Previous articles in this series:

CentOS+Nginx+Tomcat+Mysql+PHP: Environment Setup

CentOS+Nginx+Tomcat+Mysql+PHP: Configuration (1)

CentOS+Nginx+Tomcat+Mysql+PHP: Configuration (2)

6.10. Configuring the Tomcat management interface

sudo vi /opt/tomcat/tomcat/conf/tomcat-users.xml

Put the following inside <tomcat-users></tomcat-users>:

  <role rolename="admin-gui"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cret" roles="admin-gui,manager-gui,manager-script,manager-jmx,manager-status"/>

Restart for the change to take effect:

sudo systemctl restart tomcat.service
Modify the server.xml configuration (only if the ports need changing):

cd /opt/tomcat/conf/
vi server.xml

<!-- change the shutdown port -->
<Server port="9005" shutdown="SHUTDOWN">
    <!-- change the HTTP port. maxPostSize="-1" removes the upload size limit: from Tomcat 7 on
         the value must be "-1", not "0"; with "0" every parameter arrives as "null". -->
    <Connector port="9080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxPostSize="-1"
               URIEncoding="UTF-8" />
Splitting catalina.out by date

yum install -y cronolog

Edit bin/catalina.sh. In the excerpt below, lines 2, 15, 16, 23 and 24 are the ones that need to change:

shift
touch "$CATALINA_OUT"
if [ "$1" = "-security" ] ; then
  if [ $have_tty -eq 1 ]; then
    echo "Using Security Manager"
  fi
  shift
  eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
    -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
    -Djava.security.manager \
    -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
    -Dcatalina.base="\"$CATALINA_BASE\"" \
    -Dcatalina.home="\"$CATALINA_HOME\"" \
    -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
    org.apache.catalina.startup.Bootstrap "$@" start \
    >> "$CATALINA_OUT" 2>&1 "&"
else
  eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
    -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
    -Dcatalina.base="\"$CATALINA_BASE\"" \
    -Dcatalina.home="\"$CATALINA_HOME\"" \
    -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
    org.apache.catalina.startup.Bootstrap "$@" start \
    >> "$CATALINA_OUT" 2>&1 "&"
fi
Change it to the following (line 2 is commented out; original lines 15 and 16 become line 15 below; original lines 23 and 24 become line 22 below):

shift
# touch "$CATALINA_OUT"    # commented out
if [ "$1" = "-security" ] ; then
  if [ $have_tty -eq 1 ]; then
    echo "Using Security Manager"
  fi
  shift
  eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
    -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
    -Djava.security.manager \
    -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
    -Dcatalina.base="\"$CATALINA_BASE\"" \
    -Dcatalina.home="\"$CATALINA_HOME\"" \
    -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
    org.apache.catalina.startup.Bootstrap "$@" start 2>&1 | /usr/sbin/cronolog /data/deploy/logs_manage/tomcat_sys/socket/catalina.%Y-%m-%d.out >> /dev/null &
else
  eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
    -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
    -Dcatalina.base="\"$CATALINA_BASE\"" \
    -Dcatalina.home="\"$CATALINA_HOME\"" \
    -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
    org.apache.catalina.startup.Bootstrap "$@" start 2>&1 | /usr/sbin/cronolog /data/deploy/logs_manage/tomcat_sys/socket/catalina.%Y-%m-%d.out >> /dev/null &
fi
Rotating the Tomcat log and deleting old catalina.out copies periodically

Rotate the log file every night at 23:50 and, at the same time, delete copies older than 30 days.

Create the script /shell/log.sh:

#!/bin/sh
# Copy today's catalina.out into the cron/ sub-directory (which must already exist),
# truncate the live file, and remove the copy made 30 days ago.
log_path=/opt/tomcat/logs
d=`date +%Y-%m-%d`
d90=`date -d'30 day ago' +%Y-%m-%d`     # date 30 days ago (the variable name is historical)
cd ${log_path} || exit 1
cp catalina.out $log_path/cron/catalina.out.$d.log
echo > catalina.out
rm -f $log_path/cron/catalina.out.${d90}.log

Make it executable:

chmod 777 /shell/log.sh

Edit the crontab:

crontab -e
50 23 * * * sh /shell/log.sh

An alternative method:

crontab -e
* 5 * * * find /opt/tomcat/logs/* -name "*.20*" -ctime +7 -exec rm -rf {} \;

Restart the Tomcat service:

systemctl start tomcat.service
Serving different folders of the same project

First comment out the original <Host> configuration, then add the following (域名 stands for the respective domain name and 文件夹 for the sub-folder to be served):

<Host name="域名" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/opt/tomcat/webapps/ROOT" debug="0" reloadable="true" />
</Host>
<Host name="域名" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/opt/tomcat/webapps/文件夹" debug="0" reloadable="true" />
</Host>
Setting up SSL

Make the corresponding changes in the nginx conf:

server {
    listen       80;
    server_name  lottery001.itrxm.com;
    rewrite ^(.*)$  https://$host$1 permanent;
}

server {
    listen       443;
    server_name  x;
    ssl                  on;
    ssl_certificate      /etc/nginx/vhost/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/vhost/ssl/private.key;
    ssl_session_timeout  5m;
    ssl_protocols        TLSv1;   # TLS 1.0 only; deprecated today, current practice is TLSv1.2 TLSv1.3
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        client_max_body_size    16m;
        client_body_buffer_size 128k;
        proxy_pass              http://10.17.162.113:8080;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_next_upstream     off;

        proxy_connect_timeout   30;
        proxy_read_timeout      300;
        proxy_send_timeout      300;
    }
}

In Tomcat's server.xml, change:

<!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
-->

to:

    <!-- keystoreFile must be an absolute path, otherwise errors are likely -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               keystoreFile="/opt/tomcat/huizhong/conf/cert/201802031124.pfx"
               keystoreType="PKCS12"
               keystorePass="201802031124"
               clientAuth="false"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

and add a new node:

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"/>

Restart the Tomcat service:

systemctl restart tomcat.service
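The nginx block above appends the client address to X-Forwarded-For ($proxy_add_x_forwarded_for) and sets X-Forwarded-Proto, and the RemoteIpValve reads both back; the Python model below, added here and not Tomcat's own code, walks the headers the way the valve does so the effect on getRemoteAddr()/isSecure()/getServerPort() can be checked. It assumes RFC 1918 and loopback ranges as the internal proxies (a stand-in for the valve's default internalProxies, which covers the 10.17.162.113 nginx host) and no trustedProxies, as on this page.

```python
import ipaddress
from dataclasses import dataclass

# Assumed stand-in for the valve's default internalProxies: only a TCP peer in
# these ranges (the 10.17.162.113 nginx host qualifies) may set the headers.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Resolved:
    remote_addr: str   # what request.getRemoteAddr() reports after the valve
    scheme: str        # request.getScheme()
    secure: bool       # request.isSecure()
    server_port: int   # request.getServerPort()


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_PROXIES)


def resolve(remote_addr: str, headers: dict, connector_port: int = 8080) -> Resolved:
    """Model of RemoteIpValve with remoteIpHeader=x-forwarded-for and
    protocolHeader=x-forwarded-proto: the headers count only when the TCP peer
    is an internal proxy, and the client is the rightmost X-Forwarded-For entry
    that is not itself an internal proxy (nginx appends the real peer on the right)."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_internal(remote_addr):
        # Direct hit on the connector (e.g. port 8080 reached from outside):
        # any forwarded headers are ignored and the plain-HTTP connector values stay.
        return Resolved(remote_addr, "http", False, connector_port)
    client = None
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    for hop in reversed(hops):
        client = hop
        if not is_internal(hop):
            break            # first non-proxy address from the right is the client
    if client is None:       # no X-Forwarded-For at all: keep the peer address
        client = remote_addr
    proto = h.get("x-forwarded-proto")
    if proto is None:        # no protocol header: connector scheme/port are left alone
        return Resolved(client, "http", False, connector_port)
    https = proto.lower() == "https"
    return Resolved(client, "https" if https else "http", https, 443 if https else 80)
```

Because nginx appends rather than replaces X-Forwarded-For, a client-supplied value only adds entries to the left, which the right-to-left walk never reaches.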

Note: if the certificate consists only of key and crt files, you can use https://www.myssl.cn/tools/merge-pfx-cert.html to generate a pfx certificate and set a password for it (the same merge can be done locally with openssl pkcs12 -export, which keeps the private key on the server).

Monitoring Tomcat performance with VisualVM

JMX download address: http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-7/v7.0.81/bin/extras/catalina-jmx-remote.jar . After downloading catalina-jmx-remote.jar, put it in Tomcat's lib directory.

vim catalina.sh

Add the following below the comment block (被监控的服务器IP地址 stands for the IP address of the server being monitored):

CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote
  -Dcom.sun.management.jmxremote.port=7090
  -Dcom.sun.management.jmxremote.ssl=false
  -Djava.rmi.server.hostname=被监控的服务器IP地址
  -Dcom.sun.management.jmxremote.authenticate=true
  -Dcom.sun.management.jmxremote.password.file=/var/tomcat/tomcat7/conf/jmxremote.password
  -Dcom.sun.management.jmxremote.access.file=/var/tomcat/tomcat7/conf/jmxremote.access"

cd /var/tomcat/tomcat7/conf
vim jmxremote.access

monitorRole readonly
controlRole readwrite

vim jmxremote.password    # ownership must match the user that runs Tomcat

monitorRole 25DWdl2&D^W
controlRole 25DWdl2&D^W

Set permissions and restart Tomcat:

chmod 0400 jmxremote.password      # the password file must be read-only, readable only by the Tomcat run user
systemctl restart tomcat.service

With this, a complete environment is configured.