SUNScholar/Optimisations/Tomcat


Server Configuration
Best system administration practice tells us not to modify any of the files packaged for installation using the "dpkg" method; however, in this instance modifications of the packaged Tomcat server files are required. For this reason, take note of any future Tomcat software updates and refer to this page after the Tomcat upgrade.

UTF-8
Add the following to the Tomcat server config file (/etc/tomcatX/server.xml):

URIEncoding="UTF-8"

Please refer to: https://blog.oio.de/2010/12/31/solving-tomcat-encoding-problems-in-utf-8-webapps

Log Files
Edit the following file:

sudo nano /etc/default/tomcat7

Check and modify the log file settings as needed.

In addition, the access log is disabled for Tomcat 7 in the /etc/tomcat7/server.xml file.

See example below:

Server Security

 * http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05/Ubuntu-14.04#Step_5.5_Setup_Tomcat_server_permissions
 * http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05/Ubuntu-12.04#Step_5.5_Setup_Tomcat_server_permissions

Also see: https://www.owasp.org/index.php/Securing_tomcat

Relative Redirects
Required for Tomcat 8 and recent versions of Tomcat 7 (most likely on Ubuntu 16.04)

The redirect issue can be encountered on the logout action: https://jira.duraspace.org/browse/DS-3505 and displays the error message "The page isn't redirecting properly" in Firefox.

Add the following to /etc/tomcat8/server.xml, /etc/tomcat8/context.xml or /etc/tomcat7/context.xml:

useRelativeRedirects="false"

Inside the  tag. E.g.:

Restart tomcat:

systemctl restart tomcat{7..8}

NIO Connector
Please note: This is now the default for Tomcat versions >= 8.

Please refer to: https://dzone.com/refcardz/getting-started-with-apache-tomcat and https://dzone.com/articles/understanding-tomcat-nio

Notice the use of the NIO protocol (protocol="org.apache.coyote.http11.Http11NioProtocol") in the example Tomcat server config file (/etc/tomcat7/server.xml) below:

<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    enableLookups="false"
    maxThreads="150"
    URIEncoding="UTF-8"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA256,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA,
             TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
    keystoreType="PKCS12"
    keystorePass="XXXXXX" />
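
An added example (not part of the original wiki page or the SUNScholar project): a small Python audit of a server.xml string that flags the weak TLS settings present in the Connector above (deprecated protocol versions, 3DES and static-RSA cipher suites, a keystore password stored in the file) and checks the URIEncoding setting this page asks for. The function names, the finding codes and the <Server>/<Service> wrapper around the page's Connector are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# The page's Connector example, wrapped in a constructed <Server>/<Service>
# skeleton so that it parses as a complete server.xml document.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  enableLookups="false" maxThreads="150" URIEncoding="UTF-8"
  SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
  keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12" keystoreType="PKCS12"
  keystorePass="XXXXXX" />
</Service></Server>"""

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568, RFC 8996

def split_list(value):
    """Split a comma-separated attribute value, ignoring surrounding whitespace."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def audit_connector(conn):
    """Return (code, detail) findings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() == "true":
        for proto in split_list(conn.get("sslEnabledProtocols")):
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(("deprecated-protocol", proto))
        for suite in split_list(conn.get("ciphers")):
            if "3DES" in suite:  # 64-bit block cipher
                findings.append(("3des-cipher", suite))
            elif suite.startswith(("TLS_RSA_", "SSL_RSA_")):  # static RSA key exchange
                findings.append(("no-forward-secrecy", suite))
        if conn.get("keystorePass"):  # secret readable by anyone who can read the file
            findings.append(("plaintext-keystore-password", conn.get("keystoreFile", "")))
    if conn.get("URIEncoding", "").upper() != "UTF-8":  # the page sets this explicitly
        findings.append(("uri-encoding", conn.get("URIEncoding", "unset")))
    return findings

def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml string; results are keyed by port."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c) for c in root.iter("Connector")}

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        for code, detail in findings:
            print(f"port {port}: {code}: {detail}")
```

Run against the page's Connector, this reports seven findings: two deprecated protocols, two 3DES suites, two static-RSA suites and the keystore password. Restricting read access to server.xml, as covered by the Server Security links on this page, is the mitigation for the last one.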

APR Library
Disable the APR listener.

See: http://sourceforge.net/p/dspace/mailman/message/34380091/

Apache mod_jk module
Remove "mod_jk" and use "authbind" exclusively in order to reduce the CPU and memory load. See: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05

Max Threads
Added the following to "/etc/tomcat6/server.xml":

maxThreads="450"

To be able to handle many connections at once.

DNS Lookups
Added the following to "/etc/tomcat6/server.xml":

enableLookups="false"

Adding the above removes the "development mode" of Tomcat and reduces DNS lookups.

Http Header Errors
Added the following to "/etc/tomcat6/server.xml":

maxHttpHeaderSize="16384"

This was required after an upgrade from DSpace 1.8.2 to 3.2.

This stopped excessive header size errors.

See: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#HTTP/1.1_and_HTTP/1.0_Support for further help

Another possible solution is here from the DSpace mailing lists.

If the number of groups is high you can reach the HTTP header limit already managed in this thread or a "tooManyClause Exception" in solr, that can be "solved" incrementing this parameter: https://github.com/DSpace/DSpace/blob/master/dspace/solr/search/conf/solrconfig.xml#L474 When the number is too large you could also consider to disable the awareness right feature, commenting this line: https://github.com/DSpace/DSpace/blob/master/dspace/config/spring/api/discovery.xml#L25

Default Application Context
Edit the following file and then rebuild DSpace:

nano $HOME/source/dspace/config/default.context.xml

Production Settings
reloadable="false" cachingAllowed="true" allowLinking="false"

Development Settings
reloadable="true" cachingAllowed="false" allowLinking="true"

It is worth noting that the Apache Tomcat documentation recommends production sites leave the default values in place.

See example below:   WEB-INF/web.xml  

See the Tomcat documentation links below:
 * http://tomcat.apache.org/tomcat-8.0-doc/config/context.html
 * http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
 * http://tomcat.apache.org/tomcat-6.0-doc/config/context.html