http://www.eu.apache.org/dist/jakarta/tomcat-5/
http://www.apache.org/dist/jakarta/tomcat-5/v5.5.x/bin/jakarta-tomcat-5.5.x-admin.zip
http://www.apache.org/dist/jakarta/tomcat-5/v5.5.x/bin/jakarta-tomcat-5.5.x-compat.zip
http://www.apache.org/dist/jakarta/tomcat-5/v5.5.x/bin/jakarta-tomcat-5.5.x.zip
http://www.apache.org/dist/jakarta/tomcat-5/v5.5.x/bin/jakarta-tomcat-5.5.x-deployer.zip
把jakarta-tomcat-5.5.x.zip
和jakarta-tomcat-5.5.x-compat.zip
和jakarta-tomcat-5.5.x-admin.zip
(Tomcat 默認是沒有內置admin模塊了
Tomcat's administration web application is no longer installed by default. Download and install the "admin" package to use it. )
都解壓到同一個目錄下面。比如:D:/jakarta-tomcat-5.5.x/
(如果使用jdk1.4,才需要compat.zip用jdk1.5就可以免了這個。)
2.修改jakarta-tomcat-5.5.x/conf/tomcat-users.xml.
添加管理員賬號lizongbo,密碼爲lizongbopass.
新xml如下:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="lizongbo" password="lizongbopass" roles="admin,manager"/>
</tomcat-users>
3.修改jakarta-tomcat-5.5.x/conf/server.xml來解決編碼問題。
(給Connector 添加URIEncoding參數,參考http://blog.csdn.net/darkxie/archive/2004/10/25/TOMCATAPP.aspx)
(可以設置成GB18030)
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="200"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="GBK"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"/>
<Connector port="8009"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" URIEncoding="GBK"/>
4.啓用支持gzip壓縮.
(http://www.linuxaid.com.cn/forum/showdoc.jsp?l=1&i=81169)
添加下列屬性
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"
5.設置虛擬主機。
在jakarta-tomcat-5.5.x/下建立文件夾vhost/www.mydomain.com。
然後修改jakarta-tomcat-5.5.x/conf/server.xml
<Engine defaultHost="localhost" name="Catalina">
<Host appBase="vhost/www.mydomain.com" name="www.mydomain.com">
</Host>
<Host appBase="webapps" name="localhost">
</Host>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
</Engine>
6.添加數據庫驅動,更新mail.jar和actiovation.jar
複製mysql-connector-java-3.0.16-ga-bin.jar,pg74.215.jdbc3.jar到 jakarta-tomcat-5.5.x/common/lib/
還有javamail 1.3.2的mail.jar,jaf-1_0_2的 activation.jar
msSQl 2000 JDBC sp3,msbase.jar,msutil,jar,mssqlserver.jar
7.配置SSL
參考 http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html
D:/j2sdk1.4.2_06/bin>%JAVA_HOME%/bin/keytool -genkey -alias tomcat -keyalg RSA
輸入keystore密碼: lizongbossl
您的名字與姓氏是什麼?
[tomcat5.5.x]: tomcat5.5.x
您的組織單位名稱是什麼?
[jakarta]: jakarta
您的組織名稱是什麼?
[apache]: apache
您所在的城市或區域名稱是什麼?
[hzcity]: hzcity
您所在的州或省份名稱是什麼?
[gdp]: gdp
該單位的兩字母國家代碼是什麼
[CN]: CN
CN=tomcat5.5.x, OU=jakarta, O=apache, L=hzcity, ST=gdp, C=CN 正確嗎?
[否]: y
輸入<tomcat>的主密碼
(如果和 keystore 密碼相同,按回車):
(必須密碼一致,因此直接回車)
然後再把userhome(例如:C:/Documents and Settings/lizongbo/)下的.keystore複製到
tomcat的conf/目錄下。
(例如:D:/jakarta-tomcat-5.5.x/conf/.keystore )
配置jakarta-tomcat-5.5.x/conf/server.xml
加上
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/.keystore"
keystorePass="lizongbossl"> <!--與先前設置的密碼一致-->
</Connector>
8.禁止文件目錄列表,
修改jakarta-tomcat-5.5.x/conf/web.xml,把listing設置爲false
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
9.指定了自己的javaEncoding
(參考 http://gceclub.sun.com.cn/staticcontent/html/sunone/app7/app7-dg-webapp/ch6/ch6-4.html )
<servlet>
<servlet-name>jsp</servlet-name>
<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
<init-param>
<param-name>fork</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>javaEncoding</param-name>
<param-value>GB18030</param-value>
</init-param>
<init-param>
<param-name>xpoweredBy</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
10.添加rar,iso等的mime-type映射
避免在瀏覽器裏直接打開。
<mime-mapping>
<extension>mht</extension>
<mime-type>text/x-mht</mime-type>
</mime-mapping>
<mime-mapping>
<extension>rar</extension>
<mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
<extension>iso</extension>
<mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
<extension>ape</extension>
<mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
<extension>rmvb</extension>
<mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
<extension>ico</extension>
<mime-type>image/x-icon</mime-type>
</mime-mapping>
10.1對html靜態頁面設置編碼
<!-- 修改下面兩行以支持靜態超文本的自動編碼
-->
<mime-mapping>
<extension>htm</extension>
<mime-type>text/html;charset=gb2312</mime-type>
</mime-mapping>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html;charset=gb2312</mime-type>
</mime-mapping>
</web-app>
11.添加welcome-file-list,並調整順序。
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
12.如果你的webapp需要只能夠進行https方式訪問,那麼在webapp的web.xml里加上:
<security-constraint>
<web-resource-collection>
<web-resource-name>must https</web-resource-name>
<url-pattern>/lizongbo/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
參考:http://jakarta.apache.org/tomcat/faq/security.html#https
http://marc.theaimsgroup.com/?l=tomcat-user&m=104951559722619&w=2
13.修改遠程關閉服務器的命令。
server.xml默認有下面一行:
<Server port="8005" shutdown="SHUTDOWN">
這樣允許任何人只要telnet到服務器的8005端口,輸入"SHUTDOWN",然後回車,服務器立即就被關掉了。
從安全的角度上考慮,我們需要把這個shutdown指令改成一個別人不容易猜測的字符串。
例如修改如下:
<Server port="8006" shutdown="lizongbo">,這樣就只有在telnet到8006,並且輸入"lizongbo"才能夠關閉Tomcat.
注意:這個修改不影響shutdown.bat的執行。運行shutdown.bat一樣可以關閉服務器。
參考:http://jakarta.apache.org/tomcat/faq/security.html#8005
以下皆可以參考:http://www.cnjsp.org/document/user/tuman/valve.html
14.配置http訪問日誌。Tomcat自帶的能夠記錄的http訪問日誌已經很詳細了
取消下面這段的註釋:
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log." suffix=".txt"
pattern="common" resolveHosts="false"/>
然後修改爲:
<Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
directory="logs" prefix="localhost_access_log." suffix=".txt"
pattern="combined" resolveHosts="false" fileDateFormat="yyyy-MM-dd.HH"/>
pattern="combined" 記錄的日誌內容更詳細,fileDateFormat="yyyy-MM-dd.HH",會讓日誌文件按小時進行滾卷,
比默認的按天滾卷要好些,尤其是訪問量大的網站,可以考慮寫成fileDateFormat="yyyy-MM-dd.HH.mm",就會是每分鐘一個日誌文件了。
而且可以分別按Engine, Host, or Context,來記錄自己的日誌
詳情參考:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/valve.html
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/logger.html
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/host.html#Access%20Logs
而且還可以配合awstats來進行日誌統計分析: http://www.chedong.com/tech/awstats.html
15.限制ip,限制主機訪問等。
如果想禁止指定的ip或者主機名來拒絕某些機器訪問,或者指定某些機器來訪問。
也支持分別按Engine, Host, or Context,進行以下配置:
<Context path="/examples" ...> ...
<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow="*.mycompany.com,www.yourcompany.com"/>
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
deny="192.168.1.*"/>
</Context>
參考:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html
16.發佈webapp到網站根目錄
1。直接複製到ROOT目錄下。
2.因爲無法創建無名字的xml文件,並且在xml文件裏指定path也是無效的(tomcat靠文件名字來判斷的),
因此必須在server.xml裏寫下面一段:
<Context docBase="${catalina.home}/vhost/www.lizongbo.com" path="/"
privileged="true" antiResourceLocking="false" antiJARLocking="false">
<Manager className="org.apache.catalina.session.StandardManager" algorithm="SHA-512"
entropy="suijisifuchuansuijisifuchuansuijisifuchuansuijisifuchuan"
maxActiveSessions="800" />
<Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
directory="logs" prefix="localhost_mytest_access_log." suffix=".txt"
pattern="combined" resolveHosts="true" fileDateFormat="yyyy-MM-dd.HH"/>
</Context>
而且必須把ROOT目錄刪除掉,否則Tomcat還是優先部署ROOT目錄爲"/"。
17.在重新啓動Tomcat的webapp的時候,禁止把session寫入文件。
修改conf/web.xml
取消註釋:
<!---->
<Manager pathname="" />
18.增強SessiionID的生成算法和長度。
<Manager className="org.apache.catalina.session.StandardManager" algorithm="SHA-512" sessionIdLength="40">
</Manager>
(默認的是MD5,長度是16位。)
19.配置日誌:(http://jakarta.apache.org/tomcat/tomcat-5.5-doc/logging.html)
在D:/jakarta-tomcat-5.5.8/common/classes/新建log4j.properties
內容:
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/tomcat5.5.log
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
log4j.logger.org.apache.catalina=DEBUG, R
log4j.logger.org.apache.catalina.core.ContainerBase.Catalina.localhost=DEBUG, R
log4j.logger.org.apache.catalina.core=DEBUG, R
log4j.logger.org.apache.catalina.session=DEBUG, R
複製log4j-1.2.9.jar和commons-logging.jar到
D:/jakarta-tomcat-5.5.8/common/lib
20.使用windows域用戶驗證