Summary of Tomcat's main configuration files and SSL setup

Date: 2022-06-24 08:44:28

Below are common Tomcat configuration tasks and the problems that come with them.

These notes come from hands-on work (OS: Ubuntu 10.10 64-bit). The log output further down shows Tomcat 7.0.0 on JDK 1.6 with Tomcat Native 1.1.20, so some of the defaults mentioned here have changed on current releases; those differences are pointed out where they matter.

Contents

  1. Tomcat conf configuration
    1. tomcat-users.xml
    2. Static resource encoding in web.xml
    3. URI encoding
  2. APR
  3. Configuring SSL
    1. SSL configuration without APR
    2. SSL configuration in an APR environment (SSL not via APR)
    3. SSL configuration in an APR environment (SSL via APR)
  4. gzip compression
  5. JDBC
  6. HttpOnly

 

Tomcat conf configuration

 

tomcat-users.xml

  • By default no users are defined, which is inconvenient for development. In production, delete every user that is not strictly needed, and never deploy the development configuration below as it stands: the admin account has an empty password and holds manager-script, so anyone who can reach /manager can upload a WAR and run code as the Tomcat process. Tomcat's own Manager documentation also advises against giving manager-gui together with manager-script or manager-jmx to one user, because a script-role account is exempt from the CSRF protection of the HTML interface. Development configuration (Tomcat 7):

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="manager-gui"/>
      <role rolename="manager-script"/>
      <role rolename="manager-jmx"/>
      <role rolename="manager-status"/>
      <!-- development only: empty password and every manager role on one account -->
      <user username="admin" password="" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
    </tomcat-users>
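As an added example (not from the original article), the following Python script audits a tomcat-users.xml for the problems just described: empty passwords, accounts holding roles that allow deployment or JMX access, and the manager-gui plus manager-script/manager-jmx combination. The sample document embedded in it is constructed; it mirrors the development configuration above and adds two more accounts so the checks have something to contrast. Feed audit_tomcat_users the contents of a real conf/tomcat-users.xml to check a server.

```python
"""Audit a Tomcat tomcat-users.xml for risky accounts.

Added example, not part of the original article. SAMPLE_TOMCAT_USERS is a
constructed document mirroring the development configuration above.
"""
import xml.etree.ElementTree as ET

# Roles that let a user deploy applications or talk to JMX, i.e. run code
# as the Tomcat process if the account is compromised.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                "admin-gui", "admin-script"}

SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <user username="admin" password="" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
  <user username="deployer" password="correct-horse-battery" roles="manager-script"/>
  <user username="monitor" password="readonly-pass" roles="manager-status"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip a namespace prefix: Tomcat 8+ writes xmlns="http://tomcat.apache.org/xml"."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples, one per problem found."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # MemoryUserDatabase accepts both "username" and "name" for the account name
        name = elem.get("username") or elem.get("name") or "?"
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        if not elem.get("password"):
            findings.append((name, "empty password"))
        deploy = roles & DEPLOY_ROLES
        if deploy:
            findings.append((name, "can deploy code via: " + ", ".join(sorted(deploy))))
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append((name, "manager-gui combined with manager-script/manager-jmx "
                                   "(defeats the HTML manager's CSRF protection)"))
    return findings


def usernames_with_findings(xml_text):
    """Convenience view: the set of account names that have at least one finding."""
    return {name for name, _ in audit_tomcat_users(xml_text)}


if __name__ == "__main__":
    for user, problem in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {problem}")
```

The monitor account produces no finding on purpose: manager-status is read-only and a password is set. Anything the script flags as "can deploy code" should be treated as an administrator account, with a strong password, restricted to a trusted network, and ideally split so that the GUI and the script interface use different users.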
     

Static resource encoding in web.xml

  • Problem: viewing the source of a page's JS or CSS files shows garbled text, although the page itself works normally. Tomcat needs the encoding of static resources configured. Solution: open tomcat_home/conf/web.xml and add charset=utf-8 to the relevant mime-type entries, for example:

    <mime-mapping>
        <extension>css</extension>
        <mime-type>text/css;charset=utf-8</mime-type>
    </mime-mapping>
    <mime-mapping>
        <extension>js</extension>
        <mime-type>text/javascript;charset=utf-8</mime-type>
    </mime-mapping>

    This only changes the Content-Type header the DefaultServlet sends for those extensions; the files on disk must actually be saved as UTF-8 for the declaration to be true.
     

URI encoding

  • Problem: garbled characters in data that is not submitted through a form, for example Chinese text typed directly into the browser's address bar:

    http://yoururl//your.action?name=我的中文名&check=可能在服务器端乱码

    Solution: open tomcat_home/conf/server.xml and set URIEncoding="UTF-8" on the Connector. Every Connector (HTTP, HTTPS and AJP alike) needs this attribute, because each one decodes its own request URIs:

    <Connector URIEncoding="UTF-8" port="8159" protocol="AJP/1.3" redirectPort="8593"/>

    Background: the browser percent-encodes the path and query string as UTF-8, but Tomcat 7 decodes them as ISO-8859-1 unless URIEncoding says otherwise (Tomcat 8 and later default to UTF-8). URIEncoding affects only the request URI; the encoding of POST bodies is set separately, with request.setCharacterEncoding() or Tomcat's org.apache.catalina.filters.SetCharacterEncodingFilter.
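The mechanism behind the garbling, shown with Python's URL codec as an added example that is not part of the original article: browser_query models what the address bar puts on the wire, tomcat_decode models a Connector with and without URIEncoding="UTF-8", and repair_mojibake is the per-parameter workaround Java code falls back on when server.xml cannot be changed. The query string is constructed from the URL in the text above.

```python
"""Reproduce the URIEncoding mojibake and the fix with Python's URL codec.

Added example, not part of the original article. RAW_QUERY is constructed
from the URL shown in the text.
"""
from urllib.parse import parse_qs, quote

EXPECTED_NAME = "我的中文名"


def browser_query(params):
    """Percent-encode parameters the way a UTF-8 browser does for the address bar."""
    return "&".join(f"{quote(k)}={quote(v)}" for k, v in params.items())


def tomcat_decode(query, uri_encoding):
    """Decode a query string as Tomcat would with the given Connector URIEncoding.

    "iso-8859-1" models a Tomcat 7 Connector with no URIEncoding attribute;
    "utf-8" models URIEncoding="UTF-8" (and the Tomcat 8+ default).
    """
    decoded = parse_qs(query, keep_blank_values=True,
                       encoding=uri_encoding, errors="replace")
    return {k: v[0] for k, v in decoded.items()}


def repair_mojibake(text):
    """Undo an ISO-8859-1 decode of what were really UTF-8 bytes.

    Equivalent to Java's new String(s.getBytes("ISO-8859-1"), "UTF-8").
    It works only because ISO-8859-1 maps every byte to exactly one
    character, so the original bytes survive the wrong decode intact.
    """
    return text.encode("iso-8859-1").decode("utf-8")


# Constructed request: the query string from the URL in the text above.
RAW_QUERY = browser_query({"name": EXPECTED_NAME, "check": "ok"})

if __name__ == "__main__":
    garbled = tomcat_decode(RAW_QUERY, "iso-8859-1")
    correct = tomcat_decode(RAW_QUERY, "utf-8")
    print("on the wire      :", RAW_QUERY)
    print("no URIEncoding   :", garbled["name"])
    print("URIEncoding=UTF-8:", correct["name"])
    print("repaired         :", repair_mojibake(garbled["name"]))
```

The garbled value has one character per UTF-8 byte (15 for the 5-character name), which is the tell-tale sign of this bug. Fixing the Connector is preferable to repair_mojibake: the workaround has to be applied to every parameter, and it corrupts input that really was ISO-8859-1.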
     

APR

  • Message at Tomcat startup: "The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found"

    Sep 3, 2010 8:59:51 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /prog/java/jdk1.6.0_20/bin:/prog/apache/app-apache-tomcat-7.0.0/bin
    Sep 3, 2010 8:59:51 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 848 ms

    Steps (see the APR documentation at /docs/apr.html for details):

    1. Prepare the dependencies
      1. APR: APR 1.2+ development headers (libapr1-dev package)

      2. OpenSSL: OpenSSL 0.9.7+ development headers (libssl-dev package)

    2. Unpack tomcat_home/bin/tomcat-native.tar.gz
    3. Change into tomcat-native-1.1.20-src/jni/native; the BUILDING file in that directory has the full instructions

    4. Run export JAVA_HOME=/prog/java/jdk to point at the JDK
    5. Run ./configure --with-apr=/usr/bin --with-ssl=/usr/bin
    6. Run make
    7. Run sudo make install, which installs into /usr/local/apr/lib

    8. Run ln -s /usr/local/apr/lib/libtcnative-1.so $JAVA_HOME/jre/lib/amd64/ (alternatively, leave the JDK directory untouched and add -Djava.library.path=/usr/local/apr/lib to CATALINA_OPTS in bin/setenv.sh)
    9. Restart Tomcat and you should see:

      Sep 3, 2010 9:56:17 PM org.apache.catalina.core.AprLifecycleListener init
      INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
      Sep 3, 2010 9:56:18 PM org.apache.catalina.core.AprLifecycleListener init
      INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
      Sep 3, 2010 9:56:18 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
      INFO: Failed to initialize the SSLEngine.
      Sep 3, 2010 9:56:18 PM org.apache.coyote.http11.Http11AprProtocol init
      INFO: Initializing Coyote HTTP/1.1 on http-8782
      Sep 3, 2010 9:56:18 PM org.apache.coyote.ajp.AjpAprProtocol init
      INFO: Initializing Coyote AJP/1.3 on ajp-8711
      Sep 3, 2010 9:56:18 PM org.apache.catalina.startup.Catalina load
      INFO: Initialization processed in 840 ms

 

Configuring SSL

    Keep in mind which TLS stack is in play: a JSSE connector (BIO/NIO) uses the JDK's implementation, while an APR connector uses the OpenSSL that libtcnative was built against, so OpenSSL security updates have to reach libtcnative too (through the shared libssl it links against, or by rebuilding it).

SSL configuration without APR

  1. Create a keystore:

    jdk/bin/keytool -genkey -keystore tomcat.keystore -alias tomcat -keyalg RSA

    Answer "What is your first and last name?" with the host name clients will connect to, since that becomes the certificate's CN. On JDK 6 and 7 keytool generates a 1024-bit RSA key unless you add -keysize 2048 (JDK 8 raised the default to 2048), and the certificate is valid for only 90 days unless you pass -validity.
  2. Put tomcat.keystore in ${user.home}, i.e. your home directory (any other directory works as long as keystoreFile points to it). Make the file readable only by the account Tomcat runs as.
  3. Edit Tomcat's server.xml and add a Connector:

    <Connector port="9145" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
                    URIEncoding="UTF-8"
                    keystoreFile="${user.home}/tomcat.keystore" keystorePass="cms4g-proxy-PaSsWoRd"
                    maxThreads="20"
                    />

    sslProtocol="TLS" only names the JSSE SSLContext algorithm; it does not restrict which protocol versions clients may negotiate. To do that, add sslEnabledProtocols="TLSv1.2" (and a ciphers list) on a JDK that supports it. The keystore password sits in clear text in server.xml, so protect that file, or reference a system property such as keystorePass="${keystore.password}" defined in conf/catalina.properties.

SSL configuration in an APR environment (SSL not via APR)

  4. If the APR library is loaded and you still configure SSL as in the non-APR steps above, you need to do the following:

    1. Set protocol="org.apache.coyote.http11.Http11NioProtocol" on the Connector. Without an explicit protocol, Tomcat auto-selects the APR connector whenever libtcnative is found, and the APR connector expects OpenSSL-style attributes (SSLCertificateFile and friends) rather than keystoreFile.

              <Connector port="9145" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
                      protocol="org.apache.coyote.http11.Http11NioProtocol"
                      URIEncoding="UTF-8"
                      keystoreFile="${user.home}/tomcat.keystore" keystorePass="cms4g-proxy-PaSsWoRd"
                      maxThreads="20"
                      />

      Startup then reports the error "Failed to initialize the SSLEngine.":

      Sep 3, 2010 10:49:42 PM org.apache.catalina.core.AprLifecycleListener init
      INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
      Sep 3, 2010 10:49:43 PM org.apache.catalina.core.AprLifecycleListener init
      INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
      Sep 3, 2010 10:49:43 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
      INFO: Failed to initialize the SSLEngine.
      Sep 3, 2010 10:49:43 PM org.apache.coyote.http11.Http11AprProtocol init
      INFO: Initializing Coyote HTTP/1.1 on http-8782
      Sep 3, 2010 10:49:43 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
      INFO: Using a shared selector for servlet write/read
      Sep 3, 2010 10:49:43 PM org.apache.coyote.http11.Http11NioProtocol init
      INFO: Initializing Coyote HTTP/1.1 on http-9145
      Sep 3, 2010 10:49:43 PM org.apache.coyote.ajp.AjpAprProtocol init
      INFO: Initializing Coyote AJP/1.3 on ajp-8711
      Sep 3, 2010 10:49:43 PM org.apache.catalina.startup.Catalina load
      INFO: Initialization processed in 1162 ms
    2. Despite the message "Failed to initialize the SSLEngine.", SSL still works, because the HTTPS connector is using JSSE (NIO) and does not need OpenSSL at all. To suppress the message, set SSLEngine="off" on the APR listener in server.xml, so that the native library is used only for the plain HTTP and AJP connectors:

        <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

      Startup output:

      Sep 3, 2010 10:51:53 PM org.apache.catalina.core.AprLifecycleListener init
      INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
      Sep 3, 2010 10:51:53 PM org.apache.catalina.core.AprLifecycleListener init
      INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
      Sep 3, 2010 10:51:54 PM org.apache.coyote.http11.Http11AprProtocol init
      INFO: Initializing Coyote HTTP/1.1 on http-8782
      Sep 3, 2010 10:51:54 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
      INFO: Using a shared selector for servlet write/read
      Sep 3, 2010 10:51:54 PM org.apache.coyote.http11.Http11NioProtocol init
      INFO: Initializing Coyote HTTP/1.1 on http-9145
      Sep 3, 2010 10:51:54 PM org.apache.coyote.ajp.AjpAprProtocol init
      INFO: Initializing Coyote AJP/1.3 on ajp-8711
      Sep 3, 2010 10:51:54 PM org.apache.catalina.startup.Catalina load
      INFO: Initialization processed in 1081 ms

 

SSL configuration in an APR environment (SSL via APR)

  1. Create the key material (following the OpenSSL documentation on creating keys):

    1. Create the private key. Private keys are generated with 'openssl genrsa' if you want an RSA private key, or 'openssl gendsa' if you want a DSA private key:

        openssl genrsa -out privkey.pem

    2. Create a certificate request:

        openssl req -new -key privkey.pem -out cert.csr

    3. Create a self-signed test certificate:

        openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

    4. What I actually ran:

        openssl genrsa -out tomcatkey.pem
          produces tomcatkey.pem
        openssl req -new -x509 -key tomcatkey.pem -out tomcatca.pem -days 1095
          produces tomcatca.pem

    Two caveats. On OpenSSL releases before 1.1.0 (including the one shipped with Ubuntu 10.10), genrsa without a size argument produces a 512-bit key, which is trivially factorable; always give the size explicitly, e.g. openssl genrsa -out tomcatkey.pem 2048. And genrsa writes the key unencrypted, so restrict the file to the Tomcat user (chmod 600). Despite its name, tomcatca.pem is just a self-signed server certificate, not a CA certificate; browsers will warn about it until it is replaced by one issued by a trusted CA.
  2. Configure the APR SSL Connector and listener in server.xml:

      <!--APR library loader. Documentation at /docs/apr.html -->
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    
      <!-- Connector configuration -->
            <Connector port="9145" SSLEnabled="true" scheme="https" secure="true" 
                    URIEncoding="UTF-8"
                    SSLCertificateKeyFile="${user.home}/tomcatkey.pem"
                    SSLCertificateFile="${user.home}/tomcatca.pem"
                    maxThreads="20"
                    />

    With APR, protocol and cipher choices come from the APR attributes SSLProtocol (default "all", i.e. whatever the linked OpenSSL offers) and SSLCipherSuite, not from sslEnabledProtocols. Restrict them explicitly, e.g. SSLProtocol="TLSv1.2", on a tcnative/OpenSSL combination that supports it.
    

 

gzip compression

  • Configure it directly on the Connector in server.xml:

            <Connector port="9145" SSLEnabled="true" scheme="https" secure="true" 
                    URIEncoding="UTF-8"
                    SSLCertificateKeyFile="${user.home}/tomcatkey.pem"
                    SSLCertificateFile="${user.home}/tomcatca.pem"
                    maxThreads="20"
                    compression="on"
                    compressionMinSize="1024"
                    compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-json,application/json"
                    />

    Tomcat 7 spells the attribute compressableMimeType; Tomcat 8.5 and later use compressibleMimeType. Be aware that compression on an HTTPS connector is exactly what the BREACH attack exploits: when a response contains a secret (session or CSRF token) alongside attacker-influenced input, the compressed length leaks the secret byte by byte. Leave compression off for responses that carry such tokens, or at least remove text/html from the list if those pages embed them.
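The following Python audit, added here and not part of the original article, pulls together the Connector attributes discussed in the SSL and gzip sections. It runs over a constructed server.xml whose first two Connectors copy the AJP and HTTPS settings shown on this page, with a hardened HTTPS Connector added for contrast, and reports what a reviewer would flag: a Connector without URIEncoding, a TLS Connector whose protocol list is left at the default or includes SSLv3/TLS 1.0, a keystore password in clear text, response compression on a TLS Connector, and an AJP Connector that is neither bound to loopback nor protected by a shared secret. The attribute names are the Tomcat 7 ones used in the text; requiredSecret is the AJP attribute of Tomcat 7 and 8 (Tomcat 9.0.31 and later use secret), and keystorePass="${keystore.password}" assumes that property is set in catalina.properties or with -D.

```python
"""Audit the Connector elements of a Tomcat server.xml.

Added example, not part of the original article. SAMPLE_SERVER_XML is
constructed: the first two Connectors copy the AJP and HTTPS settings
shown on this page, the third is a hardened HTTPS Connector for contrast.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off"/>
  <Service name="Catalina">
    <Connector port="8159" protocol="AJP/1.3" redirectPort="8593"/>
    <Connector port="9145" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="${user.home}/tomcat.keystore" keystorePass="cms4g-proxy-PaSsWoRd"
               compression="on" compressionMinSize="1024"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="${catalina.base}/conf/tomcat.keystore"
               keystorePass="${keystore.password}"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Protocol names that should not appear in sslEnabledProtocols (JSSE) or
# SSLProtocol (APR); "all" is the APR default and means "whatever OpenSSL has".
WEAK_PROTOCOLS = {"all", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _split_protocols(value):
    """sslEnabledProtocols is comma separated; APR SSLProtocol joins names with '+'."""
    return {p.strip() for p in value.replace("+", ",").split(",") if p.strip()}


def audit_connectors(xml_text):
    """Return a list of (port, finding) tuples for every Connector in the document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        tls = conn.get("SSLEnabled", "false").lower() == "true"

        if not conn.get("URIEncoding"):
            findings.append((port, "no URIEncoding (Tomcat 7 decodes URIs as ISO-8859-1)"))

        if protocol.startswith("AJP"):
            # AJP trusts the proxy for client identity; it must not be reachable directly
            if conn.get("address") not in LOOPBACK:
                findings.append((port, "AJP connector not bound to a loopback address"))
            if not (conn.get("requiredSecret") or conn.get("secret")):
                findings.append((port, "AJP connector without a shared secret"))

        if tls:
            enabled = conn.get("sslEnabledProtocols") or conn.get("SSLProtocol")
            if not enabled:
                findings.append((port, "TLS protocol versions left at the default"))
            else:
                weak = _split_protocols(enabled) & WEAK_PROTOCOLS
                if weak:
                    findings.append((port, "weak protocols enabled: " + ", ".join(sorted(weak))))
            password = conn.get("keystorePass")
            if password and not password.startswith("${"):
                findings.append((port, "keystore password in clear text in server.xml"))
            if conn.get("compression", "off").lower() == "on":
                findings.append((port, "compression on a TLS connector (BREACH exposure)"))
    return findings


def findings_for_port(xml_text, port):
    """Just the finding texts for one Connector, for quick checks."""
    return [msg for p, msg in audit_connectors(xml_text) if p == str(port)]


if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {msg}")
```

The hardened Connector on 8443 comes out clean; the two copied from this page each produce three findings. The script only reads attributes, so it cannot tell whether a TLSv1.2-only setting is actually honoured by the JDK or OpenSSL build in use; confirm that with a TLS scanner against the running port.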
    

 

JDBC

  • Configure context.xml (this example is a JIRA data source):

           <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false">
              <!-- do not add minEvictableIdleTimeMillis or timeBetweenEvictionRunsMillis here -->
              <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource"
                username="[enter db username]"
                password="[enter db password]"
                driverClassName="com.mysql.jdbc.Driver"
                url="jdbc:mysql://localhost/jiradb?useUnicode=true&amp;characterEncoding=UTF8"
                maxActive="20"
                validationQuery="select 1"/>
            </Context>

    The driver JAR must be in tomcat_home/lib for a container-managed resource. com.mysql.jdbc.Driver is the Connector/J 5.x class name; Connector/J 8 uses com.mysql.cj.jdbc.Driver. The database credentials are stored in clear text, so keep the file readable only by the Tomcat user and give the database account only the privileges the application needs, never root. reloadable="false" is the right setting for production.
    

 

HttpOnly

  • Set useHttpOnly="true" on the Context. Tomcat 7 defaults to true; Tomcat 6 defaults to false:
    • <?xml version="1.0" encoding="UTF-8" ?>  
      <Context path="/${tomcat.deployName}" docBase="${basedir}/WebRoot" useHttpOnly="true"/>

    HttpOnly only stops scripts from reading the session cookie; it does not stop the cookie being sent over plain HTTP. On Tomcat 7 (Servlet 3.0) also mark the session cookie Secure by setting <secure>true</secure> under <session-config><cookie-config> in web.xml, and serve the application over HTTPS only.
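A small check for the cookie flags discussed above, added here and not part of the original article. The Set-Cookie lines it runs over are constructed: the first is what Tomcat 7 sends with useHttpOnly="true", the second what Tomcat 6 sends with its default of false, the third a session cookie hardened with Secure and SameSite as well (SameSite is not something Tomcat 7 can set itself; it needs the CookieProcessor of Tomcat 8.5/9 or a reverse proxy). Paste the Set-Cookie headers from a real response into audit_response to check a deployment.

```python
"""Check Set-Cookie headers for HttpOnly, Secure and SameSite.

Added example, not part of the original article. The header lines below
are constructed; the cookie values are made up.
"""

SAMPLE_SET_COOKIE_HEADERS = [
    # Tomcat 7 with useHttpOnly="true" (the default)
    "JSESSIONID=3B6C1F2A9D8E4A7C0B1D2E3F4A5B6C7D; Path=/; HttpOnly",
    # Tomcat 6 with its default of useHttpOnly="false"
    "JSESSIONID=9F8E7D6C5B4A3F2E1D0C9B8A7F6E5D4C; Path=/",
    # Session cookie hardened for an HTTPS-only application
    "JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookie(header_value, served_over_tls=True):
    """Return the list of protections missing from one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # readable via document.cookie after an XSS
    if served_over_tls and "secure" not in attrs:
        missing.append("Secure")     # also sent over plain http:// to the same host
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        missing.append("SameSite")   # attached to cross-site requests (CSRF)
    return missing


def audit_response(set_cookie_headers, served_over_tls=True):
    """Return (cookie name, missing protections) for every cookie that has a gap."""
    report = []
    for header in set_cookie_headers:
        missing = audit_cookie(header, served_over_tls)
        if missing:
            report.append((parse_set_cookie(header)[0], missing))
    return report


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Set served_over_tls=False for a development server that really is plain HTTP; in that case a Secure cookie would never be sent at all, which is the intended behaviour in production but confusing on a test box.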