Tomcat is a popular implementation of the Java Servlet and JavaServer Pages technologies. It is released by the Apache Software Foundation under the widely used Apache open source license. Its powerful features, favorable license and excellent community make it one of the best and most popular Java servlet containers.
After Tomcat is installed, additional fine-tuning is almost always required. Read this article to learn how to optimize your Tomcat installation for safe and effective operation.
This guide has been tested on Ubuntu 14.04. The described installation and configuration are similar on other operating systems and versions, but the commands and the locations of the configuration files may differ.
In this tutorial, you will need:
An Ubuntu 14.04 server on which a non-root user with sudo privileges has been set up and the firewall has been turned on. Students who don't have a server can buy one, but I personally recommend using the free Tencent Cloud Developer Lab for experimentation and buying a server afterwards.
All commands in this tutorial should be run as a non-root user. If a command requires root access, it will have sudo in front of it.
You may have noticed that Tomcat listens on TCP port 8080 by default. This default port is used mainly because Tomcat runs under the unprivileged user tomcat7. In Linux, unless otherwise configured, only privileged users such as root are allowed to listen on ports below 1024. Therefore, you cannot simply change Tomcat's listener port to 80 (HTTP).
So the first task in optimizing the Tomcat installation is to solve this problem and make sure that your Tomcat web applications are available on the standard HTTP port.
The easiest way to solve this problem (but not necessarily the best way) is to create a firewall (iptables) forwarding from TCP port 80 to TCP port 8080. This can be done with the following iptables command:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
To delete this iptables rule, you just need to replace the -A flag (which adds a rule) with -D (which deletes it) in the above command, as shown below:
sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
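Running the -A command above twice leaves two identical REDIRECT rules in the nat table, and a single -D then removes only one of them. The following script, added here as an example and not part of the original article, wraps the article's rule so that adding and removing it is idempotent: it first tests for the rule with iptables -C (available since iptables 1.4.11, so on Ubuntu 14.04) and only appends when the rule is absent, and it keeps deleting until no copy remains. The IPTABLES variable is an assumption of this script that lets the logic run without root.

```shell
#!/bin/sh
# Added example, not from the original article: add or remove the article's
# port 80 -> 8080 NAT redirect idempotently. "iptables -A" appends a new copy
# of the rule every time it is run, so the script first checks with "-C"
# whether the rule is already present.
# IPTABLES can be overridden (an assumption of this script) so the logic is
# testable without root, e.g. IPTABLES=some_fake_function.
IPTABLES="${IPTABLES:-sudo iptables}"

run_rule() {   # $1 = -A (append) | -D (delete) | -C (check)
    $IPTABLES -t nat "$1" PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
}

# Add the redirect only if it is not already present.
ensure_redirect() {
    if run_rule -C >/dev/null 2>&1; then
        echo "redirect 80->8080 already present"
    else
        run_rule -A && echo "redirect 80->8080 added"
    fi
}

# Delete every copy of the redirect, not just the first one.
remove_redirect() {
    n=0
    while run_rule -C >/dev/null 2>&1; do
        run_rule -D || return 1
        n=$((n + 1))
    done
    echo "removed $n rule(s)"
}

case "${1:-}" in
    add)    ensure_redirect ;;
    remove) remove_redirect ;;
    *)      echo "usage: $0 add|remove" ;;
esac
```

Remember that the redirect lives only in the running kernel; it is gone after a reboot unless you persist it (for example with the iptables-persistent package), and it must be removed before following the Nginx approach in the next section.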
From a security and performance point of view, this simple traffic forwarding is not optimal. Instead, a good practice is to put a web server in front of Tomcat, such as Nginx. The reason is that Tomcat is a servlet container with only the basic functions of a web server, while Nginx is a typical, powerful and full-featured web server. Here are some important benefits of using Nginx as a front-end server:
If you are convinced of the above benefits, first make sure that the previous iptables rules have been deleted, and then install Nginx using the following command:
sudo apt-get install nginx
After that, use your favorite editor to edit Nginx's default server block configuration (/etc/nginx/sites-enabled/default) as follows:
sudo nano /etc/nginx/sites-enabled/default
Look for the location / section, which specifies how all requests should be served, and make sure it looks like this:
location / {
    proxy_pass http://127.0.0.1:8080/;
}
The above proxy_pass directive means that all requests should be forwarded to the local IP 127.0.0.1 on TCP port 8080, where Tomcat listens. Close the file and restart Nginx with the following command:
sudo service nginx restart
After that, try to access Tomcat by connecting to the IP of the Droplet through the standard HTTP port in your browser. The URL should be http://your_droplet_ip. If everything is OK, the default page of Tomcat should open. If not, please make sure that the iptables rules have been removed and that Tomcat has been installed correctly according to the prerequisites of this article.
Securing Tomcat is probably the most important task, and it is often overlooked. Fortunately, it takes only a few steps to get a fairly secure Tomcat setup. To follow this part of the article, you should have installed and configured Nginx in front of Tomcat, as described earlier.
The usual trade-offs between functionality and security also apply to Tomcat. To improve security, you can delete the default web manager and host manager applications. The drawback is that you then have to perform all management from the command line, including web application deployment.
Removing Tomcat's web management tools improves security because you no longer have to worry that someone might abuse them. Such security measures are usually applied to production sites.
The administrative web applications are included in the tomcat7-admin package on Ubuntu. Therefore, to delete them, run the following command:
sudo apt-get remove tomcat7-admin
If you did not delete the management web applications as suggested in the previous section, you can at least restrict access to them. Their URLs should be http://your_servlet_ip/manager/ and http://your_servlet_ip/host-manager/. If you see 404 Not Found errors on these URLs, it means they have been deleted and you do not need to take any action. You can still read the instructions below to learn how to protect other sensitive resources in the same way.
At this point, Nginx is accepting connections on port 80, so all web applications are reachable at http://your_servlet_ip from anywhere. Similarly, Tomcat listens on port 8080 on all interfaces, and the same applications can be found at http://your_servlet_ip:8080. To improve security, we will limit the resources reachable on port 80 through Nginx, and we will make Tomcat and its exposed port 8080 available only locally, to the server itself and to Nginx.
Open the default server block configuration file /etc/nginx/sites-enabled/default:
sudo nano /etc/nginx/sites-enabled/default
Add the following content after the server_name directive but above the default root location (location /), replacing your_local_ip with the IP address of your local computer:
...
location /manager/ {
    allow your_local_ip;
    deny all;
    proxy_pass http://127.0.0.1:8080/manager/;
}
...
You should apply the same restriction to the host manager application by adding another configuration block where manager is replaced with host-manager, like this (again, replace your_local_ip with your local IP address):
...
location /host-manager/ {
    allow your_local_ip;
    deny all;
    proxy_pass http://127.0.0.1:8080/host-manager/;
}
...
Once you restart Nginx, access to the manager and host-manager web applications will be limited to your local IP address:
sudo service nginx restart
You can test http://your_servlet_ip/manager/ and http://your_servlet_ip/host-manager/ in your browser. The applications should be available, but if you try to access the same URLs through a public proxy or from another computer, you should see a 403 Forbidden error.
In addition, as an extra measure, you can also delete Tomcat's documentation and examples using the following command:
sudo apt-get remove tomcat7-docs tomcat7-examples
Note that Tomcat is still listening for external connections on TCP port 8080, so Nginx and its security measures can easily be bypassed. To solve this problem, configure Tomcat to listen only on the local interface 127.0.0.1. To do this, open the /etc/tomcat7/server.xml file with your favorite editor:
sudo nano /etc/tomcat7/server.xml
Add address="127.0.0.1" to the Connector configuration section like this:
...
<Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />
...
Then restart Tomcat to make the new settings take effect:
sudo service tomcat7 restart
Performing the above steps ensures that you have a good basic security level.
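It is easy to edit server.xml, restart Tomcat and still be exposed (a second Connector without the address attribute, a typo, or a leftover AJP connector). The script below, added here as an example and not part of the original article, audits the two Tomcat-side steps: it lists every Connector element in a server.xml that is not bound to 127.0.0.1 (skipping commented-out ones), and it reads ss -ltn output to report listeners on port 8080 that are bound to all interfaces. The sample server.xml and ss output embedded in it are constructed for the demo; the --live flag runs the same checks against the real /etc/tomcat7/server.xml and the real socket table.

```shell
#!/bin/sh
# Added example, not from the original article: audit two of the hardening
# steps described above. The checks are pure text processing, so they can be
# exercised on constructed sample data; the --live wrapper at the bottom runs
# them against the real server.xml and the output of "ss -ltn".

# Print every <Connector ...> element in a server.xml that is NOT bound to
# 127.0.0.1. Commented-out connectors (e.g. the stock AJP one) are ignored.
find_exposed_connectors() {   # $1 = path to server.xml
    awk '
    { doc = doc $0 " " }                  # join the whole file into one string
    END {
        while ((i = index(doc, "<!--")) > 0) {      # strip XML comments
            tail = substr(doc, i)
            j = index(tail, "-->")
            if (j == 0) break
            doc = substr(doc, 1, i - 1) substr(tail, j + 3)
        }
        while ((i = index(doc, "<Connector")) > 0) {  # walk each element
            tail = substr(doc, i)
            j = index(tail, ">")
            if (j == 0) break
            elem = substr(tail, 1, j)
            if (elem !~ /address="127\.0\.0\.1"/) print elem
            doc = substr(tail, j + 1)
        }
    }' "$1"
}

# Read "ss -ltn" (or "netstat -ltn") output on stdin and print the listeners
# for port $1 that are bound to every interface rather than to loopback.
exposed_listeners() {   # $1 = port number
    awk -v port="$1" '
    NR > 1 {
        n = split($4, a, ":")                 # 4th column: Local Address:Port
        p = a[n]
        host = substr($4, 1, length($4) - length(p) - 1)
        if (p == port && (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]"))
            print
    }'
}

# Constructed sample inputs: a stock-looking tomcat7 server.xml BEFORE the
# address="127.0.0.1" change, and "ss -ltn" output from such a server.
sample_server_xml() {
    cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector address="127.0.0.1" port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  </Service>
</Server>
EOF
}
sample_ss_output() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:80                            *:*
LISTEN     0      100    *:8080                          *:*
LISTEN     0      128    127.0.0.1:8005                  *:*
EOF
}

# Live audit (run on the server): returns 1 if anything is still exposed.
audit_live() {
    rc=0
    if [ -n "$(find_exposed_connectors /etc/tomcat7/server.xml)" ]; then
        echo "WARN: a Connector in /etc/tomcat7/server.xml has no address=\"127.0.0.1\""; rc=1
    fi
    if [ -n "$(ss -ltn | exposed_listeners 8080)" ]; then
        echo "WARN: port 8080 is listening on all interfaces"; rc=1
    fi
    return $rc
}

# Demo on the constructed data (no root needed):
tmp=$(mktemp) && sample_server_xml > "$tmp"
echo "exposed connectors:"; find_exposed_connectors "$tmp"
echo "exposed 8080 listeners:"; sample_ss_output | exposed_listeners 8080
rm -f "$tmp"
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

On the sample data the script reports the port 8080 connector and the *:8080 listener; after the server.xml change and a Tomcat restart, both checks come back empty and ss shows 127.0.0.1:8080 instead.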
Of course, the general Java Virtual Machine (JVM) fine-tuning principles also apply to Tomcat. Although JVM tuning is a science in itself, there are some basic good practices that anyone can easily apply:
Xmx is the maximum memory that Tomcat can use. It should be set to a value that leaves enough free memory for the Droplet itself to run and for any other services on the Droplet. For example, if your Droplet has 2 GB of RAM, it may be safe to allocate 1 GB of RAM for Xmx. However, remember that the actual memory used by Tomcat will be slightly larger than Xmx.
Xms is the amount of memory allocated at startup. In most cases, it should be equal to the Xmx value. That way you avoid running expensive memory reallocation procedures, because the size of the allocated memory always stays the same.
MaxPermSize should allow Tomcat to load your application's classes while leaving spare memory out of the Xmx value for the instances of those classes. If you are not sure how much memory your application's classes require, you can set MaxPermSize to half the size of Xmx, 512 MB in our example.
On Ubuntu 14.04, you can customize Tomcat's JVM options by editing the /etc/default/tomcat7 file. Therefore, to apply the above tips, open this file with your favorite editor:
sudo nano /etc/default/tomcat7
If you have followed the Tomcat installation instructions in the prerequisites, you should find the following line:
...
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC"
...
If your Droplet has 2 GB of RAM and you want to allocate approximately 1 GB for Tomcat, this line should be changed to:
...
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms1024m -Xmx1024m -XX:MaxPermSize=512m -XX:+UseConcMarkSweepGC"
...
For this setting to take effect, you must restart Tomcat:
sudo service tomcat7 restart
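The sizing rules above (Xmx at half of RAM, Xms equal to Xmx, MaxPermSize at half of Xmx) are mechanical, and editing JAVA_OPTS by hand invites a second -Xmx that silently wins. The script below, added here as an example and not part of the original article, computes the three options from the total RAM and rewrites the JAVA_OPTS line of a defaults file in place, dropping any -Xms/-Xmx/-XX:MaxPermSize already there and keeping every other option. The sample_tomcat_defaults function is a constructed copy of the relevant lines from /etc/default/tomcat7; the --apply flag and the RAM argument are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original article: compute the JVM sizes by the
# rules given above (Xmx = half of RAM, Xms = Xmx, MaxPermSize = Xmx / 2) and
# rewrite the JAVA_OPTS line of /etc/default/tomcat7 accordingly, replacing
# any -Xms/-Xmx/-XX:MaxPermSize already present and keeping everything else.

jvm_opts_for_ram() {   # $1 = total RAM in MB; prints the three options
    case "$1" in
        ''|*[!0-9]*) echo "total RAM in MB expected, got '$1'" >&2; return 1 ;;
    esac
    xmx=$(( $1 / 2 ))
    perm=$(( xmx / 2 ))
    printf '%s' "-Xms${xmx}m -Xmx${xmx}m -XX:MaxPermSize=${perm}m"
}

rewrite_java_opts() {   # $1 = defaults file, $2 = total RAM in MB
    opts=$(jvm_opts_for_ram "$2") || return 1
    # Only the JAVA_OPTS line is touched; a .bak copy of the file is kept.
    # The three substitutions drop old -Xms/-Xmx, drop old MaxPermSize, and
    # insert the new options just before the closing quote.
    sed -E -i.bak "/^JAVA_OPTS=/{
        s/ ?-Xm[sx][0-9]+[kKmMgG]//g
        s/ ?-XX:MaxPermSize=[0-9]+[kKmMgG]//g
        s/\"\$/ ${opts}\"/
    }" "$1"
}

# Constructed sample of the relevant lines of /etc/default/tomcat7.
sample_tomcat_defaults() {
    cat <<'EOF'
# Run Tomcat as this user ID. Not setting this or leaving it blank will use
# the default of tomcat7.
TOMCAT7_USER=tomcat7
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC"
EOF
}

# Demo on the constructed sample (no root needed):
tmp=$(mktemp) && sample_tomcat_defaults > "$tmp"
rewrite_java_opts "$tmp" 2048
grep '^JAVA_OPTS=' "$tmp"
rm -f "$tmp" "$tmp.bak"

# On the server:  sudo ./jvm_opts.sh --apply 2048 && sudo service tomcat7 restart
if [ "${1:-}" = "--apply" ]; then
    rewrite_java_opts /etc/default/tomcat7 "${2:?total RAM in MB}"
fi
```

The new options are appended at the end of the line rather than at the article's position; the JVM does not care about order, only that each option appears once. Java 8 and later have no permanent generation and print a warning that -XX:MaxPermSize is ignored; the option is kept here because the Ubuntu 14.04 tomcat7 package in this article runs on Java 7.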
The above JVM configuration is a good start, but you should monitor Tomcat's log (/var/log/tomcat7/catalina.out) for problems, especially after restarting Tomcat or deploying an application. To monitor the log, use the following tail command:
sudo tail -f /var/log/tomcat7/catalina.out
If you are new to tail, you must press Ctrl-C on the keyboard to stop tailing the log.
Search for errors such as OutOfMemoryError. Such errors indicate that you must adjust the JVM settings, more specifically, increase the size of Xmx.
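Not every OutOfMemoryError is a heap problem: "Java heap space" and "GC overhead limit exceeded" point at Xmx, while "PermGen space" means the class area set by MaxPermSize is too small, and raising Xmx alone does not help. The script below, added here as an example and not part of the original article, classifies the OutOfMemoryError lines in a catalina.out and says which option to raise. The log lines it ships with are constructed samples in Tomcat 7 format.

```shell
#!/bin/sh
# Added example, not from the original article: classify OutOfMemoryError
# lines in catalina.out so that the right JVM setting gets raised. The article
# points at Xmx; a "PermGen space" failure is a MaxPermSize problem instead.

triage_oom() {   # reads log text on stdin, prints counts and advice
    awk '
    /OutOfMemoryError/ {
        if ($0 ~ /Java heap space/ || $0 ~ /GC overhead limit exceeded/) heap++
        else if ($0 ~ /PermGen space/) permgen++
        else other++
    }
    END {
        printf "heap=%d permgen=%d other=%d\n", heap, permgen, other
        if (heap)    print "advice: raise -Xmx (and -Xms) in /etc/default/tomcat7"
        if (permgen) print "advice: raise -XX:MaxPermSize in /etc/default/tomcat7"
        if (other)   print "advice: read the full stack trace; not a plain heap/PermGen exhaustion"
    }'
}

# Constructed sample of catalina.out lines (Tomcat 7 log formatting).
sample_catalina_log() {
    cat <<'EOF'
Jan 05, 2016 10:12:01 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 4521 ms
Exception in thread "http-bio-8080-exec-3" java.lang.OutOfMemoryError: Java heap space
Jan 05, 2016 10:13:10 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8080"]
Exception in thread "http-bio-8080-exec-7" java.lang.OutOfMemoryError: PermGen space
java.lang.OutOfMemoryError: GC overhead limit exceeded
EOF
}

# Demo on the sample. On the server, feed the real log instead:
#   sudo cat /var/log/tomcat7/catalina.out | triage_oom
sample_catalina_log | triage_oom
```

For live watching, the same classification can be applied continuously with sudo tail -f /var/log/tomcat7/catalina.out piped into grep --line-buffered OutOfMemoryError, which shows each occurrence as it is written.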
That's it! Now you can protect and optimize Tomcat in just a few easy-to-follow steps. These basic optimizations are recommended not only for production, but even for testing and development environments exposed to the Internet.
Reference: "How To Optimize Your Tomcat Installation on Ubuntu 14.04"