Difference between revisions of "SUNScholar/Optimisations/Tomcat"

From Libopedia
 
(47 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
</center>
 
</center>
  
{{Tomcat7}}
+
{{Tomcat}}
 +
 
 +
==Server Configuration==
 +
Best system administration practice tells us not modify any of the files packaged for installation using the "dpkg" method, however in this instance modifications of the packaged Tomcat server files are required. For this reason take note of any Tomcat software updates in the future and refer to this page after the Tomcat upgrade.
 +
===UTF-8===
 +
Add the following to the Tomcat server config file (/etc/tomcatX/server.xml);
 +
URIEncoding="UTF-8"
 +
Please refer to: https://blog.oio.de/2010/12/31/solving-tomcat-encoding-problems-in-utf-8-webapps
 +
 
 
===Log Files===
 
===Log Files===
 
Edit the following file:
 
Edit the following file:
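Review bot: the new UTF-8 subsection says to add URIEncoding="UTF-8" to /etc/tomcatX/server.xml without naming the element; URIEncoding is a Connector attribute and has to be set on every Connector (the port 80 one as well as the port 443 one), so suggest showing it in place, e.g. `<Connector port="80" protocol="HTTP/1.1" URIEncoding="UTF-8" ... />`, and noting that Tomcat 8 already defaults URIEncoding to UTF-8, so the setting only changes behaviour for the tomcat6 and tomcat7 packages.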
Line 26: Line 34:
 
*http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05/Ubuntu-12.04#Step_5.5_Setup_Tomcat_server_permissions
 
*http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05/Ubuntu-12.04#Step_5.5_Setup_Tomcat_server_permissions
  
 +
Also see: https://www.owasp.org/index.php/Securing_tomcat
 +
 +
===Relative Redirects===
 +
'''Required for Tomcat 8 and recent versions of Tomcat 7 (most likely on Ubuntu 16.04)'''
 +
 +
The redirect issue can be encountered on the logout action: https://jira.duraspace.org/browse/DS-3505 and displays the error message "The page isn't redirecting properly" in Firefox.
 +
 +
Add the following to <s>'''/etc/tomcat8/server.xml'''</s> '''/etc/tomcat8/context.xml''' or '''/etc/tomcat7/context.xml'''.
 +
useRelativeRedirects="false"
 +
Inside the <Context> tag. E.g.:
 +
<Context useRelativeRedirects="false">
 +
 +
Restart tomcat:
 +
 +
systemctl tomcat{7..8} restart
 +
 +
===NIO Connector===
 +
Please note: This is now the default for Tomcat versions => 8.
 +
 +
Please refer to: https://dzone.com/refcardz/getting-started-with-apache-tomcat and https://dzone.com/articles/understanding-tomcat-nio
 +
 +
Notice the use of the NIO protocol ('''''protocol="org.apache.coyote.http11.Http11NioProtocol"''''') in the example Tomcat server config file (''/etc/tomcat7/server.xml'') below;
 +
<pre>
 +
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
 +
      enableLookups="false"
 +
              maxThreads="150"
 +
              URIEncoding="UTF-8"
 +
              SSLEnabled="true"
 +
              scheme="https"
 +
              secure="true"
 +
              clientAuth="false"
 +
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
 +
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
 +
      keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
 +
      keystoreType="PKCS12"
 +
              keystorePass="XXXXXX" />
 +
</pre>
 +
 +
===APR Library===
 +
Disable the APR listener.
 +
 +
See: http://sourceforge.net/p/dspace/mailman/message/34380091/
 
===Apache mod_jk module===
 
===Apache mod_jk module===
*Remove "mod_jk", use "authbind" exclusively with no need of the Tomcat AJP connector in order to reduce the CPU and memory load
+
Remove "mod_jk", use "authbind" exclusively in order to reduce the CPU and memory load
 
  http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05
 
  http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05
 +
 
===Max Threads===
 
===Max Threads===
 
Added the following to '''/etc/tomcat6/server.xml".
 
Added the following to '''/etc/tomcat6/server.xml".
 
  maxThreads="450"
 
  maxThreads="450"
 
To able to handle many connections at once.
 
To able to handle many connections at once.
 +
 
===DNS Lookups===
 
===DNS Lookups===
 
Added the following to '''/etc/tomcat6/server.xml".
 
Added the following to '''/etc/tomcat6/server.xml".
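Review bot: the NIO connector added in this hunk keeps TLSv1 and TLSv1.1 in sslEnabledProtocols, and its ciphers attribute lists two 3DES suites (SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) plus static-RSA suites (the TLS_RSA_* entries) with no forward secrecy; suggest `sslEnabledProtocols="TLSv1.2"` and an ECDHE-only cipher list, plus a sentence that keystorePass sits in clear text so server.xml must stay readable only by root and the tomcat group. Also `systemctl tomcat{7..8} restart` in the Relative Redirects section is not valid systemctl syntax (the verb comes first, and the brace expansion produces two unit names); use `sudo systemctl restart tomcat8` (or tomcat7).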
Line 53: Line 105:
 
  https://github.com/DSpace/DSpace/blob/master/dspace/config/spring/api/discovery.xml#L25
 
  https://github.com/DSpace/DSpace/blob/master/dspace/config/spring/api/discovery.xml#L25
  
===Default Context===
+
==Default Application Context==
 
Edit the following file and then rebuild DSpace:
 
Edit the following file and then rebuild DSpace:
 
  nano $HOME/source/dspace/config/default.context.xml
 
  nano $HOME/source/dspace/config/default.context.xml
Add ''cachingAllowed="true" allowLinking="true"'' parameters and make reloadable false.
 
  
====Production Settings====
+
===Production Settings===
  reloadable="false" cachingAllowed="false" allowLinking="false"
+
  reloadable="false" cachingAllowed="true" allowLinking="false"
  
====Development Settings====
+
===Development Settings===
 
  reloadable="true" cachingAllowed="false" allowLinking="true"
 
  reloadable="true" cachingAllowed="false" allowLinking="true"
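Review bot: the dropped sentence "Add cachingAllowed="true" allowLinking="true" parameters and make reloadable false" contradicted the production line, which sets allowLinking="false", and the hunk now leaves no sentence saying why the two differ; suggest one line stating that allowLinking="false" is the safe production value because allowLinking="true" lets a symlink under the webapp serve any file the tomcat user can read, and the Tomcat context documentation says it must never be true on a case-insensitive filesystem because it disables the case checks that prevent JSP source disclosure.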
  
Line 78: Line 129:
  
 
''See Tomcat documentation links below;''
 
''See Tomcat documentation links below;''
 +
*http://tomcat.apache.org/tomcat-8.0-doc/config/context.html
 
*http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
 
*http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
 
*http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
 
*http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
  
===Sample "server.xml" file for Tomcat 7===
+
==References==
<pre>
 
<?xml version='1.0' encoding='utf-8'?>
 
<!--
 
  Licensed to the Apache Software Foundation (ASF) under one or more
 
  contributor license agreements.  See the NOTICE file distributed with
 
  this work for additional information regarding copyright ownership.
 
  The ASF licenses this file to You under the Apache License, Version 2.0
 
  (the "License"); you may not use this file except in compliance with
 
  the License.  You may obtain a copy of the License at
 
 
 
      http://www.apache.org/licenses/LICENSE-2.0
 
 
 
  Unless required by applicable law or agreed to in writing, software
 
  distributed under the License is distributed on an "AS IS" BASIS,
 
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 
  See the License for the specific language governing permissions and
 
  limitations under the License.
 
-->
 
<!-- Note:  A "Server" is not itself a "Container", so you may not
 
    define subcomponents such as "Valves" at this level.
 
    Documentation at /docs/config/server.html
 
-->
 
<Server port="8005" shutdown="SHUTDOWN">
 
  <!-- Security listener. Documentation at /docs/config/listeners.html
 
  <Listener className="org.apache.catalina.security.SecurityListener" />
 
  -->
 
  <!--APR library loader. Documentation at /docs/apr.html -->
 
  <!--
 
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
 
  -->
 
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
 
  <Listener className="org.apache.catalina.core.JasperListener" />
 
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
 
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
 
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
 
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
 
 
 
  <!-- Global JNDI resources
 
      Documentation at /docs/jndi-resources-howto.html
 
  -->
 
  <GlobalNamingResources>
 
    <!-- Editable user database that can also be used by
 
        UserDatabaseRealm to authenticate users
 
    -->
 
    <Resource name="UserDatabase" auth="Container"
 
              type="org.apache.catalina.UserDatabase"
 
              description="User database that can be updated and saved"
 
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
 
              pathname="conf/tomcat-users.xml" />
 
  </GlobalNamingResources>
 
 
 
  <!-- A "Service" is a collection of one or more "Connectors" that share
 
      a single "Container" Note:  A "Service" is not itself a "Container",
 
      so you may not define subcomponents such as "Valves" at this level.
 
      Documentation at /docs/config/service.html
 
  -->
 
  <Service name="Catalina">
 
 
 
    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
 
    <!--
 
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
 
        maxThreads="150" minSpareThreads="4"/>
 
    -->
 
 
 
 
 
    <!-- A "Connector" represents an endpoint by which requests are received
 
        and responses are returned. Documentation at :
 
        Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
 
        Java AJP  Connector: /docs/config/ajp.html
 
        APR (HTTP/AJP) Connector: /docs/apr.html
 
        Define a non-SSL HTTP/1.1 Connector on port 8080
 
    -->
 
    <Connector port="80" protocol="HTTP/1.1"
 
              enableLookups="false"
 
              maxConnections="-1"
 
              maxThreads="450"
 
              maxHttpHeaderSize="16384"
 
              connectionTimeout="20000"
 
              URIEncoding="UTF-8"
 
              redirectPort="443" />
 
    <!-- A "Connector" using the shared thread pool-->
 
    <!--
 
    <Connector executor="tomcatThreadPool"
 
              port="8080" protocol="HTTP/1.1"
 
              connectionTimeout="20000"
 
              redirectPort="8443" />
 
    -->
 
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
 
        This connector uses the JSSE configuration, when using APR, the
 
        connector should be using the OpenSSL style configuration
 
        described in the APR documentation -->
 
 
 
    <Connector port="443" protocol="HTTP/1.1"
 
      enableLookups="false"
 
              maxThreads="150"
 
              URIEncoding="UTF-8"
 
              SSLEnabled="true"
 
              scheme="https"
 
              secure="true"
 
              clientAuth="false"
 
              sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
 
      keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
 
      keystoreType="PKCS12"
 
              keystorePass="XXXXXXX" />
 
 
 
    <!-- Define an AJP 1.3 Connector on port 8009 -->
 
    <!--
 
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
    -->
 
 
 
 
 
    <!-- An Engine represents the entry point (within Catalina) that processes
 
        every request.  The Engine implementation for Tomcat stand alone
 
        analyzes the HTTP headers included with the request, and passes them
 
        on to the appropriate Host (virtual host).
 
        Documentation at /docs/config/engine.html -->
 
 
 
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
 
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
 
    -->
 
    <Engine name="Catalina" defaultHost="localhost">
 
 
 
      <!--For clustering, please take a look at documentation at:
 
          /docs/cluster-howto.html  (simple how to)
 
          /docs/config/cluster.html (reference documentation) -->
 
      <!--
 
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
 
      -->
 
 
 
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
 
          via a brute-force attack -->
 
      <Realm className="org.apache.catalina.realm.LockOutRealm">
 
        <!-- This Realm uses the UserDatabase configured in the global JNDI
 
            resources under the key "UserDatabase".  Any edits
 
            that are performed against this UserDatabase are immediately
 
            available for use by the Realm.  -->
 
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
 
              resourceName="UserDatabase"/>
 
      </Realm>
 
 
 
      <Host name="localhost"  appBase="webapps"
 
            unpackWARs="true" autoDeploy="true">
 
 
 
        <!-- SingleSignOn valve, share authentication between web applications
 
            Documentation at: /docs/config/valve.html -->
 
        <!--
 
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
 
        -->
 
 
 
        <!-- Access log processes all example.
 
            Documentation at: /docs/config/valve.html
 
            Note: The pattern used is equivalent to using pattern="common" -->
 
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
 
              prefix="localhost_access_log." suffix=".txt"
 
              pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 
 
 
      </Host>
 
    </Engine>
 
  </Service>
 
</Server>
 
</pre>
 
 
 
===UTF-8===
 
*https://blog.oio.de/2010/12/31/solving-tomcat-encoding-problems-in-utf-8-webapps
 
 
 
===References===
 
 
*https://wiki.duraspace.org/display/DSDOC5x/Performance+Tuning+DSpace
 
*https://wiki.duraspace.org/display/DSDOC5x/Performance+Tuning+DSpace
 
*https://wiki.duraspace.org/display/DSDOC4x/Performance+Tuning+DSpace
 
*https://wiki.duraspace.org/display/DSDOC4x/Performance+Tuning+DSpace
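Review bot: removing the Tomcat 7 sample server.xml takes away the only place the page showed where maxThreads="450", maxHttpHeaderSize="16384", enableLookups="false" and redirectPort="443" sit (the port 80 Connector), that the AJP 8009 Connector is commented out as the mod_jk section assumes, and that the AprLifecycleListener is commented out as the APR section asks; the later sections now say "add the following to server.xml" with no element named. Suggest keeping a trimmed excerpt of the two Connector elements and the two commented-out lines (keystorePass replaced by a placeholder) under Max Threads or in the References. The removed sample also had maxConnections="-1" (no cap on accepted connections); if that is still in use it deserves a sentence next to maxThreads.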
Line 254: Line 140:
 
*https://wiki.duraspace.org/display/DSDOC4x/Installing+DSpace#InstallingDSpace-ServletEngine(ApacheTomcat7orlater,Jetty,CauchoResinorequivalent)
 
*https://wiki.duraspace.org/display/DSDOC4x/Installing+DSpace#InstallingDSpace-ServletEngine(ApacheTomcat7orlater,Jetty,CauchoResinorequivalent)
 
*https://wiki.duraspace.org/display/DSDOC3x/Installation#Installation-ServletEngine(ApacheTomcat5.5orlater,Jetty,CauchoResinorequivalent)
 
*https://wiki.duraspace.org/display/DSDOC3x/Installation#Installation-ServletEngine(ApacheTomcat5.5orlater,Jetty,CauchoResinorequivalent)
 +
*http://tomcat.apache.org/tomcat-8.0-doc
 +
*http://tomcat.apache.org/tomcat-7.0-doc
 +
*http://tomcat.apache.org/tomcat-6.0-doc
 
*http://www.turnkeylinux.org/tomcat
 
*http://www.turnkeylinux.org/tomcat
 +
*https://gist.github.com/hardyoyo/8664b2171d26adcf7b7e
 +
[[Category:System Administration]]
 +
[[Category:Optimisations]]

Latest revision as of 14:21, 23 April 2018

When using the Ubuntu 16.04 LTS server change all instances of tomcat to tomcat8.
When using the Ubuntu 14.04 LTS server change all instances of tomcat to tomcat7.
When using the Ubuntu 12.04 LTS server change all instances of tomcat to tomcat6.

Server Configuration

Best system administration practice tells us not to modify files installed by a dpkg package, but in this instance the packaged Tomcat configuration files do need to be changed. Because of that, keep an eye on future Tomcat package updates: dpkg will ask what to do with the locally modified conffiles (or keep the packaged version beside them as *.dpkg-dist), so diff and re-apply the settings on this page after every Tomcat upgrade.

UTF-8

Add the following attribute to each Connector element in the Tomcat server config file (/etc/tomcatX/server.xml):

URIEncoding="UTF-8"

Please refer to: https://blog.oio.de/2010/12/31/solving-tomcat-encoding-problems-in-utf-8-webapps

Log Files

Edit the following file:

sudo nano /etc/default/tomcat7

Check and modify the log file settings as needed.

In addition, the Tomcat 7 access log was disabled in the /etc/tomcat7/server.xml file by commenting out the AccessLogValve. Bear in mind that the access log is usually the only per-request record on the box during an incident investigation; if you turn it off to save I/O, make sure the front-end proxy or another log source still records the client IP, request line and status code.

See example below:

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        -->

Server Security

Also see: https://www.owasp.org/index.php/Securing_tomcat

Relative Redirects

Required for Tomcat 8 and recent versions of Tomcat 7 (most likely on Ubuntu 16.04)

The redirect issue can be encountered on the logout action: https://jira.duraspace.org/browse/DS-3505 and displays the error message "The page isn't redirecting properly" in Firefox.

Add the following to /etc/tomcat8/context.xml (or /etc/tomcat7/context.xml), not to server.xml:

useRelativeRedirects="false"

Inside the <Context> tag. E.g.:

<Context useRelativeRedirects="false">

Restart tomcat:

sudo systemctl restart tomcat8

(use tomcat7 instead of tomcat8 on Ubuntu 14.04)

NIO Connector

Please note: the NIO connector is the default for Tomcat 8 and later, so the protocol attribute below only changes behaviour on Tomcat 7, where protocol="HTTP/1.1" selects the blocking Http11Protocol connector.

Please refer to: https://dzone.com/refcardz/getting-started-with-apache-tomcat and https://dzone.com/articles/understanding-tomcat-nio

Notice the use of the NIO protocol (protocol="org.apache.coyote.http11.Http11NioProtocol") in the HTTPS connector from the Tomcat server config file (/etc/tomcat7/server.xml) below:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false"
               maxThreads="150"
               URIEncoding="UTF-8"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
               keystoreType="PKCS12"
               keystorePass="XXXXXX" />

Two caveats before copying this connector. First, the TLS settings are as deployed in 2018: sslEnabledProtocols still allows TLSv1 and TLSv1.1, and the ciphers list contains two 3DES suites (SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) and static-RSA suites (the TLS_RSA_* entries) that provide no forward secrecy; a current deployment should enable TLSv1.2 only and keep only the ECDHE suites. Second, keystorePass is stored in clear text, so /etc/tomcat7/server.xml must stay owned by root, group tomcat7, mode 640 (check with ls -l); anyone who can read the file can also open the private key.

APR Library

Disable the APR listener: comment out the <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> line in /etc/tomcatX/server.xml. With the APR listener loaded, the HTTPS connector expects OpenSSL-style certificate attributes instead of the JSSE keystore attributes used in the connector above.

See: http://sourceforge.net/p/dspace/mailman/message/34380091/

Apache mod_jk module

Remove mod_jk and run Tomcat directly on ports 80 and 443 using authbind (so it can bind the privileged ports without running as root); this removes the Apache-to-Tomcat hop and its CPU and memory cost. Once mod_jk is gone nothing needs the AJP connector, so comment out the port 8009 Connector in server.xml as well: an AJP listener left open is another network-reachable entry point into Tomcat.

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05

Max Threads

Add the following to the Connector elements in /etc/tomcat6/server.xml (tomcat7/tomcat8 on later releases):

maxThreads="450"

This lets Tomcat handle many connections at once. Each worker thread costs memory, and requests that arrive while all threads are busy wait for a free one, so size maxThreads together with the database connection pool rather than raising it blindly.

DNS Lookups

Add the following to each Connector in /etc/tomcat6/server.xml (tomcat7/tomcat8 on later releases):

enableLookups="false"

This stops Tomcat performing a reverse DNS lookup on every client IP address (for request.getRemoteHost()); logs and DSpace statistics then record the IP address instead of a host name, and a slow or unreachable resolver can no longer stall request threads.

Http Header Errors

Add the following to the Connector in /etc/tomcat6/server.xml (tomcat7/tomcat8 on later releases):

  maxHttpHeaderSize="16384"

This was required after an upgrade from DSpace 1.8.2 to 3.2.

This stopped excessive header size errors.

See: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#HTTP/1.1_and_HTTP/1.0_Support for further help

Another possible solution, quoted from the DSpace mailing lists:

  If the number of groups is high you can reach the HTTP header limit already managed in this thread or a "tooManyClause Exception" in Solr, which can be "solved" by incrementing this parameter.

  https://github.com/DSpace/DSpace/blob/master/dspace/solr/search/conf/solrconfig.xml#L474

  When the number is too large you could also consider disabling the awareness right feature, commenting this line

  https://github.com/DSpace/DSpace/blob/master/dspace/config/spring/api/discovery.xml#L25

Default Application Context

Edit the following file and then rebuild DSpace:

nano $HOME/source/dspace/config/default.context.xml

Production Settings

reloadable="false" cachingAllowed="true" allowLinking="false"

Development Settings

reloadable="true" cachingAllowed="false" allowLinking="true"

It is worth noting that the Apache Tomcat documentation recommends that production sites leave the default values in place.

The example below (from $HOME/source/dspace/config/default.context.xml) still carries allowLinking="true" and crossContext="true". For a production build change allowLinking to "false", as in the production settings above: allowLinking="true" lets a symlink under the webapp serve any file the tomcat user can read.

<?xml version="1.0" ?>
<Context debug="0" reloadable="false" cachingAllowed="true" allowLinking="true" crossContext="true">
	<WatchedResource>WEB-INF/web.xml</WatchedResource>
	<Parameter name="dspace-config" override="false"
		value="/home/dspace/config/dspace.cfg"
		description="Path to the DSpace configuration file." />
</Context>
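The connector attributes from the NIO Connector section and the Context attributes from this section can be checked mechanically before a restart. The auditor below is an added example, not code from the SUNScholar wiki, DSpace or Tomcat. The XML documents inside it are constructed for the example: the PAGE_STYLE ones repeat the attribute values shown on this page, while the HARDENED ones are an assumption about what a current deployment would use (TLSv1.2 only, ECDHE/GCM suites, no AJP connector, no APR listener, useRelativeRedirects="false"). The finding texts are the example's own wording.

```python
"""Audit the Tomcat connector and context settings discussed on this page.

Added example, not code from the SUNScholar wiki, DSpace or Tomcat.  The XML is
constructed: PAGE_STYLE repeats the page's attribute values, HARDENED is an assumption.
"""
import xml.etree.ElementTree as ET

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("3DES", "RC4", "_NULL_", "EXPORT", "_MD5")
STATIC_KEX_PREFIXES = ("TLS_RSA_", "SSL_RSA_")  # RSA key exchange: no forward secrecy

PAGE_STYLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" enableLookups="false" maxThreads="450"
               maxHttpHeaderSize="16384" URIEncoding="UTF-8" redirectPort="443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" maxThreads="150" URIEncoding="UTF-8" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12" keystoreType="PKCS12"
               keystorePass="XXXXXX" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>
"""
HARDENED_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" maxThreads="150" URIEncoding="UTF-8" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
               keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12" keystoreType="PKCS12"
               keystorePass="XXXXXX" />
  </Service>
</Server>
"""
PAGE_STYLE_CONTEXT_XML = """<?xml version="1.0" ?>
<Context debug="0" reloadable="false" cachingAllowed="true" allowLinking="true" crossContext="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""
HARDENED_CONTEXT_XML = """<?xml version="1.0" ?>
<Context reloadable="false" cachingAllowed="true" allowLinking="false"
         useRelativeRedirects="false" crossContext="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""


def audit_server_xml(text):
    """Return 'where: problem' strings for the Listener and Connector elements of a server.xml."""
    findings = []
    root = ET.fromstring(text)
    for lst in root.iter("Listener"):
        if lst.get("className", "").endswith("AprLifecycleListener"):
            findings.append("Listener: AprLifecycleListener enabled (page says disable it)")
    for c in root.iter("Connector"):
        where = "Connector port=%s" % c.get("port", "?")
        if c.get("protocol", "HTTP/1.1").startswith("AJP"):
            findings.append(where + ": AJP connector still present; drop it with mod_jk")
            continue
        if c.get("enableLookups", "").lower() != "false":
            findings.append(where + ": enableLookups not set to false (reverse DNS per request)")
        if c.get("URIEncoding") != "UTF-8":
            findings.append(where + ": URIEncoding not UTF-8")
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        for p in sorted(enabled & WEAK_PROTOCOLS):
            findings.append(where + ": weak protocol " + p)
        for s in (s.strip() for s in c.get("ciphers", "").split(",") if s.strip()):
            if any(m in s for m in WEAK_SUITE_MARKERS):
                findings.append(where + ": weak cipher suite " + s)
            elif s.startswith(STATIC_KEX_PREFIXES):
                findings.append(where + ": no forward secrecy in " + s)
        if c.get("keystorePass"):
            findings.append(where + ": keystorePass in clear text; keep server.xml unreadable to others")
    return findings


def audit_context_xml(text, production=True):
    """Return findings for a DSpace default.context.xml or Tomcat context.xml."""
    ctx = ET.fromstring(text)
    findings = []
    if ctx.get("allowLinking", "false").lower() == "true":
        findings.append("Context: allowLinking=true lets a symlink in the webapp serve files outside it")
    if production and ctx.get("reloadable", "false").lower() == "true":
        findings.append("Context: reloadable=true in production")
    if ctx.get("useRelativeRedirects", "true").lower() != "false":
        findings.append("Context: useRelativeRedirects not false (logout redirect loop, DS-3505)")
    return findings


if __name__ == "__main__":
    for doc, fn in ((PAGE_STYLE_SERVER_XML, audit_server_xml), (HARDENED_SERVER_XML, audit_server_xml),
                    (PAGE_STYLE_CONTEXT_XML, audit_context_xml), (HARDENED_CONTEXT_XML, audit_context_xml)):
        print(fn(doc) or ["clean"])
```

Run it against the live files with audit_server_xml(open("/etc/tomcat8/server.xml").read()) and audit_context_xml(open("/etc/tomcat8/context.xml").read()). On the page-style server.xml it reports the TLSv1/TLSv1.1 protocols, the two 3DES suites, the two static-RSA suites, the clear-text keystore password, the AJP connector and the APR listener; the hardened document leaves only the keystore-password reminder, which is the point: even a clean connector carries a secret, so file permissions still matter.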

See Tomcat documentation links below;

References