Java Enterprise Applications: Tomcat in Practice (Part 2)
Running as an unprivileged user
Deploying the service as an unprivileged user is the safer practice: a compromised web application then only has that user's rights, not root's.
[root@tomcat application]# useradd -u 1001 tomcat
[root@tomcat application]# passwd tomcat
Changing password for user tomcat.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Switch to the tomcat user to run it:

[root@tomcat application]# chown -R tomcat:tomcat /application/jdk
[root@tomcat application]# chown -R tomcat:tomcat /application/tomcat/
[root@tomcat application]# su - tomcat
[tomcat@linux-node1 ~]$ cd /application/tomcat/bin/
[tomcat@linux-node1 bin]$ sh startup.sh   #startup script
Using CATALINA_BASE:   /application/tomcat
Using CATALINA_HOME:   /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME:        /application/jdk
Using CLASSPATH:       /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.

Note that chown -R also gives the tomcat user write access to bin/, conf/ and lib/. The Tomcat security guide recommends leaving those owned by root (readable by the tomcat group) and giving the service user write access only to logs/, temp/, work/ and, if hot deployment is needed, webapps/, so that a compromised application cannot rewrite the server's own configuration or jars.
[tomcat@linux-node1 tomcat]$ pwd
/application/tomcat
[tomcat@linux-node1 tomcat]$ ls -l
total 100
drwxr-xr-x 5 tomcat tomcat  4096 Apr  9 18:53 bin
drwxr-xr-x 6 tomcat tomcat  4096 Apr  8 10:49 conf
drwxr-xr-x 2 tomcat tomcat  4096 Apr  8 05:49 lib
-rw-r--r-- 1 tomcat tomcat 57011 Sep 28  2015 LICENSE
drwxr-xr-x 2 tomcat tomcat  4096 Apr  9 18:39 logs
-rw-r--r-- 1 tomcat tomcat  1444 Sep 28  2015 NOTICE
-rw-r--r-- 1 tomcat tomcat  6741 Sep 28  2015 RELEASE-NOTES
-rw-r--r-- 1 tomcat tomcat 16204 Sep 28  2015 RUNNING.txt
drwxr-xr-x 2 tomcat tomcat    29 Apr  8 05:49 temp
drwxr-xr-x 8 tomcat tomcat   108 Apr  8 09:14 webapps
drwxr-xr-x 3 tomcat tomcat    21 Apr  8 05:53 work
On startup Tomcat puts its temporary files in temp and its working files (compiled JSPs, session data) in work; in production it is advisable to empty these two directories before every start.
Tomcat's bundled shutdown.sh sometimes fails to stop it (it only sends the shutdown command to port 8005, which a hung JVM may never act on), so write your own script that stops the process by PID. Keep in mind that kill -9 skips Tomcat's graceful shutdown (in-flight requests, session persistence); catalina.sh stop -force, with CATALINA_PID set, tries the clean stop first and only then kills the process.
[tomcat@linux-node1 ~]$ cat tomcat.sh
#!/bin/sh
JAVA_HOME=/application/jdk
CATALINA_HOME=/application/tomcat
export JAVA_HOME CATALINA_HOME

usage(){
    echo "$0 {start|stop|restart}"
    exit 1
}
[ $# -ne 1 ] && usage

# PID(s) of the Tomcat JVM: java processes whose command line mentions tomcat
tomcat_pid(){
    ps -ef | grep java | grep tomcat | grep -v grep | awk '{print $2}'
}

start_tomcat(){
    $CATALINA_HOME/bin/startup.sh
}

stop_tomcat(){
    TPID=$(tomcat_pid)
    [ -n "$TPID" ] && kill -9 $TPID      # an empty PID list would make kill print its usage
    sleep 5
    TSTAT=$(tomcat_pid)
    if [ -z "$TSTAT" ]; then             # quoted so an empty value is tested as intended
        echo "tomcat stop"
    else
        kill -9 $TSTAT
    fi
    # clear temp and work on every stop, as recommended above
    cd $CATALINA_HOME || exit 1
    rm -rf temp/* work/*
}

case $1 in
    start)   start_tomcat ;;
    stop)    stop_tomcat ;;
    restart) stop_tomcat; sleep 5; start_tomcat ;;
    *)       usage ;;
esac
[tomcat@linux-node1 ~]$ sh tomcat.sh
tomcat.sh {start|stop|restart}
[tomcat@linux-node1 ~]$ sh tomcat.sh start
Using CATALINA_BASE:   /application/tomcat
Using CATALINA_HOME:   /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME:        /application/jdk
Using CLASSPATH:       /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.
By default it listens on port 8080 (HTTP), 8009 (AJP) and 8005 (the shutdown port, bound to loopback only):

[tomcat@linux-node1 ~]$ netstat -ntpl|grep java
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6       0      0 :::8009                 :::*                    LISTEN      4220/java
tcp6       0      0 :::8080                 :::*                    LISTEN      4220/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      4220/java
The Server Status page shows JVM details and gives a quick view of JVM usage, so it can be kept. The Manager App should be removed: it lets anyone holding (or guessing) the manager credentials deploy a WAR file, i.e. upload a web shell, which makes intrusion easy. The same goes for host-manager, docs and examples, which are moved out below:
[tomcat@linux-node1 webapps]$ pwd
/application/tomcat/webapps
[tomcat@linux-node1 webapps]$ mv host-manager/ /tmp/
[tomcat@linux-node1 webapps]$ mv docs/ /tmp/
[tomcat@linux-node1 webapps]$ mv examples/ /tmp/
[tomcat@linux-node1 webapps]$ ls
manager ROOT
The Manager App lives in the same manager webapp as Server Status. If Server Status is kept, give the monitoring account only the manager-status role (not manager-gui), and have the frontend Nginx apply access control so that only the intranet can reach the /manager/status path.
The telnet management (shutdown) port
Note: before managing Tomcat over telnet, look at the default configuration file, which defines the default management port:

[root@tomcat /]# vim /application/tomcat/conf/server.xml
<Server port="8005" shutdown="SHUTDOWN">

This defines a management port of 8005. We can telnet to port 8005 on the local machine and issue the SHUTDOWN command to stop the Tomcat instance. A concrete demonstration: first install the telnet client,

[root@tomcat ~]# yum install -y telnet

then connect and test:

[root@tomcat ~]# telnet localhost 8005
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SHUTDOWN    #typing SHUTDOWN stops the Tomcat service straight away
Connection closed by foreign host.

[tomcat@linux-node1 conf]$ netstat -ntpl
(No info could be read for "-p": geteuid()=1001 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
[tomcat@linux-node1 conf]$   #as you can see, Tomcat has been shut down
Protecting the shutdown port (mandatory)
Either of the following, preferably both:
1. Change the default management port 8005 to a port that is hard to guess (above 1024)
2. Change the default SHUTDOWN command, e.g. <Server port="8005" shutdown="dangerous">
The port only listens on 127.0.0.1, but any local user, or any code running on the box, can send the string to it, which is why both the port and the command are worth changing. Alternatively set port="-1" to disable the shutdown port altogether; note that shutdown.sh then cannot stop Tomcat, so you need a PID-based stop such as the script above, or catalina.sh stop -force with CATALINA_PID set.
Protecting the AJP connector port
1. Change the default AJP port 8009 to a port above 1024 that is unlikely to collide with anything else
2. Use iptables rules to restrict access to the AJP port to the production machines (the reverse proxies) only
If the proxy runs on the same host, also bind the connector with address="127.0.0.1"; if nothing speaks AJP to this Tomcat at all, comment the connector out. Tomcat 8.5.51 / 9.0.31 and later ship the AJP connector commented out, bound to loopback and requiring a shared secret (secretRequired="true" secret="...") for exactly this reason.
Hiding version information
1. Edit conf/web.xml to redirect 403, 404, 500 and similar errors to designated error pages;
2. Or do the same in the application's own WEB-INF/web.xml.
The point is to map the common errors so that Tomcat's default error page, which reveals the server name and version, is never shown.
The error pages must already exist under the application's root directory; otherwise the request for the error page itself fails and the default page appears anyway. Recent Tomcat versions also let you strip the default page via the ErrorReportValve (showReport="false" showServerInfo="false" on the Host), which covers errors raised outside any web application.
<error-page>
    <error-code>403</error-code>
    <location>/forbidden.jsp</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/notfound.jsp</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/systembusy.jsp</location>
</error-page>
Directory listing control
In conf/web.xml the listings parameter of the default servlet must be false;
false means directory contents are not listed, true allows listing; the default is false:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
Rewriting the Server header
Add a server attribute to the HTTP Connector configuration:
server="zsq"
Before the change the response header identifies the server as Tomcat (Apache-Coyote/1.1):

[tomcat@linux-node1 tomcat]$ curl --head http://192.168.230.130:8080/
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 15 Apr 2017 12:34:47 GMT
[tomcat@linux-node1 tomcat]$ cd /application/tomcat/conf/
[tomcat@linux-node1 conf]$ vim server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" server="zsq"/>   #modify this line
[tomcat@linux-node1 ~]$ sh tomcat.sh restart
tomcat stop
Using CATALINA_BASE: /application/tomcat
Using CATALINA_HOME: /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME: /application/jdk
Using CLASSPATH: /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.
[tomcat@linux-node1 ~]$ curl --head http://192.168.230.130:8080/
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 15 Apr 2017 13:25:23 GMT
Server: zsq
Access control
Restrict the source IPs allowed to reach the application through configuration; this can also be done in Nginx instead.
A whitelist of trusted IPs is configured and every other address is refused. This is mainly for systems with a high confidentiality requirement; ordinary product lines do not need it.

<Context path="" docBase="/home/work/tomcat" reloadable="false">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="61\.128\.18\.38|61\.13\.65\.\d+"/>
</Context>

From Tomcat 7 on, allow and deny are Java regular expressions matched against the whole client address, so the dots must be escaped, and the shell-style deny="*.*.*.*" found in older guides is rejected as an invalid pattern. When allow is set, any address that does not match it is refused, so no deny is needed. Two caveats: behind Nginx the valve sees the proxy's address, so either apply the whitelist in Nginx or put a RemoteIpValve ahead of it so that X-Forwarded-For is honoured; and crossContext="true", often copied along with this snippet, lets the application obtain other contexts through ServletContext.getContext(), so leave it off unless the application needs it.
Disabling DNS lookups
When the web application logs client information, request.getRemoteHost() would otherwise resolve the client's IP address to a host name, which is unnecessary overhead and a per-request dependency on DNS. Set
enableLookups="false"
on the connector (this is already the default in current Tomcat versions, so the attribute mainly makes the intent explicit):

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           enableLookups="false" redirectPort="8443" server="zsq"/>
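The settings above (shutdown port and command, AJP port and bind address, Server header, DNS lookups, directory listings, error pages) can be checked mechanically. The script below is an added example, not part of the original post: it audits a server.xml and a web.xml for those items. The two server.xml files and two web.xml files it writes under mktemp are constructed samples (a stock configuration like the one in this post, and one with the fixes applied); for the real check, point audit_server_xml and audit_web_xml at /application/tomcat/conf/server.xml and conf/web.xml. It parses the XML with tr and sed (comments stripped, one tag per line), which is adequate for Tomcat's configuration files but is not a general XML parser.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Tomcat server.xml and web.xml
# for the hardening items above (shutdown port, AJP, Server header, DNS lookups,
# directory listings, error pages). The sample files below are constructed.

# flatten FILE: strip XML comments, join lines and emit one tag per line with the
# closing '>' dropped, so a multi-line <Connector .../> becomes a single line.
flatten() {
    tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g' | tr '>' '\n'
}

# attr TAGLINE NAME: value of attribute NAME, or "" if absent. Requiring
# whitespace before the name keeps 'port' from matching 'redirectPort'.
attr() {
    printf '%s\n' "$1" | sed -nE "s/.*[[:space:]]$2=\"([^\"]*)\".*/\1/p"
}

# fail_if VALUE EXPECTED MSG: report a finding when VALUE equals EXPECTED.
fail_if() { [ "$1" = "$2" ] && echo "FAIL: $3"; return 0; }
# audit_server_xml FILE: one "FAIL: ..." line per weak setting, nothing when clean.
audit_server_xml() {
    flatten "$1" | while read -r tag; do        # read also trims the leading blank
        case $tag in
        '<Server '*)
            fail_if "$(attr "$tag" port)" 8005 'shutdown port is the default 8005 (port="-1" disables it)'
            fail_if "$(attr "$tag" shutdown)" SHUTDOWN 'shutdown command is the default SHUTDOWN' ;;
        '<Connector '*)
            port=$(attr "$tag" port)
            case $(attr "$tag" protocol) in
            AJP/1.3|org.apache.coyote.ajp.*)
                fail_if "$port" 8009 'AJP connector on the default port 8009'
                case $(attr "$tag" address) in
                127.0.0.1|::1|localhost) ;;
                *) echo "FAIL: AJP connector $port is reachable on all interfaces" ;;
                esac ;;
            *)  # no protocol attribute means HTTP/1.1
                fail_if "$(attr "$tag" server)" "" "HTTP connector $port sends the default Server header"
                fail_if "$(attr "$tag" enableLookups)" true "HTTP connector $port does reverse DNS lookups" ;;
            esac ;;
        esac
    done
}
# audit_web_xml FILE: the default servlet's listings flag and the 403/404/500 error pages.
audit_web_xml() {
    compact=$(tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g; s/>[[:space:]]+</></g')
    case $compact in
    *'<param-name>listings</param-name><param-value>true</param-value>'*)
        echo "FAIL: directory listings are enabled" ;;
    esac
    for code in 403 404 500; do
        case $compact in
        *"<error-code>$code</error-code>"*) ;;
        *) echo "FAIL: no custom error page for HTTP $code" ;;
        esac
    done
}
TMPD=$(mktemp -d)
STOCK_SERVER_XML=$TMPD/server-stock.xml        # constructed: the defaults shown in this post
cat > "$STOCK_SERVER_XML" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
HARDENED_SERVER_XML=$TMPD/server-hardened.xml  # constructed: the fixes from this post applied
cat > "$HARDENED_SERVER_XML" <<'EOF'
<Server port="-1" shutdown="dangerous">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               enableLookups="false" redirectPort="8443" server="zsq" />
    <Connector port="18009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>
EOF
STOCK_WEB_XML=$TMPD/web-stock.xml              # constructed: listings on, no error pages
cat > "$STOCK_WEB_XML" <<'EOF'
<web-app><servlet><servlet-name>default</servlet-name>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>
EOF
HARDENED_WEB_XML=$TMPD/web-hardened.xml        # constructed: listings off, error pages mapped
cat > "$HARDENED_WEB_XML" <<'EOF'
<web-app><servlet><servlet-name>default</servlet-name>
  <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
</servlet>
<error-page><error-code>403</error-code><location>/forbidden.jsp</location></error-page>
<error-page><error-code>404</error-code><location>/notfound.jsp</location></error-page>
<error-page><error-code>500</error-code><location>/systembusy.jsp</location></error-page>
</web-app>
EOF
for f in "$STOCK_SERVER_XML" "$HARDENED_SERVER_XML"; do echo "== $f"; audit_server_xml "$f"; done
for f in "$STOCK_WEB_XML" "$HARDENED_WEB_XML"; do echo "== $f"; audit_web_xml "$f"; done
```

Run against the stock sample it reports five findings (default shutdown port and command, AJP on 8009 and not bound to loopback, missing server attribute) and four for the stock web.xml (listings on, no 403/404/500 pages); the hardened samples produce none. Commented-out connectors are ignored, so the SSL connector that the stock server.xml ships in a comment does not show up as a finding.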