local/tomcat/ssl/www.cpe.com.crt -keystore /usr/local/tomcat/ssl/store

(6. Configure server.xml
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/usr/local/tomcat/ssl/store" keystorePass="cisco520"
    clientAuth="false" sslProtocol="TLS"
    connectionTimeout="20000" enableLookups="false" acceptCount="200"/>

3) AJP 1.3 connector, with Apache as the front end
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

4) proxy (jk) connector; generally not used.

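III. Tomcat host configuration

1. Commonly used attributes:
1) appBase: the webapps directory of this Host, i.e. the directory that holds unpacked web applications or packed WAR files; a path relative to $CATALINA_HOME may be used;
2) autoDeploy: whether application files placed in the appBase directory while Tomcat is running are deployed automatically; the default is true;
3) unpackWARs: whether WAR archives are unpacked first when this webapp is enabled; the default is true;
Note: the path given in path must not end with "/";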

2. Virtual host definition example:
# mkdir -pv /web/data/ROOT
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
<Host name="www.cpe.com" appBase="/web/data">
  <Context path="" docBase="ROOT"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="cpe_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>

# cat > /usr/local/tomcat/webapps/myapp/index.jsp << EOF
<%@ page language="java" %>
<%@ page import="java.util.*" %>
<html>
<head>
<title>JSP Test Page</title>
</head>
<body>
<% out.println("Hello, world."); %>
</body>
</html>
EOF
echo "It's OK!!"

3. Host alias definition:
If a host has two or more host names, the additional names can all be defined as aliases, as follows:

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
  <Alias>ftp.cpe.com</Alias>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
<Host name="www.cpe.com" appBase="/web/data" autoDeploy="true" unpackWARs="true" >
  <Context path="" docBase="ROOT"/>
  <Context path="/shop" docBase="/web/data/test/shop"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
4. RemoteHostValve and RemoteAddrValve implement access control based on host name and on IP address respectively. The control itself is defined with allow or deny, somewhat like Apache's access control. The Valve below, for example, allows only the local machine to access /probe:
<Context path="/probe" docBase="probe">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1"/>
</Context>
<Host name="www.cpe.com" appBase="/web/data" autoDeploy="true" unpackWARs="true" >
  <Context path="" docBase="ROOT">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="192\.168\.31\.\d+|127\.0\.0\.1|localhost"/>
  </Context>
  <Context path="/shop" docBase="/web/data/test/shop"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
The relevant attributes are:
1) className: the name of the Java class that implements the valve; it should be org.apache.catalina.valves.RemoteHostValve or org.apache.catalina.valves.RemoteAddrValve respectively;
2) allow: a comma-separated list of IP addresses that are allowed access; regular expressions are supported, so the dot "." has to be escaped when used in an IP address; when only allow is defined, every address that is not explicitly allowed is denied;
3) deny: a comma-separated list of IP addresses that are denied access; regular expressions are supported; used the same way as allow;
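
The allow pattern above is evaluated against the address of the TCP peer, which matters once the reverse proxies of section IV sit in front of Tomcat. The following Python is an added example, not code from the original post or from Tomcat: valve_allows is a constructed model of the allow/deny decision (whole-string regex match, deny checked first), and PROXY_ADDR is the nginx address used later on this page.

```python
import re


def valve_allows(remote_addr, allow=None, deny=None):
    """Model of the allow/deny decision: whole-string regex match, deny first."""
    def hit(pattern):
        return re.fullmatch(pattern, remote_addr, re.ASCII) is not None
    if deny is not None and hit(deny):
        return False
    if allow is not None and hit(allow):
        return True
    # Only deny configured: everything not denied passes. Otherwise refuse.
    return deny is not None and allow is None


# Pattern from the www.cpe.com Context above.
ALLOW = r"192\.168\.31\.\d+|127\.0\.0\.1|localhost"
PROXY_ADDR = "192.168.31.128"   # nginx host from section IV of the page


def addr_seen_by_tomcat(client_addr, via_proxy):
    """Tomcat sees the TCP peer: the proxy's address when a proxy is in front."""
    return PROXY_ADDR if via_proxy else client_addr


def decide(client_addr, via_proxy):
    """Decision of the www.cpe.com valve for a client, direct or proxied."""
    return valve_allows(addr_seen_by_tomcat(client_addr, via_proxy), allow=ALLOW)


if __name__ == "__main__":
    # Constructed client addresses (203.0.113.0/24 is a documentation range).
    for client, via in [("192.168.31.50", False), ("203.0.113.7", False),
                        ("203.0.113.7", True)]:
        print(client, "via proxy" if via else "direct", "->",
              "allowed" if decide(client, via) else "denied")
```

Because the proxy's own address matches the allow pattern, every proxied request passes; enforcing the restriction on the proxy, or restoring the client address with Tomcat's org.apache.catalina.valves.RemoteIpValve before this valve runs, gives a per-client decision again.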

IV. Typical Tomcat configurations
1. LNMT:
client --> http --> nginx --> reverse_proxy --> http --> tomcat (http connector)
1. Install nginx on 192.168.31.128
# yum -y install epel-release;yum -y install nginx
2. Configure static/dynamic separation so that JSP requests are sent to Tomcat
# vim /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /web/static/;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {
}
location ~* \.(jsp|do)$ {
proxy_pass http://192.168.31.130:8080;
}
error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}
# mkdir -pv /web/static/

3. Virtual hosts:
(1. DNS points to nginx
# vim /var/named/cpe.com.zone
$TTL 86400
$ORIGIN cpe.com.
@ IN SOA ns1.cpe.com. admin.cpe.com. (
2015042201
1H
5M
7D
1D )
IN NS ns1
IN MX 10 mx1
ns1 IN A 192.168.31.130
mx1 IN A 192.168.31.130
www IN A 192.168.31.128
ftp IN CNAME www

(2. nginx points to Tomcat
# vim /etc/hosts
192.168.31.130 www.cpe.com

(3. Modify the nginx reverse-proxy configuration to support virtual hosts
# vim /etc/nginx/conf.d/default.conf
location ~* \.(jsp|do)$ {
proxy_pass http://www.cpe.com:8080;
}

2. LAMT:
client --> http --> httpd --> reverse_proxy --> {http|ajp} --> tomcat {http connector|ajp connector}
(1. DNS points to Apache
# vim /var/named/cpe.com.zone
$TTL 86400
$ORIGIN cpe.com.
@ IN SOA ns1.cpe.com. admin.cpe.com. (
2015042201
1H
5M
7D
1D )
IN NS ns1
IN MX 10 mx1
ns1 IN A 192.168.31.130
mx1 IN A 192.168.31.130
www IN A 192.168.31.128
ftp IN CNAME www

(2. Apache points to Tomcat
# vim /etc/hosts
192.168.31.130 www.cpe.com
(1) httpd 2.2:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.cpe.com
ProxyVia On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.31.130:8080/
ProxyPassReverse / http://192.168.31.130:8080/
</VirtualHost>
(2) httpd 2.4:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.cpe.com
ProxyVia On
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://www.cpe.com:8080/
ProxyPassReverse / http://www.cpe.com:8080/
<Location />
Require all granted
</Location>
</VirtualHost>

3. LANMT:
(1. DNS points to nginx
# vim /var/named/cpe.com.zone
$TTL 86400
$ORIGIN cpe.com.
@ IN SOA ns1.cpe.com. admin.cpe.com. (
2015042201
1H
5M
7D
1D )
IN NS ns1
IN MX 10 mx1
ns1 IN A 192.168.31.130
mx1 IN A 192.168.31.130
www IN A 192.168.31.128
ftp IN CNAME www

(2. nginx points to Apache
# vim /etc/hosts
192.168.31.130 www.cpe.com

(3. Configure Apache AJP
# vim /etc/httpd/conf.d/vir.conf
<VirtualHost *:80>
ServerName www.cpe.com
ProxyVia On
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
ProxyPass / ajp://192.168.31.130:8009/
ProxyPassReverse / ajp://192.168.31.130:8009/
<Location />
Require all granted
</Location>
</VirtualHost>

(4. Configure the nginx reverse proxy
# vim /etc/nginx/conf.d/default.conf

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /web/static/;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {

}

location ~* \.(jsp|do)$ {
proxy_pass http://192.168.31.130; ## numeric (IP address) format
}
error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}
