1. Installation
nginx, tomcat, jdk
1.1 nginx
Download: get nginx-1.4.3.tar.gz from the official site
Install (the configure arguments used are those shown by nginx -V):
root@ns2:/app/lan/nginx/sbin# ./nginx -V
nginx version: nginx/1.4.3
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --prefix=/app/act/nginx/nginx-1.4.3 --with-debug --with-http_addition_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module
make && make install
1.2 jdk
wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F" "http://download.oracle.com/otn-pub/java/jdk/7u4-b20/jdk-7u4-linux-x64.tar.gz"
Extract it directly to a directory of your choice, then set the environment variables in /etc/profile.d/jdk.sh:
root@ns2:~# cat /etc/profile.d/jdk.sh
export JAVA_HOME=/app/lan/jdk
export JRE_HOME=/app/lan/jdk/jre
export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH
1.3 tomcat
Extract it to the /app/srv/tomcat7/ directory.
2. Configuration
2.1 nginx configuration (unrelated parts omitted)
upstream servers {
    server 192.168.1.1:8080 max_fails=2 fail_timeout=30s weight=1;
}

server {
    listen 80;
    server_name localhost;

    #charset koi8-r;
    #access_log logs/host.access.log main;

    location / {
        root html;
        index index.html index.htm;
    }

    location ~ ^/back/(.*)$ {
        rewrite ^/back/(.*)$ /backyard/$1 break;
        proxy_pass http://servers;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
2.2 tomcat configuration
Change the connector listening configuration in conf/server.xml so that it binds to a specific address; the default is 0.0.0.0 (all interfaces):
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           address="10.1.1.4"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" address="10.1.1.4" redirectPort="8443" />
Restrict access to specific IP addresses:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" deny=""/>
Only the 192.168.1.0 subnet may connect
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.[1-2].*" deny=""/>
Only the 192.168.1.0 and 192.168.2.0 subnets may connect
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.1,192.168.1.2" deny=""/>
Only 192.168.1.1 and 192.168.1.2 may connect
Configure tomcat-users.xml:
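The allow/deny attributes of RemoteAddrValve are java.util.regex patterns that must match the whole client address, and in Tomcat 7 each attribute is a single pattern (alternatives are joined with |). An unescaped dot therefore matches any character, so "192.168.1.*" admits more than the 192.168.1.0 subnet. The following added example (not Tomcat's code; it re-implements the valve's documented decision order with Python's re.fullmatch, and the sample addresses are constructed) lets you check what a pattern really admits before deploying it:

```python
import re
from typing import Optional

# Constructed example, not Tomcat's own code. It imitates how Tomcat 7's
# RemoteAddrValve (RequestFilterValve) evaluates its allow/deny attributes:
# each attribute is ONE java.util.regex pattern that must match the entire
# client address; re.fullmatch gives the same answer for patterns like these.

def valve_admits(allow: Optional[str], deny: Optional[str], client_ip: str) -> bool:
    """Return True if the valve would let client_ip through.

    Decision order, as documented for RequestFilterValve:
      1. deny pattern matches        -> reject
      2. allow pattern matches       -> admit
      3. only a deny pattern is set  -> admit
      4. otherwise                   -> reject
    """
    if deny and re.fullmatch(deny, client_ip):
        return False
    if allow and re.fullmatch(allow, client_ip):
        return True
    return bool(deny) and not allow

# Unescaped dots are regex wildcards, so this is wider than it looks:
LOOSE_SUBNET = r"192.168.1.*"
# Escaped dots plus a bounded last octet keep it to 192.168.1.0/24:
STRICT_SUBNET = r"192\.168\.1\.\d{1,3}"
# Two specific hosts: alternatives joined with |, not a comma-separated list.
TWO_HOSTS = r"192\.168\.1\.1|192\.168\.1\.2"

def audit(allow: str, candidates) -> dict:
    """Map each candidate address to the valve's decision for an allow pattern."""
    return {ip: valve_admits(allow, None, ip) for ip in candidates}

if __name__ == "__main__":
    # Constructed sample addresses; the loose pattern admits three that are
    # not in 192.168.1.0/24, the strict pattern admits only the first.
    samples = ["192.168.1.7", "192.168.100.1", "192.168.10.5", "192x168y1z9", "10.0.0.1"]
    for name, pattern in (("loose", LOOSE_SUBNET), ("strict", STRICT_SUBNET)):
        print(name, audit(pattern, samples))
```

Run it once for every pattern you intend to put into server.xml; if the audit admits an address you did not expect, tighten the pattern rather than the list of test addresses.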
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="adminuser" password="complexpasswd" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-script,admin-gui"/>
Security: start tomcat as a non-root user; the manager page administrator name and password must not be simple strings, and the manager page should be disabled.
Concrete measures:
Expose port 80 and have nginx proxy it to tomcat's port 8080; do not allow access to the manager page:
location / {
    proxy_pass http://192.168.1.1:8080;
}
location ~* manager {
    return 403;
}
How to restrict access to port 80 to specific users (by source address):
# allow 172.16.0.0/24;
# allow 172.16.1.0/24;
# deny all;
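nginx's access module checks allow/deny directives in the order they are written and the first one that matches the client address decides; a client that matches no rule is allowed, which is why the list must end with "deny all". The added example below (not nginx code; the snippets it parses are constructed from the rules above) models that evaluation so the rule order, and the fact that the commented-out form enforces nothing, can be checked offline:

```python
import ipaddress
from typing import List, Tuple

# Constructed example, not nginx's own code. It models ngx_http_access_module:
# rules are tested in order, the first match wins, and no match means allow.

Rule = Tuple[str, str]  # ("allow" | "deny", "<CIDR or address>" | "all")

def parse_rules(config_text: str) -> List[Rule]:
    """Pull allow/deny directives out of an nginx snippet, ignoring '#' comments."""
    rules: List[Rule] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules

def access_allowed(rules: List[Rule], client_ip: str) -> bool:
    """Decide as nginx would: first matching rule wins, default allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            matched = True
        else:
            # 'in' is False for an IPv6 client against an IPv4 network and vice versa.
            matched = ip in ipaddress.ip_network(target, strict=False)
        if matched:
            return action == "allow"
    return True

# Constructed snippet: the rules from the page, uncommented and in the right order.
ACTIVE_SNIPPET = """
location / {
    allow 172.16.0.0/24;
    allow 172.16.1.0/24;
    deny all;
    proxy_pass http://192.168.1.1:8080;
}
"""

# Constructed snippet: the rules exactly as the page shows them, still commented out.
COMMENTED_SNIPPET = """
location / {
    # allow 172.16.0.0/24;
    # allow 172.16.1.0/24;
    # deny all;
    proxy_pass http://192.168.1.1:8080;
}
"""

# Constructed misordering: "deny all" first shadows every later allow.
MISORDERED_RULES: List[Rule] = [("deny", "all"), ("allow", "172.16.0.0/24")]

if __name__ == "__main__":
    for label, rules in (("active", parse_rules(ACTIVE_SNIPPET)),
                         ("commented", parse_rules(COMMENTED_SNIPPET)),
                         ("misordered", MISORDERED_RULES)):
        for client in ("172.16.1.200", "172.16.2.1", "8.8.8.8"):
            print(label, client, access_allowed(rules, client))
```

Feed it the location block you actually deploy: an empty rule list from parse_rules means the restriction is still commented out, and a "deny all" before the allows means nobody, including the intended subnets, gets through.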