Tags: baidu protoc use protocol lse direct remote assessment ado
For the past two days I have been fixing host and website vulnerabilities for a client (findings from NSFOCUS's (绿盟科技) "Remote Security Assessment System"). For most of these findings the standard fix is to upgrade the affected software.
Upgrading to the latest version is usually enough; this time nginx was upgraded from 1.13.6 to 1.17.9 and Tomcat from 8.5.16 to 8.5.51.
First, a brief description of the deployment structure, shown in the diagram below:
1. Tomcat configuration
After the upgrade, the main work is configuration. Tomcat's configuration is relatively simple; two files need changes:
\conf\server.xml
<Connector port="9005" protocol="org.apache.coyote.http11.Http11Nio2Protocol" redirectPort="8443" connectionTimeout="20000" URIEncoding="UTF-8" minSpareThreads="25" enableLookups="false" maxThreads="500" acceptCount="500" />
\conf\web.xml: directly under the <web-app> root element, change the content to the following structure:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
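The web.xml change above works because an <auth-constraint> with no <role-name> means "nobody is authorised", so the listed methods are denied to every caller. Two DefaultServlet parameters should be read together with it: listings=false disables directory browsing, while readonly=false (the Tomcat default is true) lets DefaultServlet accept PUT/DELETE writes, so in this setup it is the security-constraint alone that blocks them. The following script is an added example, not code from the original post or from Tomcat; it parses a web.xml fragment constructed inline to mirror the post's settings (wrapped in the Tomcat 8.5 <web-app> root and with the schema-required <web-resource-name> added) and reports what the fragment actually enforces:

```python
"""Offline audit of the Tomcat conf/web.xml hardening shown above.

Added example (not code from the original post or from Tomcat). It reports:
  * url-patterns and methods covered by a <security-constraint> whose
    <auth-constraint> lists no <role-name>, i.e. methods denied to everyone;
  * the DefaultServlet init-params a scanner cares about: listings
    (directory browsing) and readonly (whether PUT/DELETE may write files;
    Tomcat's default is true).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the post's fragment inside the Tomcat 8.5 <web-app> root
# (with its namespace) plus the schema-required <web-resource-name>.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _parse(web_xml_text):
    """Parse and drop the XML namespace so tags can be matched by local name."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def denied_methods(root):
    """Map url-pattern -> set of HTTP methods that no caller may use.

    Only constraints with an empty <auth-constraint> count: no role-name means
    "nobody is authorised", which is how the post blocks the methods.
    """
    denied = {}
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None or auth.findall("role-name"):
            continue  # no constraint, or a role-based one; not a blanket deny
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            for pattern in wrc.findall("url-pattern"):
                denied.setdefault(pattern.text.strip(), set()).update(methods)
    return denied


def default_servlet_params(root):
    """Return the init-params of the servlet named 'default' as a dict."""
    for sv in root.iter("servlet"):
        if sv.findtext("servlet-name", "").strip() == "default":
            return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
                    for p in sv.findall("init-param")}
    return {}


def audit(web_xml_text):
    """Return the enforced state plus a list of findings worth a second look."""
    root = _parse(web_xml_text)
    denied = denied_methods(root)
    params = default_servlet_params(root)
    risks = []
    if params.get("listings", "false").lower() == "true":
        risks.append("DefaultServlet listings=true: directory contents are browsable")
    if params.get("readonly", "true").lower() == "false":
        risks.append("DefaultServlet readonly=false: PUT/DELETE writes are accepted "
                     "unless a security-constraint denies those methods")
    if not {"PUT", "DELETE"} <= denied.get("/*", set()):
        risks.append("PUT and DELETE are not denied for /*")
    return {"denied": denied, "default_servlet": params, "risks": risks}


if __name__ == "__main__":
    result = audit(SAMPLE_WEB_XML)
    for pattern, methods in result["denied"].items():
        print(f"{pattern}: denied {sorted(methods)}")
    for msg in result["risks"]:
        print("finding:", msg)
```

Run against the post's settings it confirms that PUT, DELETE, HEAD, OPTIONS and TRACE are denied for /* and that listings are off, and raises exactly one finding: readonly=false, which is harmless only as long as the constraint stays in place.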
2. nginx configuration
\conf\nginx.conf is configured as follows:
#user nobody;
worker_processes 16;

error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;

events {
    worker_connections 10240;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;   # hides the nginx version in headers and error pages (the directive is "server_tokens", plural)

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    #gzip on;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream xuehua {
        ip_hash;
        server 127.0.0.1:9005;
        server 127.0.0.1:9006;
        server 127.0.0.1:9007;
        server 127.0.0.1:9008;
        server 127.0.0.1:9009;
    }

    upstream xuehua2 {
        ip_hash;
        server 127.0.0.1:9019;
    }

    upstream myserver {
        ip_hash;
        server 127.0.0.1:35001;
        server 127.0.0.1:35002;
    }

    server {
        listen 8081;
        server_name localhost;

        location ^~ /api/Message {
            proxy_pass http://myserver/Message;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header X-Real-IP $remote_addr;
        }

        location ^~ /api/ {
            proxy_pass http://myserver/;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # hotlink protection
        location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
            valid_referers none blocked server_names *.ahcrb.net.cn http://localhost baidu.com;
            if ($invalid_referer) {
                rewrite ^/ http://ahcrb.net.cn/images/default/logo.gif;
                # return 403;
            }
        }

        #location / {
        #    allow 127.0.0.1;
        #    deny all;
        #}

        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 10;
            proxy_read_timeout 200;
            proxy_send_timeout 90;
            proxy_pass http://xuehua2/;
        }

        error_page 403 404 /404.html;
        location = /404.html {
            internal;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server {
        listen 8082;
        server_name 172.16.90.29;

        location ^~ /api/Message {
            proxy_pass http://myserver/Message;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header X-Real-IP $remote_addr;
        }

        location ^~ /api/ {
            proxy_pass http://myserver/;
            proxy_set_header X-Real-IP $remote_addr;
        }

        #location / {
        #    allow 127.0.0.1;
        #    deny all;
        #}

        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 10;
            proxy_read_timeout 200;
            proxy_send_timeout 90;
            proxy_pass http://xuehua2/;   # as written, this server block also proxies to xuehua2
        }

        error_page 403 404 /404.html;
        location = /404.html {
            internal;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
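The hotlink-protection location above depends on the exact semantics of valid_referers, which are easy to misread: "none" admits requests with no Referer at all, "blocked" admits a Referer that a proxy or firewall has stripped of its http:// or https:// prefix, "server_names" admits the block's own server_name values, "*.ahcrb.net.cn" matches subdomains but not the bare apex, and "baidu.com" matches that host exactly (not www.baidu.com). The following model is an added example, not code from the original post or from nginx; it reproduces those documented rules for the post's entry list and the 8081 server block, and reduces the entry "http://localhost" to a bare host, which is this example's own simplification:

```python
"""Model of the valid_referers decision behind the hotlink-protection
location in the nginx.conf above.

Added example, not code from the original post or from nginx. It follows the
documented rules of ngx_http_referer_module:
  none          the Referer header is absent
  blocked       Referer is present but does not start with http:// or https://
  server_names  the Referer host equals one of the block's server_name values
  other entries are host names; a leading "*." matches any subdomain (not the
  bare apex) and a plain name matches exactly.
Port and path of the Referer are ignored; hosts compare case-insensitively.
Entries written with a scheme are reduced to a bare host (example simplification).
"""
import re
from urllib.parse import urlsplit

# Values taken from the post's server block on port 8081.
VALID_REFERERS = ["none", "blocked", "server_names",
                  "*.ahcrb.net.cn", "http://localhost", "baidu.com"]
SERVER_NAMES = ["localhost"]
PROTECTED = re.compile(r"^.+\.(gif|jpg|png|swf|flv|rar|zip)$", re.IGNORECASE)
LOGO_URL = "http://ahcrb.net.cn/images/default/logo.gif"  # the rewrite target


def _entry_host(entry):
    """Normalise a valid_referers entry to a lower-case host name."""
    entry = entry.lower()
    for scheme in ("http://", "https://"):
        if entry.startswith(scheme):
            entry = entry[len(scheme):]
    return entry.split("/", 1)[0]


def _host_matches(host, entry):
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # "*.ahcrb.net.cn" -> ends with ".ahcrb.net.cn"
    return host == entry


def is_valid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would leave $invalid_referer empty for this Referer."""
    if referer is None:
        return "none" in valid
    low = referer.strip().lower()
    if not low.startswith(("http://", "https://")):
        return "blocked" in valid
    host = urlsplit(low).hostname or ""
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry == "server_names":
            if any(_host_matches(host, _entry_host(n)) for n in server_names):
                return True
        elif _host_matches(host, _entry_host(entry)):
            return True
    return False


def respond(path, referer):
    """Outcome for a request path under the post's port-8081 server block.

    Regex locations take precedence over "location /", so any URI matching
    PROTECTED is handled by the hotlink block: a valid Referer is allowed
    through, anything else is redirected to LOGO_URL by the rewrite (a
    replacement starting with http:// makes nginx return a 302). Every other
    URI falls through to the proxied locations.
    """
    uri = path.split("?", 1)[0]
    if not PROTECTED.match(uri):
        return ("proxy", uri)
    if is_valid_referer(referer):
        return ("allow", uri)
    return ("redirect", LOGO_URL)


if __name__ == "__main__":
    for ref in (None, "ahcrb.net.cn/page", "http://www.ahcrb.net.cn/g",
                "https://ahcrb.net.cn/", "http://localhost:8081/", "https://www.baidu.com/"):
        print(repr(ref), "->", respond("/images/a.jpg", ref))
```

Two results are worth checking against your own expectations: a Referer of https://ahcrb.net.cn/ is rejected, because "*.ahcrb.net.cn" does not cover the apex domain (add "ahcrb.net.cn" or ".ahcrb.net.cn" if pages are served from it), and https://www.baidu.com/ is rejected because "baidu.com" is an exact match. Note also that the image location has neither root nor proxy_pass, so a permitted image request is served from nginx's default document root rather than from Tomcat; the commented "return 403" alternative would answer hotlinks with a 403 instead of a redirect.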
3. Once Tomcat and nginx are running, there are two ways to access the service locally on the server:
4. Accessing from a PC on the same LAN as the server
Check which ports are open on the server: only permitted ports can be reached, otherwise a new inbound rule is needed. To open port 9005, go to Control Panel - Firewall - New Inbound Rule and add port 9005.
5. To host two test addresses under a single nginx, configure two server blocks in nginx, each listening on its own port. Each server block maps to one Tomcat; deploy the new code in one Tomcat and the old code in the other, and you have two environments.
As before, the listening ports must be opened to the outside. Requests reach different services depending on the port; the configuration at this stage is shown in the following diagram:
Some notes on configuring nginx and Tomcat on Windows Server
Original post: https://www.cnblogs.com/tank073/p/12512573.html