CentOS+Nginx+Tomcat+Mysql+PHP

Action is the beginning of knowledge, and knowledge is the completion of action. This article mainly covers CentOS+Nginx+Tomcat+Mysql+PHP and is meant to be of help to you.
1. Install CentOS 7.0
2. Disable the security settings that are not needed and use other security management

sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
setenforce 0

systemctl stop firewalld   # stop the system's default firewall
systemctl mask firewalld   # mask the service (so it cannot be started)

3. Completely disable IPv6 on CentOS 7
Edit /etc/default/grub and add ipv6.disable=1 at the beginning of the GRUB_CMDLINE_LINUX value.
Before:
[root@localhost Desktop]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

After:
[root@localhost Desktop]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

After saving, run grub2-mkconfig -o /boot/grub2/grub.cfg to regenerate grub.cfg:
[root@localhost Desktop]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-514.2.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.2.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.36.3.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.3.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d885883cdb4944609bc5e3493dd2b680
Found initrd image: /boot/initramfs-0-rescue-d885883cdb4944609bc5e3493dd2b680.img
done

Reboot the system, then run lsmod | grep ipv6; you will see that IPv6 is disabled.
reboot   # reboot so the SELinux and IPv6 changes take effect

4. Install management tools
Install ifconfig, ntsysv, updatedb, lrzsz (upload/download) and wget (remote HTTP download):
yum install -y chkconfig net-tools telnet ntsysv mlocate lrzsz wget lsof setuptool tcpdump
yum install -y system-config-securitylevel-tui system-config-network-gui system-config-network-tui system-config-date
yum install -y vim nano   # install editors

5. Update the CentOS 7.0 repo sources
yum install -y epel-release
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
rpm -Uvh http://mirror.webtatic.com/yum/el7/epel-release.rpm
rpm -Uvh http://mirror.webtatic.com/yum/el7/webtatic-release.rpm

5.1 Aliyun mirror for CentOS 7
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache
yum install -y python-pip
pip install --upgrade pip
pip install requests

5.2 Third-party repo files for installing nginx with yum (not needed when compiling from source)
mkdir /root/software
cd /root/software
wget https://mirrors.ustc.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm
rpm -ivh epel-release-7-12.noarch.rpm
rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

5.3 Third-party repo files for installing mysql with yum (not needed when compiling from source)
cd /root/software   # the directory that collects downloaded packages
wget https://repo.mysql.com/mysql57-community-release-el7-11.noarch.rpm   # download
yum localinstall -y mysql57-community-release-el7-11.noarch.rpm   # install the rpm to obtain the repo definition
yum repolist enabled | grep "mysql.*-community.*"   # check that the mysql repo was installed

6. Environment installation
Now start configuring each application environment.
6.1 Prerequisites
yum install -y make cmake gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers gd gd-devel perl expat expat-devel nss_ldap unixODBC-devel libxslt-devel libevent-devel libtool-ltdl bison libtool zip unzip gmp-devel pcre pcre-devel python-devel perl-devel perl-ExtUtils-Embed   # install the libraries the various environments need
yum update -y   # apply updates

6.2 Install iptables (optional)
yum install -y iptables-services   # install iptables
systemctl enable iptables   # start at boot
service iptables start   # start the service
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT   # allow remote access to mysql
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT   # allow remote access to http
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT   # allow remote access to https
service iptables save   # save the configuration
systemctl stop iptables.service   # stop the iptables service

Setting iptables rules
6.2.1 Clear all rules and start from scratch
iptables -F   # flush the rules of every chain in the default filter table
iptables -X   # delete the user-defined chains in the default filter table
service iptables save   # save the result, otherwise the old state returns after a reboot

Result of the query:
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

6.2.2 Set the default rules
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # allow any IP to reach port 22 (inbound)
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT   # allow port-22 traffic back out to any IP (outbound)
iptables -I INPUT -s 10.17.162.137 -p tcp --dport 22 -j ACCEPT   # a specific IP to a specific port
iptables -I OUTPUT -d 10.17.162.137 -p tcp --sport 22 -j ACCEPT   # only needed if outbound traffic is blocked (the client is the destination on OUTPUT, hence -d)

[client]
default-character-set=utf8
socket=/var/lib/mysql/mysql.sock
[mysqld_safe]
open-files-limit = 8192
log-error=/var/log/mysqld.log
socket=/var/lib/mysql/mysql.sock
pid-file=/var/run/mysqld/mysqld.pid

service mysqld restart   # restart MySQL
##### MySQL operations tip
High CPU or memory usage by MySQL may be caused by connections that are not released in time; a simple setting solves this effectively.

mysql -uroot -p
mysql> show global variables like '%timeout';
mysql> set global interactive_timeout=100;
> The setting above is lost once mysqld.service restarts

vi /etc/my.cnf
[mysqld]
interactive_timeout=20
wait_timeout=20
> The setting above takes effect permanently
##### Create a remote MySQL user and grant privileges (not recommended, because it is insecure)

mysql -uroot -p
mysql> create user root identified by 'Jeson.123.com';
mysql> grant all privileges on *.* to 'root'@'%' identified by 'Jeson.123.com' with grant option;
mysql> flush privileges;
##### Create a MySQL database

mysql> CREATE DATABASE lottery DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
##### Change the password of a given MySQL user

alter user 'test'@'localhost' identified by '<new password>';   -- MySQL 5.7 (the version installed above) has no mysql.user.password column, so the older "update mysql.user set password=password(...)" form fails
##### Delete a given MySQL user

delete from mysql.user where User='test' and Host='localhost';
flush privileges;   -- required after editing mysql.user directly; "drop user 'test'@'localhost';" is the equivalent one-step form
#### 6.4 Install the PHP environment

yum install -y php56w php56w-cli php56w-common php56w-gd php56w-ldap php56w-mbstring php56w-mcrypt php56w-mysql php56w-pdo php56w-devel
yum install -y traceroute net-snmp-devel vim sysstat tree mysql-devel ntpdate libjpeg* bind-utils
yum install -y php56w-imap php56w-odbc php56w-pear php56w-xml php56w-xmlrpc php56w-mhash libmcrypt php56w-bcmath
yum install -y php56w-fpm

vi /etc/php-fpm.d/www.conf
user = nginx    ; defaults to apache; changing it to the nginx user is only possible once nginx is installed
group = nginx   ; defaults to apache; changing it to the nginx group is only possible once nginx is installed

vi /etc/php.ini

session.save_path = "/var/lib/php/session"   ; set the session directory, otherwise PHP errors at run time

chmod 777 /var/lib/php/session   # set directory permissions (world-writable; owning it by the php-fpm user with 770 is the tighter alternative)
chkconfig php-fpm on
#### 6.5 Install REDIS and the REDIS-php extension

yum install -y tcl   # without tcl, make test fails

cd /usr/local/src
wget http://download.redis.io/releases/redis-4.0.9.tar.gz   # download the redis package
tar zxvf redis-4.0.9.tar.gz   # unpack

cd redis-4.0.9   # enter the unpacked redis directory; it can be built directly with make
make distclean   # clean any old build artifacts
make
make test
make PREFIX=/opt/redis USE_TCMALLOC=yes install
mkdir -p /opt/redis/etc
mkdir -p /opt/redis/run
mkdir -p /opt/redis/data/6379
mkdir -p /opt/redis/log
cp redis.conf /opt/redis/etc/redis.conf
cp /opt/redis/etc/redis.conf /opt/redis/etc/redis_6379.conf
##### Create the auto-start script

touch /etc/init.d/redis
vi /etc/init.d/redis
> Contents as follows:

#!/bin/sh
# chkconfig: 2345 80 90
# description: Redis server   (chkconfig --add needs this line as well as the one above)
# Simple Redis init.d script conceived to work on Linux systems as it does use of the /proc filesystem.
PATH="/opt/redis/bin:$PATH"
EXEC="/opt/redis/bin/redis-server"
CLIEXEC="/opt/redis/bin/redis-cli"
PIDFILE="/opt/redis/run/redis_6379.pid"
CONF="/opt/redis/etc/redis_6379.conf"
PORT="6379"
case "$1" in
    start)
        if [ -f "$PIDFILE" ]
        then
            echo "$PIDFILE exists, process is already running or crashed."
        else
            echo "Starting Redis server..."
            $EXEC $CONF
        fi
        ;;
    stop)
        if [ ! -f "$PIDFILE" ]
        then
            echo "$PIDFILE does not exist, process is not running."
        else
            PID=$(cat "$PIDFILE")
            echo "Stopping ..."
            $CLIEXEC -p $PORT shutdown
            while [ -x /proc/${PID} ]
            do
                echo "Waiting for Redis to shutdown ..."
                sleep 1
            done
            echo "Redis stopped."
        fi
        ;;
    restart)
        $0 stop && $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
> Grant execute permission

chmod +x /etc/init.d/redis
##### Set the time zone

vi /etc/php.ini
date.timezone = Asia/Shanghai
##### Modify the redis configuration

cp -r src/redis-* /opt/redis/
cd /opt/redis/
./redis-server etc/redis.conf
vi /opt/redis/etc/redis.conf
daemonize no  ==>  daemonize yes
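The init script above runs `$EXEC $CONF` with CONF=/opt/redis/etc/redis_6379.conf and, in stop, polls PIDFILE=/opt/redis/run/redis_6379.pid, while this step edits daemonize in redis.conf. As an added check that is not part of the original guide, the script below reads daemonize and pidfile from a given redis.conf and compares them with the init script's PIDFILE; the conf text is a constructed sample, and the pidfile value in it is an assumption about what the copied default contains:

```shell
#!/bin/sh
# Added check (not from the original guide): does the redis.conf the init
# script starts agree with the PIDFILE the init script polls?
INIT_PIDFILE="/opt/redis/run/redis_6379.pid"   # value from the init script above

sample_redis_conf() {
  # constructed redis.conf fragment, not the real copied file
  cat <<'EOF'
# constructed sample
daemonize no
pidfile /var/run/redis_6379.pid
port 6379
EOF
}

# conf_value FILE KEY -> value of the last uncommented KEY line (empty if absent)
conf_value() {
  awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# check_redis_conf CONF PIDFILE -> one line per finding; exit status = number of findings
check_redis_conf() {
  n=0
  d=$(conf_value "$1" daemonize)
  if [ "$d" != "yes" ]; then
    echo "daemonize is '${d:-unset}': '\$EXEC \$CONF' in the init script blocks in the foreground"
    n=$((n + 1))
  fi
  p=$(conf_value "$1" pidfile)
  if [ "$p" != "$2" ]; then
    echo "pidfile is '${p:-unset}' but the init script polls '$2': stop/restart never see the process"
    n=$((n + 1))
  fi
  return "$n"
}

tmp=$(mktemp)
sample_redis_conf > "$tmp"
check_redis_conf "$tmp" "$INIT_PIDFILE" || echo "$? finding(s); fix redis_6379.conf before chkconfig --add redis"
rm -f "$tmp"
```

Run it against /opt/redis/etc/redis_6379.conf (the file the init script actually reads) rather than redis.conf, since the copy was made before the daemonize edit.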
##### Install phpredis

cd /root/software
git clone https://github.com/phpredis/phpredis.git

cd phpredis
phpize
./configure --with-php-config=php-config
make
make test
make install
##### Let PHP load redis

vi /etc/php.ini
> Append the following at the end

[redis]
extension = /usr/lib64/php/modules/redis.so
> Add redis to the auto-start items

chkconfig --add redis   # start at boot
#### 6.6 Compile and install YAF

cd /root/software
wget http://pecl.php.net/get/yaf-2.3.5.tgz   # must match the PHP version (5.6)
tar zxvf yaf-2.3.5.tgz
##### Install yaf

cd yaf-2.3.5
phpize
./configure --with-php-config=/usr/bin/php-config
make
make test
make install
##### Let PHP load Yaf

vi /etc/php.ini
> Append the following at the end

[Yaf]
extension=/usr/lib64/php/modules/yaf.so
yaf.use_namespace = 1
yaf.environ = "develop"
##### Test whether it succeeded

php -i | grep yaf
> If the following appears, the installation succeeded

yaf
yaf support => enabled
Supports => http://pecl.php.net/package/yaf
yaf.action_prefer => Off => Off
yaf.cache_config => Off => Off
yaf.environ => develop => develop
yaf.forward_limit => 5 => 5
yaf.library => no value => no value
yaf.lowcase_path => Off => Off
yaf.name_separator => no value => no value
yaf.name_suffix => On => On
yaf.st_compatible => Off => Off
yaf.use_namespace => On => On
yaf.use_spl_autoload => Off => Off
#### 6.7 Install nginx

yum install -y automake autoconf libtool make
yum install -y nginx
chkconfig nginx on
##### Configure virtual hosts

cd /etc/nginx
mkdir vhost   # directory for the virtual host configuration files

vi nginx.conf
> Add the following inside server{}
> Under root in the server block, add the default index file names

index index.php default.php index.html index.htm;
> In the server block, add the statements that enable PHP

location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

> At the end of http{}, add the following

include vhost/*.conf;   # save and exit after adding this

##### Check the configuration

nginx -t   # check that nginx.conf and the files under vhost are correct
service php-fpm start   # start PHP-FPM
service nginx restart   # restart nginx
##### Virtual host example

server {
    listen 808;
    server_name 10.17.162.113:808;
    root /home/website/phpmyadmin/wwwroot;
    location / {
        index index.php index.html index.shtml;
    }
    location ~ \.php$ {
        # a "try_files $uri =404;" line here makes nginx refuse script paths that do not exist on disk before they reach php-fpm
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/website/phpmyadmin/wwwroot$fastcgi_script_name;
        include fastcgi_params;
    }
    #log...
}
##### Nginx reverse proxy (force HTTPS unconditionally)

server {
    listen 80;
    server_name <domain>;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 443;
    server_name <domain>;
    ssl on;
    ssl_certificate /etc/nginx/vhost/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/vhost/ssl/private.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1;   # TLS 1.0 only; TLSv1.2 TLSv1.3 is current practice
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass https://10.17.162.113:6443;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_next_upstream off;
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
##### Nginx access to a directory under Tomcat webapps

server {
    listen 80;
    server_name <domain>;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass http://<domain-or-IP>/<folder>/;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #root html;
        #index index.html;
        proxy_next_upstream off;
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
    location /<folder>/ {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass http://<domain-or-IP>/<folder>/;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #root html;
        #index index.html;
        proxy_next_upstream off;
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
#### 6.8 Install the Java development environment

yum search java-1.8   # search for the available java-1.8 packages
yum install -y java-1.8.0-openjdk-devel.x86_64   # install the java-1.8.0 development environment
cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/   # enter the installation directory
##### Environment configuration

vi /etc/profile   # environment configuration
> Append at the end of the file

export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64   # the path differs by version; check it
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
##### Apply immediately

source /etc/profile   # take effect immediately
##### Test

javac   # run a test
> If the following is displayed, the configuration succeeded

[root@TempLate ~]# javac
用法: javac <options> <source files>
其中, 可能的选项包括:
  -g                         生成所有调试信息
  -g:none                    不生成任何调试信息
  -g:{lines,vars,source}     只生成某些调试信息
  -nowarn                    不生成任何警告
  -verbose                   输出有关编译器正在执行的操作的消息
  -deprecation               输出使用已过时的 API 的源位置
  -classpath <路径>          指定查找用户类文件和注释处理程序的位置
  -cp <路径>                 指定查找用户类文件和注释处理程序的位置
  -sourcepath <路径>         指定查找输入源文件的位置
  -bootclasspath <路径>      覆盖引导类文件的位置
  -extdirs <目录>            覆盖所安装扩展的位置
  -endorseddirs <目录>       覆盖签名的标准路径的位置
  -proc:{none,only}          控制是否执行注释处理和/或编译。
  -processor <class1>[,<class2>,<class3>...] 要运行的注释处理程序的名称; 绕过默认的搜索进程
  -processorpath <路径>      指定查找注释处理程序的位置
  -parameters                生成元数据以用于方法参数的反射
  -d <目录>                  指定放置生成的类文件的位置
  -s <目录>                  指定放置生成的源文件的位置
  -h <目录>                  指定放置生成的本机标头文件的位置
  -implicit:{none,class}     指定是否为隐式引用文件生成类文件
  -encoding <编码>           指定源文件使用的字符编码
  -source <发行版>           提供与指定发行版的源兼容性
  -target <发行版>           生成特定 VM 版本的类文件
  -profile <配置文件>        请确保使用的 API 在指定的配置文件中可用
  -version                   版本信息
  -help                      输出标准选项的提要
  -A关键字[=值]              传递给注释处理程序的选项
  -X                         输出非标准选项的提要
  -J<标记>                   直接将 <标记> 传递给运行时系统
  -Werror                    出现警告时终止编译
  @<文件名>                  从文件读取选项和文件名
> Note: if typing javac shows "bash: javac: 未找到命令…", the configuration failed; check that the environment variable path is correct.
#### 6.8 Install Tomcat

sudo groupadd tomcat
sudo useradd -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
mkdir /root/software   # a dedicated directory for downloaded software (personal habit; /usr/local and the like also work)
cd /root/software
wget https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.30/bin/apache-tomcat-8.5.30.tar.gz
sudo tar -zxvf apache-tomcat-8.5.30.tar.gz -C /opt/tomcat --strip-components=1
cd /opt/tomcat
chmod -R 754 bin/
chgrp -R tomcat /opt/tomcat
chmod -R g+r conf
chmod g+x conf
chown -R tomcat webapps/ work/ temp/ logs/
##### Create the service unit file

sudo vi /etc/systemd/system/tomcat.service
> The unit contents are as follows:

[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms1024M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
# Run as the unprivileged tomcat account created above; it already owns webapps/, work/, temp/ and logs/, and root here would give the container root's privileges
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
##### Apply the configuration

systemctl daemon-reload   # reload the service units
systemctl enable tomcat.service
systemctl start tomcat.service
#### 6.9 Install haveged

sudo yum install -y haveged
sudo systemctl start haveged.service
sudo systemctl enable haveged.service
> Visit http://[Your-Host-IP]:8080 to check that Tomcat responds.
#### 7.0 Configure the Tomcat management interface

sudo vi /opt/tomcat/conf/tomcat-users.xml
> Enter the following between <tomcat-users> and </tomcat-users>

<role rolename="admin-gui" />
<role rolename="manager-gui" />
<role rolename="manager-script" />
<role rolename="manager-jmx" />
<role rolename="manager-status" />
<user username="tomcat" password="s3cret" roles="admin-gui,manager-gui,manager-script,manager-jmx,manager-status" />
##### Restart to apply

sudo systemctl restart tomcat.service
##### Modify the server.xml configuration (if ports need changing)

cd /opt/tomcat/conf/
vi server.xml
<!-- change the shutdown port -->
<Server port="9005" shutdown="SHUTDOWN">
<!-- change the HTTP port -->
<Connector port="9080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPostSize="-1"
           URIEncoding="UTF-8" />
<!-- maxPostSize="-1" removes the upload size limit; from Tomcat 7 on the value must be "-1" and not "0", because "0" makes every transmitted parameter arrive as "null" -->
##### Splitting the catalina.out log

yum install -y cronolog
> Modify bin/catalina.sh; of the lines below, the 2nd, 15th, 16th, 23rd and 24th are the ones that need changing

shift
touch "$CATALINA_OUT"
if [ "$1" = "-security" ] ; then
  if [ $have_tty -eq 1 ]; then
    echo "Using Security Manager"
  fi
  shift
  eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
    -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
    -Djava.security.manager \
    -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
    -Dcatalina.base="\"$CATALINA_BASE\"" \
    -Dcatalina.home="\"$CATALINA_HOME\"" \
    -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
    org.apache.catalina.startup.Bootstrap "$@" start \
In nginx's conf, make the corresponding change:
server {
    listen 80;
    server_name lottery001.itrxm.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    listen 443;
    server_name x;
    ssl on;
    ssl_certificate /etc/nginx/vhost/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/vhost/ssl/private.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass http://10.17.162.113:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_next_upstream off;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
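Both HTTPS server blocks in this guide (the unconditional-HTTPS reverse proxy earlier and the Tomcat front end just above) set `ssl on;` and `ssl_protocols TLSv1;`. As an added defender-side check that is not part of the original guide, the script below audits an nginx config for exactly those two settings and prints the directives to use instead; the vhost text is a constructed sample mirroring the guide's directives, and `example.invalid` is a placeholder:

```shell
#!/bin/sh
# Added audit (not from the original guide): flag "ssl on;" and obsolete
# ssl_protocols values in nginx server blocks like the ones above.
sample_vhost() {
  # constructed sample mirroring the guide's HTTPS block
  cat <<'EOF'
server {
    listen 443;
    server_name example.invalid;
    ssl on;
    ssl_certificate /etc/nginx/vhost/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/vhost/ssl/private.key;
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Directives recommended in place of "ssl on;" and "ssl_protocols TLSv1;"
hardened_tls_directives() {
  cat <<'EOF'
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
EOF
}

# audit_nginx_tls FILE -> one finding per line; exit status = number of findings
audit_nginx_tls() {
  findings=$(sed 's/#.*//' "$1" | awk '
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        v = $i; sub(/;$/, "", v)
        if (v == "SSLv2" || v == "SSLv3" || v == "TLSv1" || v == "TLSv1.1")
          printf "line %d: ssl_protocols enables %s, which is obsolete\n", NR, v
      }
    }
    $1 == "ssl" && $2 == "on;" {
      printf "line %d: \"ssl on;\" is deprecated, use \"listen 443 ssl;\"\n", NR
    }')
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return "$(printf '%s\n' "$findings" | grep -c .)"
}

tmp=$(mktemp)
sample_vhost > "$tmp"
if ! audit_nginx_tls "$tmp"; then
  echo "recommended replacement:"
  hardened_tls_directives
fi
rm -f "$tmp"
```

Point `audit_nginx_tls` at the real files under /etc/nginx/vhost/ to check the deployed configuration; after the change, `nginx -t` still validates the syntax.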

> In Tomcat's server.xml, change:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
##### to:

<!-- keystoreFile must be an absolute path, otherwise errors are likely -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/opt/tomcat/huizhong/conf/cert/201802031124.pfx"
           keystoreType="PKCS12" keystorePass="201802031124"
           clientAuth="false" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

##### and add a new node:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />
##### Restart the Tomcat service

systemctl restart tomcat.service
> Note: if you only have key and crt files for the certificate, you can go to https://www.myssl.cn/tools/merge-pfx-cert.html to generate a pfx certificate and set a password for it. (openssl pkcs12 -export -inkey private.key -in certificate.crt -out certificate.pfx produces the same file locally, so the private key never leaves the server.)
##### Monitoring Tomcat performance with VisualVM
> JMX download: http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-7/v7.0.81/bin/extras/catalina-jmx-remote.jar ; after downloading catalina-jmx-remote.jar, put it in Tomcat's lib directory

vim catalina.sh
> Add the following below the comment block

# jmxremote.ssl=false means the JMX login travels unencrypted, so keep port 7090 reachable only from the monitoring host
CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=7090
-Dcom.sun.management.jmxremote.ssl=false
-Djava.rmi.server.hostname=<IP address of the monitored server>
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/var/tomcat/tomcat7/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/var/tomcat/tomcat7/conf/jmxremote.access"

cd /var/tomcat/tomcat7/conf
vim jmxremote.access

monitorRole readonly
controlRole readwrite

vim jmxremote.password   # must be owned by the user that runs tomcat

monitorRole 25DWdl2&D^W
controlRole 25DWdl2&D^W
##### Set permissions and restart Tomcat

chmod 0400 jmxremote.password   # the password file must be read-only and readable only by the user that runs Tomcat
systemctl restart tomcat.service
With this, a complete environment is configured.

