0x01 Installing the JDK and Tomcat
Download the JDK from the Oracle website; the version used here is Linux x64 jdk-8u101-linux-x64.tar.gz.
Download Tomcat from the Apache website; the latest release at the time is Tomcat 8.5.4.
Installing the JDK and Tomcat is very simple (there is no compiling from source here; it is as convenient as portable software on Windows): unpack the downloaded archives, set a few environment variables, and you are done. Tomcat is written in Java, so it depends on the JDK. The following two commands verify that the installation works.
[root@localhost tomcat]# java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
[root@localhost tomcat]# catalina -h
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/local/jdk
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Usage: catalina.sh ( commands ... )
commands:
  debug             Start Catalina in a debugger
  debug -security   Debug Catalina with a security manager
  jpda start        Start Catalina under JPDA debugger
  run               Start Catalina in the current window
  run -security     Start in the current window with security manager
  start             Start Catalina in a separate window
  start -security   Start in a separate window with security manager
  stop              Stop Catalina, waiting up to 5 seconds for the process to end
  stop n            Stop Catalina, waiting up to n seconds for the process to end
  stop -force       Stop Catalina, wait up to 5 seconds and then use kill -KILL if still running
  stop n -force     Stop Catalina, wait up to n seconds and then use kill -KILL if still running
  configtest        Run a basic syntax check on server.xml - check exit code for result
  version           What version of tomcat are you running?
Note: Waiting for the process to end and use of the -force option require that $CATALINA_PID is defined
0x02 tomcat-users.xml
Enabling the Host Manager:
Edit tomcat-users.xml and add the following lines:
<!-- define the role -->
<role rolename="manager-gui"/>
<!-- add the user to the role defined above -->
<user username="tomcat" password="secret" roles="manager-gui"/>
Then restart Tomcat.
Enabling the Manager App and Server Status:
<role rolename="admin-gui"/>
<user username="tomcat" password="s3cret" roles="admin-gui"/>
Note: the three management functions linked from the Tomcat home page can only be logged into from the local machine.
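The two things that go wrong most often in tomcat-users.xml are a roles attribute naming a role that no <role> element defines (the user silently gets nothing) and a privileged account keeping a tutorial password. This added Python check, which is not part of the original post, parses the file and reports both; the sample file is constructed, and the password list is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the only role defined is manager-gui, but the user
# is assigned admin-gui, which no <role> element defines.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="secret" roles="admin-gui"/>
</tomcat-users>
"""

# Assumed list of passwords that appear in copy-pasted tutorials (this page's
# own "secret"/"s3cret" included) and should never survive on a manager account.
WEAK_PASSWORDS = {"tomcat", "secret", "s3cret", "admin", "password"}
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

def _local(tag):
    """Strip the XML namespace so namespaced and plain files parse alike."""
    return tag.rsplit("}", 1)[-1]

def lint_tomcat_users(xml_text):
    """Return a list of (severity, message) findings for a tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    defined = {el.get("rolename") for el in root.iter() if _local(el.tag) == "role"}
    findings = []
    for user in (el for el in root.iter() if _local(el.tag) == "user"):
        name = user.get("username", "?")
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        for role in sorted(roles - defined):
            findings.append(("error", f"user {name}: role '{role}' is not defined by any <role>"))
        if roles & PRIVILEGED_ROLES and (user.get("password") or "") in WEAK_PASSWORDS:
            findings.append(("warning", f"user {name}: well-known password on a privileged account"))
    return findings

if __name__ == "__main__":
    for severity, msg in lint_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(severity, msg)
```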
0x03 Configuring APR
Running catalina.sh configtest produced the following message; a search showed that it means APR is not configured:
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
What is APR? The official documentation has an introduction. Following the official documentation at http://tomcat.apache.org/tomcat-8.5-doc/apr.html, you need APR, OpenSSL and tomcat-native (shipped in Tomcat's bin directory).
1. Install APR
apr-devel was installed from source: the first attempt used yum install apr-devel, but compiling tomcat-native against it failed, so the source build was used instead.
2. Install OpenSSL
The following error appeared: configure: error: Your version of OpenSSL is not compatible with this version of tcnative
Download a newer OpenSSL from the OpenSSL website (2016-May-03 13:57:13 openssl-1.0.2h.tar.gz), compile and install it, and only then install tomcat-native.
[root@localhost local]# tar zxf openssl-1.0.2h.tar.gz
# add -fPIC, otherwise compiling tomcat-native fails, see appendix 1
[root@localhost openssl-1.0.2h-src]# ./config --prefix=/usr/local/openssl -fPIC
[root@localhost openssl-1.0.2h-src]# make
[root@localhost openssl-1.0.2h-src]# make install
Appendix 1: tomcat-native compile error
/usr/local/openssl/lib/libssl.a(s3_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/openssl/lib/libssl.a: could not read symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/usr/local/tomcat-native-1.2.8-src/native'
make: *** [all-recursive] Error 1
After re-running config, it prompts you to run make depend; this can be ignored. The prompt looks like this:
*** Because of configuration changes, you MUST do the following before
*** building:
make depend
3. Install tomcat-native
[root@localhost openssl-1.0.2h-src]# cd /usr/local/tomcat-native-1.2.8-src/
[root@localhost tomcat-native-1.2.8-src]# cd native/
[root@localhost native]# ./configure --prefix=/usr/local/tomcat-native --with-apr=/usr/bin/ --with-java-home=/usr/local/jdk --with-ssl=/usr/local/openssl
[root@localhost native]# make
[root@localhost native]# make install
Finally, copy the files from the lib directory of the installed tomcat-native into any one of the directories listed in the error above (/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib). I tried symlinking the whole lib directory into those directories, but it still could not be found, so in the end I copied the files directly.
At this point the full output of catalina configtest is as follows:
[root@localhost local]# catalina configtest
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/local/jdk
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
……
Aug 24, 2016 9:15:00 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Aug 24, 2016 9:15:00 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Aug 24, 2016 9:15:00 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.base=/usr/local/tomcat
Aug 24, 2016 9:15:00 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=/usr/local/tomcat
Aug 24, 2016 9:15:00 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.2.8 using APR version 1.5.2.
# here you can see that the native library and APR are now recognized
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.2h 3 May 2016)
Aug 24, 2016 9:15:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8080"]
Aug 24, 2016 9:15:00 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Aug 24, 2016 9:15:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-nio-8009"]
Aug 24, 2016 9:15:00 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Aug 24, 2016 9:15:00 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1878 ms
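Rather than eyeballing the log, it is worth confirming from the configtest output that the native library loaded, that OpenSSL is the freshly built 1.0.2h rather than the distribution copy, and which connectors (and ports) are actually initialised. This added Python check is not part of the original post; the log excerpt is a constructed copy of the lines shown above.

```python
import re

# Constructed excerpt of the catalina configtest output shown above.
CONFIGTEST_LOG = """\
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.2.8 using APR version 1.5.2.
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
Aug 24, 2016 9:15:00 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.2h 3 May 2016)
Aug 24, 2016 9:15:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8080"]
Aug 24, 2016 9:15:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-nio-8009"]
"""

NATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library (\S+) using APR version (\S+)\.")
APR_CFG_RE = re.compile(r"useAprConnector \[(\w+)\], useOpenSSL \[(\w+)\]")
OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\S+) ")
HANDLER_RE = re.compile(r'Initializing ProtocolHandler \["([a-z]+)-([a-z0-9]+)-(\d+)"\]')
MISSING_RE = re.compile(r"Tomcat Native library .* was not found on the java.library.path")

def apr_status(log_text):
    """Summarise what AprLifecycleListener and the connectors reported at startup."""
    status = {"native_loaded": False, "native_version": None, "apr_version": None,
              "use_openssl": None, "openssl_version": None, "connectors": []}
    for line in log_text.splitlines():
        if MISSING_RE.search(line):
            status["native_loaded"] = False          # the warning from section 0x03
        elif m := NATIVE_RE.search(line):
            status["native_loaded"] = True
            status["native_version"], status["apr_version"] = m.groups()
        elif m := APR_CFG_RE.search(line):
            status["use_openssl"] = m.group(2) == "true"
        elif m := OPENSSL_RE.search(line):
            status["openssl_version"] = m.group(1)
        elif m := HANDLER_RE.search(line):
            proto, impl, port = m.groups()           # e.g. ("ajp", "nio", "8009")
            status["connectors"].append((proto, impl, int(port)))
    return status

if __name__ == "__main__":
    print(apr_status(CONFIGTEST_LOG))
```

The connector list is the part to keep an eye on: an AJP handler on 8009 is expected only if Apache in front of it is the intended client, so it should be reachable from that host alone.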
0x04 Tomcat directory layout
├── bin   executables: the .bat files run on Windows, the .sh files on Linux
│ ├── bootstrap.jar
│ ├── catalina.bat
│ ├── catalina.sh   the main executable; its various command options are implemented by calling the other scripts in this directory
│ ├── shutdown.bat
│ ├── shutdown.sh
│ ├── startup.bat
│ ├── startup.sh
│ ├── version.bat
│ └── version.sh
├── conf   configuration files
│ ├── catalina.policy
│ ├── catalina.properties
│ ├── context.xml
│ ├── logging.properties
│ ├── server.xml
│ ├── tomcat-users.xml
│ └── web.xml
├── lib   jar files used by Tomcat; on Unix every file in this directory is added to Tomcat's classpath
│ ├── annotations-api.jar
│ ├── catalina-ant.jar
│ ├── ……
├── logs   where Tomcat writes its log files
│ ├── catalina.log
│ ├── catalina.out
│ ├── host-manager.log
│ ├── localhost.log
│ ├── localhost_access_log.txt
│ └── manager.log
├── temp   location where JSPs converted to servlets are stored
│ └── safeToDelete.tmp
├── webapps
│ ├── docs
│ ├── examples
│ ├── host-manager
│ ├── manager
│ └── ROOT
└── work   class files generated by compiling JSPs
└── Catalina
0x05 Apache + Tomcat (1)
Apache and Tomcat can be integrated in two ways, relying on two Apache modules (mod_jk and mod_proxy). Both modules can talk to Tomcat over AJP or HTTP/HTTPS, but mod_jk normally uses AJP and has to be downloaded and built separately, whereas mod_proxy ships with Apache by default from 2.2 onward.
From the names of the mod_proxy-related modules (mod_proxy_http, mod_proxy_ajp) you can see that HTTP and AJP support are separate modules built on top of mod_proxy.
This time Apache/2.4.6 from the installation disc was installed via yum; the relevant modules are loaded by default.
ProxyVia on
# turn off forward proxying
ProxyRequests off
# preserve the Host header of the HTTP request
ProxyPreserveHost on
ProxyPass / http://172.16.4.22:8080/
ProxyPassReverse / http://172.16.4.22:8080/
The above uses mod_proxy to proxy over HTTP; AJP works the same way:
# the AJP connector listens on 8009 (ajp-nio-8009 in the configtest output above), not on the HTTP port 8080
ProxyPass / ajp://172.16.4.22:8009/
ProxyPassReverse / ajp://172.16.4.22:8009/
Notes:
1. Turn off the firewall (firewalld) so that Apache can be reached normally.
2. SELinux was left enabled, and the following error appeared.
[mpm_prefork:notice] [pid 7654] AH00170: caught SIGWINCH, shutting down gracefully
[core:notice] [pid 7825] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[suexec:notice] [pid 7825] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[auth_digest:notice] [pid 7825] AH01757: generating secret for digest authentication ...
[lbmethod_heartbeat:notice] [pid 7825] AH02282: No slotmem from mod_heartmonitor
[mpm_prefork:notice] [pid 7825] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations
[core:notice] [pid 7825] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[proxy:error] [pid 7829] (13)Permission denied: AH00957: HTTP: attempt to connect to 172.16.4.22:8080 (172.16.4.22) failed
[proxy:error] [pid 7829] AH00959: ap_proxy_connect_backend disabling worker for (172.16.4.22) for 60s
[proxy_http:error] [pid 7829] [client 172.16.4.81:15757] AH01114: HTTP: failed to make connection to backend: 172.16.4.22
3. The following error appears because the ip:port after ProxyPass and ProxyPassReverse needs a trailing "/":
[proxy:error] [pid 7831] [client 172.16.4.81:15767] AH00898: DNS lookup failure for: 172.16.4.22:8080tomcat.png returned by /tomcat.png, referer: http://172.16.4.22/
[proxy:error] [pid 7830] [client 172.16.4.81:15766] AH00898: DNS lookup failure for: 172.16.4.22:8080tomcat.css returned by /tomcat.css, referer: http://172.16.4.22/
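The AH00898 error above is a direct consequence of how mod_proxy builds the backend URL: the part of the request URI after the matched ProxyPass path is appended to the backend string verbatim, so a missing trailing "/" glues the file name onto the port. This added Python model of that rule, not part of the original post, reproduces the "172.16.4.22:8080tomcat.png" host seen in the log and flags directives whose path and backend disagree about the trailing slash; the ProxyPass lines are constructed.

```python
from urllib.parse import urlsplit

# Constructed ProxyPass lines: the broken form from note 3 above (no trailing
# "/" after ip:port) and the corrected form.
BROKEN_PROXYPASS = "ProxyPass / http://172.16.4.22:8080"
FIXED_PROXYPASS = "ProxyPass / http://172.16.4.22:8080/"

def parse_proxypass(line):
    """Return (path, backend) from a ProxyPass directive."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "ProxyPass":
        raise ValueError(f"not a ProxyPass directive: {line!r}")
    return fields[1], fields[2]

def backend_url(proxypass_line, request_uri):
    """Build the backend URL the way mod_proxy does: strip the matched path
    prefix from the request URI and append the remainder to the backend."""
    path, backend = parse_proxypass(proxypass_line)
    if not request_uri.startswith(path):
        return None                     # this directive does not apply
    return backend + request_uri[len(path):]

def backend_host(proxypass_line, request_uri):
    """The host:port string mod_proxy will try to resolve (cf. AH00898)."""
    url = backend_url(proxypass_line, request_uri)
    return urlsplit(url).netloc if url else None

def check_proxypass(line):
    """Warn when path and backend do not agree about the trailing slash."""
    path, backend = parse_proxypass(line)
    if path.endswith("/") != backend.endswith("/"):
        return f"{line!r}: path and backend must both end in '/' or both not"
    return None

if __name__ == "__main__":
    for line in (BROKEN_PROXYPASS, FIXED_PROXYPASS):
        print(line, "->", backend_url(line, "/tomcat.png"),
              "| host to resolve:", backend_host(line, "/tomcat.png"),
              "|", check_proxypass(line) or "ok")
```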
0x06 Apache + Tomcat (2)
Using the mod_jk module: first download the connector from the official site, JK 1.2.41 Source Release tar.gz.
AJP (Apache JServ Protocol): AJP is a packet-oriented protocol on top of TCP/IP that provides a dedicated communication channel between Apache and Tomcat instances. mod_proxy is only provided directly from the Apache 2.2.x series onward; for Apache 1.3.x and 2.0.x, mod_jk is the better fit.
1. Build and install the mod_jk module for Apache
[root@localhost ~]# tar -zxf tomcat-connectors-1.2.41-src.tar.gz -C /usr/local/
[root@localhost ~]# cd /usr/local/tomcat-connectors-1.2.41-src/native
# building third-party httpd modules requires apxs (from the httpd-devel package)
[root@localhost native]# ./configure --with-apxs=/usr/bin/apxs
[root@localhost native]# make && make install
2. Configure httpd
After installing mod_jk, httpd must be configured to proxy to Tomcat. For easier maintenance, add a separate configuration file under httpd/conf.d/.
LoadModule jk_module modules/mod_jk.so
JKWorkersFile /etc/httpd/conf.d/workers.properties
JKLogFile /var/logs/httpd/mod_jk.log
JKLogLevel info
# Tomcat and stat are names defined in workers.properties; unlike mod_proxy, the root here needs "/*"
JKMount /* Tomcat
# the custom name after the path is called the jvmRoute
JKMount /status stat
Create a workers.properties file. From Apache's point of view, the engine of every backend Tomcat instance can be regarded as a worker, and the address, connector port and other details of each worker must be specified on the Apache side so that Apache can recognise and use them. A worker can be understood as one Tomcat instance behind httpd, or …
# list of worker names
worker.list=Tomcat,stat
# properties of each named worker
worker.Tomcat.port=8009
worker.Tomcat.host=172.16.4.1
# one of three types, indicating how the backend service works
worker.Tomcat.type=ajp13
worker.Tomcat.lbfactor=1
worker.stat.type=status
Worker types:
ajp (ajp13): the worker is a running Tomcat instance
lb: load balancing, a worker dedicated to load-balancing scenarios; it does not handle user requests itself but dispatches them to other workers of type ajp13, and has its own set of properties
status: a special worker used to display the working state of the actual workers in a distributed environment; it handles no requests and is not associated with any actual worker instance
Properties common to all worker types:
host: the host on which the Tomcat worker instance runs;
port: the port of the AJP 1.3 connector on the Tomcat instance;
connection_pool_minsize: minimum number of connections kept in the connection pool; defaults to pool_size/2;
connection_pool_timeout: timeout for connections in the connection pool;
mount: the context paths served by this worker, separated by spaces if there are several; this property can be replaced by the JkMount directive;
retries: number of retries when an error occurs;
socket_timeout: how long mod_jk waits for a response from the worker; defaults to 0, meaning wait indefinitely;
socket_keepalive: whether keep-alive is enabled, 1 to enable, 0 to disable;
lbfactor: the worker's weight, which can be set for a worker in load-balancing scenarios;
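A JKMount that names a worker which workers.properties never fully defines (for example worker.list saying Tomcat while the properties are set on TomcatA) fails only at request time, and because '#' is not an inline comment in a .properties file, trailing comments silently become part of the value. This added Python validator, not part of the original post, parses a constructed workers.properties and reports names in worker.list with no properties, defined workers missing from the list, and ajp13 workers lacking host or port; the set of required properties is an assumption of this example.

```python
# Constructed workers.properties with a mismatch between worker.list and the
# worker property names (the list says Tomcat, the properties are set on TomcatA).
SAMPLE_WORKERS = """\
worker.list=Tomcat,stat
worker.TomcatA.port=8009
worker.TomcatA.host=172.16.4.1
worker.TomcatA.type=ajp13
worker.TomcatA.lbfactor=1
worker.stat.type = status
"""

# Assumed minimum set of properties a worker of each type needs to be usable.
REQUIRED = {"ajp13": {"host", "port"}, "lb": set(), "status": set()}

def parse_workers(text):
    """Return (names in worker.list, {worker name: {property: value}})."""
    listed, workers = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        # in a .properties file '#' only starts a comment at the beginning of a line
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "worker.list":
            listed = [n.strip() for n in value.split(",") if n.strip()]
            continue
        parts = key.split(".", 2)            # worker.<name>.<property>
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return listed, workers

def lint_workers(text):
    """Return human-readable findings about names and required properties."""
    listed, workers = parse_workers(text)
    findings = []
    for name in listed:
        if name not in workers:
            findings.append(f"worker.list names '{name}' but no worker.{name}.* property is defined")
            continue
        wtype = workers[name].get("type")
        for prop in sorted(REQUIRED.get(wtype, set()) - set(workers[name])):
            findings.append(f"worker '{name}' of type {wtype} lacks '{prop}'")
    for name in workers:
        if name not in listed:
            findings.append(f"worker '{name}' is defined but not in worker.list "
                            "(unreachable unless another worker references it)")
    return findings

if __name__ == "__main__":
    for finding in lint_workers(SAMPLE_WORKERS):
        print(finding)
```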