Background

The Spring MVC project used to run directly on a stand-alone Tomcat, with no web server such as nginx or httpd in front of it, so whenever Tomcat was restarted the site simply became unreachable. The server is now being migrated to Ubuntu 18.04, with nginx in front of Tomcat and a friendly error page returned whenever Tomcat is not serving.
The site previously used a PFX certificate.

A PFX file is a certificate bundle that carries the private key (it contains both the certificate with its public key and the matching private key).

The format is defined by Public Key Cryptography Standards #12 (PKCS#12): a binary container holding the certificate chain together with the private key, normally saved with a .pfx or .p12 extension. Because the private key is inside, the file and the password protecting it have to be handled as secrets, not as an ordinary certificate.
The relevant connectors from the core Tomcat 8.0.11 configuration file, server.xml:

```xml
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<!-- A "Connector" using the shared thread pool-->
<!--<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />-->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf/cert/www.aaa.pfx" keystoreType="PKCS12" keystorePass="xxx"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
```

The certificate file is conf/cert/www.aaa.pfx and the password protecting its private key is xxx (the keystorePass above). Two things are worth noting before this setup is carried over. The protocol list still allows TLSv1 and TLSv1.1, both deprecated, and every cipher suite listed is CBC-based, with the TLS_RSA_* suites offering no forward secrecy. Also, `SSLProtocol="..."` is the attribute name of the APR/native connector; this connector is the JSSE NIO implementation, whose equivalent per the Tomcat 8.0 documentation is `sslEnabledProtocols`. Since TLS is about to be terminated at nginx instead, the protocol and cipher choice is fixed there.
Configuration file for the site's web root, conf\Catalina\localhost\ROOT.xml (the original host was Windows, hence the E: drive in docBase):

```xml
<?xml version='1.0' encoding='utf-8'?>
<Context docBase="E:\www.aaa.com" debug="0" reloadable="true">
</Context>
```

The original had the attribute misspelled as `reloadbale`, which Tomcat ignores apart from a warning in the log; it is corrected above. `reloadable="true"` makes Tomcat watch WEB-INF/classes and WEB-INF/lib for changes, which is a development convenience rather than something to keep in production.
Certificate configuration

Installing nginx itself is omitted here.

1. First, split the PFX into a separate certificate file and a private-key file. (In the original the two comments were the wrong way round: `-clcerts -nokeys` extracts the certificate, i.e. the public half, and `-nocerts -nodes` extracts the private key.)

```bash
sudo mkdir /usr/share/nginx/ssl
# extract the server certificate (public part)
sudo openssl pkcs12 -in ~/www.aaa.com.pfx -clcerts -nokeys -passin pass:xxx -out /usr/share/nginx/ssl/www.aaa.com.crt
# extract the private key
sudo openssl pkcs12 -in ~/www.aaa.com.pfx -nocerts -nodes -passin pass:xxx -out /usr/share/nginx/ssl/www.aaa.com.rsa
```

Three caveats. `-nodes` writes the private key to disk unencrypted, so the .rsa file must be readable by root only (nginx's master process, which loads the key, runs as root); anyone who can read it can impersonate the site. `-clcerts` keeps only the end-entity certificate: if the PFX also carries intermediate CA certificates they are dropped, and clients that do not already have the intermediates will fail chain validation. And `-passin pass:xxx` exposes the password to every local user through the process list; `-passin env:VAR` or `-passin file:...` avoids that.
Test whether the certificate works (I don't really understand this one; it was reposted from elsewhere):

```bash
openssl s_server -www -accept 443 -cert /usr/share/nginx/ssl/www.aaa.com.crt -key /usr/share/nginx/ssl/www.aaa.com.rsa
```

This starts a throwaway TLS server on port 443 using the extracted files, so it only works before nginx is bound to that port; connecting to it with a browser or `openssl s_client` then shows whether the certificate and key load and match each other.
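The extraction and test steps above, as an added example that is not part of the original post: the same `openssl pkcs12` split, but keeping the intermediate certificates in the order nginx needs, locking the key file down, and checking that the key really matches the certificate before nginx is reloaded. The output file names (leaf.crt, chain.crt, fullchain.crt, privkey.pem), the `PFX_PASS` environment variable and the function names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: split a PKCS#12 (.pfx) bundle into
# the files nginx needs, lock the private key down, and prove the key matches
# the certificate before nginx is reloaded. Output file names, the PFX_PASS
# environment variable and the target directory are assumptions.
set -euo pipefail

# extract_pfx <pfx-file> <out-dir>
# Reads the PKCS#12 password from $PFX_PASS (env:, not pass:, so it never
# shows up in `ps`). Writes:
#   leaf.crt       the server certificate (-clcerts)
#   chain.crt      any intermediate CA certs bundled in the PFX (-cacerts)
#   fullchain.crt  leaf first, then chain: the order nginx's ssl_certificate needs
#   privkey.pem    the private key, unencrypted (-nodes), mode 0600
extract_pfx() {
    local pfx="$1" out="$2"
    : "${PFX_PASS:?set PFX_PASS to the PKCS#12 password}"
    mkdir -p "$out"
    chmod 700 "$out"
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS -out "$out/leaf.crt"
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin env:PFX_PASS -out "$out/chain.crt"
    # "Bag Attributes" lines between the PEM blocks are harmless: nginx skips
    # everything outside -----BEGIN/END----- markers.
    cat "$out/leaf.crt" "$out/chain.crt" > "$out/fullchain.crt"
    # umask 077 so the key is never world-readable, not even briefly
    ( umask 077 && openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS -out "$out/privkey.pem" )
    chmod 600 "$out/privkey.pem"
    chmod 644 "$out/leaf.crt" "$out/chain.crt" "$out/fullchain.crt"
}

# key_matches_cert <cert-file> <key-file>
# Returns 0 when the public key inside the (first) certificate equals the
# public key derived from the private key; both are compared as SHA-256 of
# their DER encoding, which works for RSA and EC keys alike.
key_matches_cert() {
    local cert="$1" key="$2" a b
    a=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# cert_valid_for_days <cert-file> <days>
# Returns 0 when the certificate is still valid <days> from now, so the same
# call can run from cron to warn before the PFX's certificate expires.
cert_valid_for_days() {
    local cert="$1" days="$2"
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Typical run on the server (as root):
#   export PFX_PASS='xxx'
#   extract_pfx ~/www.aaa.com.pfx /usr/share/nginx/ssl
#   key_matches_cert /usr/share/nginx/ssl/leaf.crt /usr/share/nginx/ssl/privkey.pem \
#     && cert_valid_for_days /usr/share/nginx/ssl/leaf.crt 14 \
#     && nginx -t && systemctl reload nginx
```

If `key_matches_cert` fails, nginx would refuse the pair anyway ("key values mismatch" in the error log), but catching it here keeps a broken pair from ever reaching a reload. `chain.crt` being empty simply means the PFX carried no intermediates.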
Configuring nginx

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;

    ##
    # Virtual Host Configs
    ##
    server {
        listen 80;
        server_name www.aaa.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }

    server {
        listen 443;
        server_name www.aaa.com;
        ssl on;
        ssl_certificate /usr/share/nginx/ssl/www.aaa.com.crt;
        ssl_certificate_key /usr/share/nginx/ssl/www.aaa.com.rsa;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        charset utf-8;

        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #try_files $uri /errorxxx;
        }

        error_page 404 500 501 502 503 504 505 /50x.html;
        location /50x.html {
            root html;
            index index.html;
        }
    }
}
```

Notes on this configuration. `ssl on;` is deprecated in favour of `listen 443 ssl;`. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables the deprecated protocol versions the old Tomcat connector allowed; TLSv1.2 alone, plus TLSv1.3 where nginx is built against OpenSSL 1.1.1, is the sensible minimum. Redirecting to `${server_name}` rather than `$host` is the right choice, because the Host header is under the client's control. Tomcat behind this proxy sees every request as plain HTTP from 127.0.0.1 unless nginx also sends `X-Forwarded-Proto $scheme` and Tomcat's `RemoteIpValve` is configured to trust the forwarded headers from 127.0.0.1; without that, secure cookies and redirects generated by the application point at http://. Finally, the upstream connector on 8080 should be bound to 127.0.0.1 in server.xml so that Tomcat cannot be reached directly, bypassing TLS.
The part that replaces nginx's built-in error pages for those status codes:

```nginx
error_page 404 500 501 502 503 504 505 /50x.html;
location /50x.html {
    root html;
    index index.html;
}
```

`root html;` is relative to nginx's compiled-in prefix, which for the Ubuntu package is /usr/share/nginx, so the file is expected at /usr/share/nginx/html/50x.html, the path used in the next step. Including 404 in the list means every missing page is also reported as "under maintenance", which hides broken links from users and from monitoring; listing only the 5xx codes is usually the better choice.
Custom error page

Create the file and fill it with the following (the title reads "System maintenance" and the heading "Site under maintenance...."):

```bash
vim /usr/share/nginx/html/50x.html
```

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>系统维护中</title>
<style type="text/css">
body { margin: 0px; padding: 0px; }
.main { width: 552px; margin: 150px auto; text-align: center; }
.main p { padding-top: 10px; }
</style>
</head>
<body>
<div class="main">
  <img src="data:image/jpg;base64,xxxxx" width="552" height="326" border="0" />
  <p><strong>网站维护中....</strong></p>
  <p><span></span></p>
</div>
</body>
</html>
```

Here `data:image/jpg;base64,xxxxx` is the image for your error page, base64-encoded and embedded inline. (The original CSS was missing the `width:` property name and nested one `<p>` inside another; both are fixed above.)

To convert the image, open http://tool.chinaz.com/tools/imgtobase, upload it and copy the resulting base64 string into the src attribute above. The `base64` utility on Ubuntu produces the same string offline, which avoids handing the image to a third-party site.
Before replacement (screenshot)

After replacement (screenshot)

When Tomcat is down (nginx answers 502 Bad Gateway) the page above is shown. Note that it is not shown for 500-series errors generated by Tomcat itself: by default nginx passes an upstream's error response through to the client unchanged, and `error_page` only applies to it when `proxy_intercept_errors on;` is set in the location.
The server.xml on Ubuntu 18.04 uses the default configuration, reproduced below for reference:

```xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
```

(The access-log pattern had lost its `&quot;` entities in the copy above, which would make the file invalid XML; they are restored.) Two adjustments are worth making to this default when nginx is the only intended client. The HTTP connector on 8080 should get `address="127.0.0.1"` so Tomcat is reachable only through the proxy; otherwise anyone who can reach port 8080 bypasses TLS entirely. The AJP connector on 8009 is not used by this setup at all and should be commented out or likewise bound to 127.0.0.1. Tomcat 8.0.x reached end of life in June 2018 and receives no security fixes (the AJP "Ghostcat" issue, CVE-2020-1938, fixed in 8.5.51 and later, is one example), so upgrading Tomcat belongs in the same migration.
Starting Tomcat at boot

Compiling tomcat-native

See: Enabling native library support in Tomcat (Apache Tomcat Native Library)

The build fails part-way through:

```text
src/ssl.c: In function ‘SSL_BIO_close’:
src/ssl.c:822:11: error: dereferencing pointer to incomplete type ‘BIO {aka struct bio_st}’
     if (bi->ptr != NULL && (bi->flags & SSL_BIO_FLAG_CALLBACK)) {
           ^~
src/ssl.c: At top level:
src/ssl.c:967:1: error: variable ‘jbs_methods’ has initializer but incomplete type
src/ssl.c:977:5: note: (near initialization for ‘jbs_methods’)
src/ssl.c:967:19: error: storage size of ‘jbs_methods’ isn’t known
 static BIO_METHOD jbs_methods = {
                   ^~~~~~~~~~~
/opt/apache-tomcat-8.0.11/bin/tomcat-native-1.1.31-src/jni/native/build/rules.mk:206: recipe for target 'src/ssl.lo' failed
make[1]: *** [src/ssl.lo] Error 1
make[1]: Leaving directory '/opt/apache-tomcat-8.0.11/bin/tomcat-native-1.1.31-src/jni/native'
/opt/apache-tomcat-8.0.11/bin/tomcat-native-1.1.31-src/jni/native/build/rules.mk:118: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
```

The cause is a version mismatch rather than a broken toolchain: tomcat-native 1.1.31, the source bundled with Tomcat 8.0.11, predates OpenSSL 1.1.0, which made `struct bio_st` opaque, and Ubuntu 18.04 ships OpenSSL 1.1.x, so the old source no longer compiles against the system headers.
Download the latest tomcat-native

```text
@localhost:/opt/apache-tomcat-8.0.11/bin$ sudo wget https://mirrors.bfsu.edu.cn/apache/tomcat/tomcat-connectors/native/1.2.24/source/tomcat-native-1.2.24-src.tar.gz
--2020-08-14 09:58:11--  https://mirrors.bfsu.edu.cn/apache/tomcat/tomcat-connectors/native/1.2.24/source/tomcat-native-1.2.24-src.tar.gz
Resolving mirrors.bfsu.edu.cn (mirrors.bfsu.edu.cn)... 39.155.141.16, 2001:da8:20f:4435:4adf:37ff:fe55:2840
Connecting to mirrors.bfsu.edu.cn (mirrors.bfsu.edu.cn)|39.155.141.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 419572 (410K) [application/octet-stream]
Saving to: ‘tomcat-native-1.2.24-src.tar.gz’

tomcat-native-1.2.24-src.tar.gz  100%[================================================================>] 409.74K  --.-KB/s    in 0.1s

2020-08-14 09:58:11 (3.13 MB/s) - ‘tomcat-native-1.2.24-src.tar.gz’ saved [419572/419572]

@localhost:/opt/apache-tomcat-8.0.11/bin$ tar -zxvf tomcat-native-1.2.24-src.tar.gz
```

The archive comes from a third-party mirror, so verify it against the .sha512 checksum or the PGP signature (.asc) published on the Apache site before building it; the native library ends up loaded into the Tomcat process.

Then compile and install again in the new source directory (the `./configure` step from the guide referenced above has to be repeated first, this time in the 1.2.24 tree):

```bash
sudo make
sudo make install
```
Compiling and installing the daemon (jsvc)

The commons-daemon source tarball ships in Tomcat's bin/ directory; the finished jsvc binary is copied back there at the end:

```text
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin$ sudo tar -zxvf commons-daemon-native.tar.gz
commons-daemon-1.0.15-native-src/README
commons-daemon-1.0.15-native-src/LICENSE.txt
commons-daemon-1.0.15-native-src/NOTICE.txt
commons-daemon-1.0.15-native-src/RELEASE-NOTES.txt
commons-daemon-1.0.15-native-src/unix/
commons-daemon-1.0.15-native-src/unix/support/
commons-daemon-1.0.15-native-src/unix/native/
commons-daemon-1.0.15-native-src/unix/man/
commons-daemon-1.0.15-native-src/unix/support/config.guess
commons-daemon-1.0.15-native-src/unix/support/config.sub
commons-daemon-1.0.15-native-src/unix/support/apfunctions.m4
commons-daemon-1.0.15-native-src/unix/support/apsupport.m4
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin$ cd commons-daemon-1.0.15-native-src/
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src$ ls
LICENSE.txt  NOTICE.txt  README  RELEASE-NOTES.txt  unix  windows
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src$ vim README
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src$ cd unix/
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix$ ls
CHANGES.txt  configure  configure.in  INSTALL.txt  Makedefs.in  Makefile.in  man  native  support
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix$ vim INSTALL.txt
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix$ sudo ./configure --with-java=$JAVA_HOME/
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix$ sudo make
(cd native; make all)
make[1]: Entering directory '/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix/native'
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c jsvc-unix.c -o jsvc-unix.o
jsvc-unix.c: In function ‘get_pidf’:
jsvc-unix.c:624:5: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
     lockf(fd, F_LOCK, 0);
     ^~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:626:5: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
     lockf(fd, F_ULOCK, 0);
     ^~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c: In function ‘wait_child’:
jsvc-unix.c:720:9: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
         lockf(fd, F_LOCK, 0);
         ^~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:722:9: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
         lockf(fd, F_ULOCK, 0);
         ^~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c: In function ‘set_output’:
jsvc-unix.c:1018:9: warning: ignoring return value of ‘freopen’, declared with attribute warn_unused_result [-Wunused-result]
         freopen("/dev/null", "r", stdin);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:1029:9: warning: ignoring return value of ‘freopen’, declared with attribute warn_unused_result [-Wunused-result]
         freopen("/dev/null", "a", stdout);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:1048:9: warning: ignoring return value of ‘freopen’, declared with attribute warn_unused_result [-Wunused-result]
         freopen("/dev/null", "a", stderr);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c: In function ‘check_pid’:
jsvc-unix.c:576:9: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
         lockf(fd, F_LOCK, 0);
         ^~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:584:17: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
                 lockf(fd, F_ULOCK, 0);
                 ^~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:596:13: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
             lockf(fd, F_ULOCK, 0);
             ^~~~~~~~~~~~~~~~~~~~~
jsvc-unix.c:601:13: warning: ignoring return value of ‘lockf’, declared with attribute warn_unused_result [-Wunused-result]
             lockf(fd, F_ULOCK, 0);
             ^~~~~~~~~~~~~~~~~~~~~
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c arguments.c -o arguments.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c debug.c -o debug.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c dso-dlfcn.c -o dso-dlfcn.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c dso-dyld.c -o dso-dyld.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c help.c -o help.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c home.c -o home.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c java.c -o java.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c location.c -o location.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c replace.c -o replace.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c locks.c -o locks.o
gcc -g -O2 -DOS_LINUX -DDSO_DLFCN -DCPU="amd64" -Wall -Wstrict-prototypes -I/opt/jdk1.8.0_202//include -I/opt/jdk1.8.0_202//include/linux -c signals.c -o signals.o
ar cr libservice.a arguments.o debug.o dso-dlfcn.o dso-dyld.o help.o home.o java.o location.o replace.o locks.o signals.o
ranlib libservice.a
gcc jsvc-unix.o libservice.a -ldl -lpthread -o ../jsvc
make[1]: Leaving directory '/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix/native'
erdpc@localhost:/opt/apache-tomcat-8.0.11/bin/commons-daemon-1.0.15-native-src/unix$ sudo cp jsvc ../../
```

The `-Wunused-result` warnings are harmless for this build. jsvc is what allows Tomcat to bind privileged ports as root and then drop to an unprivileged account, which is what daemon.sh in the next section relies on.
Setting up the system service

1. Add a tomcat account that cannot log in

```bash
sudo useradd tomcat -M -d / -s /usr/sbin/nologin
```

`-s /usr/sbin/nologin` blocks interactive login and `-M` skips creating a home directory, which is the point. `-d /` sets the account's home to the root of the filesystem; a dedicated directory such as the Tomcat install path, or `-r` for a proper system account, is cleaner.

2. Edit daemon.sh

```bash
sudo vim /opt/apache-tomcat-8.0.11/bin/daemon.sh
```

The values normally set here are JAVA_HOME, CATALINA_HOME and TOMCAT_USER (the account created in step 1): daemon.sh passes TOMCAT_USER to jsvc, so Tomcat runs as tomcat rather than as root after binding its ports.

3. Enable start at boot

```bash
sudo chown -R tomcat:tomcat /opt/apache-tomcat-8.0.11/
sudo ln -s /opt/apache-tomcat-8.0.11/bin/daemon.sh /etc/init.d/tomcat8
sudo update-rc.d tomcat8 defaults
sudo service tomcat8 start
```

The init script was linked as tomcat8, so the service is started as tomcat8 (the original had `service tomcat start`, which does not match the link name). Ubuntu 18.04 runs these init.d scripts through its systemd compatibility layer.

4. Permissions

The local Tomcat install directory is /opt/apache-tomcat-8.0.11 and the site is stored in /home/erdpc/www; the original sets permissions on each as follows:

```bash
sudo chown tomcat:tomcat -R /opt/apache-tomcat-8.0.11
sudo chmod 777 -R /opt/apache-tomcat-8.0.11
sudo chown tomcat:tomcat -R /home/erdpc/www
sudo chmod 777 -R /home/erdpc/www
```

`chmod 777 -R` is the one part of this page not to copy. It makes every file in the Tomcat install and in the web root writable by every local account: any other service or user on the box, or anything the application itself can be tricked into writing, can then replace server.xml or the JARs in lib/, or drop a JSP into the web root that Tomcat will execute. Tomcat only needs to write to logs/, temp/ and work/ (and webapps/ if autoDeploy is relied on); everything else, the deployed application included, can be root-owned and merely readable by the tomcat group.
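A least-privilege alternative to the `chmod 777` above, as an added example that is not part of the original post: everything root-owned with group tomcat, only the runtime directories owned by the service account, no world-writable files anywhere, and two checks to run afterwards. CATALINA_HOME, the web root and the account name are the ones the post uses; the function names and the split into an ownership step and a permission step are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a least-privilege layout for
# the Tomcat install and the web root, replacing "chmod 777 -R". CATALINA_HOME,
# the web root and the account name are the ones used in the post; the
# function names and the ownership/permission split are this example's own.
set -euo pipefail

CATALINA_HOME=${CATALINA_HOME:-/opt/apache-tomcat-8.0.11}
WEBROOT=${WEBROOT:-/home/erdpc/www}
TOMCAT_USER=${TOMCAT_USER:-tomcat}

# set_tomcat_owner <catalina_home> <webroot> <user>   (needs root)
# Everything is owned by root with group <user>, so the service account can
# read but not modify binaries, libraries, configuration or the deployed
# application. Only the directories Tomcat writes at runtime belong to it.
set_tomcat_owner() {
    local home="$1" web="$2" user="$3"
    chown -R "root:$user" "$home" "$web"
    for d in logs temp work; do
        mkdir -p "$home/$d"
        chown -R "$user:$user" "$home/$d"
    done
}

# set_tomcat_perms <catalina_home> <webroot>   (works on any tree, no root needed)
# Directories 750, files 640, start scripts and jsvc 750. Combined with the
# ownership above: tomcat can traverse and read, can write only where it is
# the owner, and "other" has no access at all. Nothing is world-writable.
set_tomcat_perms() {
    local home="$1" web="$2"
    find "$home" "$web" -type d -exec chmod 750 {} +
    find "$home" "$web" -type f -exec chmod 640 {} +
    if [ -d "$home/bin" ]; then
        find "$home/bin" -type f \( -name '*.sh' -o -name jsvc \) -exec chmod 750 {} +
    fi
}

# world_writable_count <dir>...
# Prints the number of non-symlink entries writable by "other"; anything but
# 0 means the chmod 777 problem is back.
world_writable_count() {
    find "$@" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# tomcat_cannot_write_webroot <webroot> <user>   (needs root: switches user)
# Returns 0 when the service account cannot create a file in the web root,
# i.e. a file-write bug in the application cannot drop a JSP web shell next
# to the deployed code.
tomcat_cannot_write_webroot() {
    local web="$1" user="$2"
    ! sudo -u "$user" sh -c "touch '$web/.probe' 2>/dev/null && rm -f '$web/.probe'"
}

# Typical run on the server (as root):
#   set_tomcat_owner "$CATALINA_HOME" "$WEBROOT" "$TOMCAT_USER"
#   set_tomcat_perms "$CATALINA_HOME" "$WEBROOT"
#   [ "$(world_writable_count "$CATALINA_HOME" "$WEBROOT")" = 0 ] && echo "no world-writable files"
#   tomcat_cannot_write_webroot "$WEBROOT" "$TOMCAT_USER" && echo "webroot is read-only for $TOMCAT_USER"
```

If the application legitimately needs an upload directory, give it one outside the web root (or a single subdirectory owned by tomcat) rather than loosening the whole tree; anything the application can write under a path Tomcat serves is a potential web shell.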
Reference: https://www.cnblogs.com/Tielong/p/5422599.html
MySQL configuration

See: Installing MySQL 5.7 on Ubuntu 18.04 and setting the password
References:
https://www.lexiangbao.com/checkRemind.do
https://blog.csdn.net/qq_25821067/article/details/54969480
https://www.cnblogs.com/xiaocen/p/3718006.html