JWorld@TW the best professional Java site in Taiwan
Added to the featured section by browser at 2007-05-26 21:27
Author: wing_zero
Subject: Tomcat 5.0/5.5 with SSL + cluster + load balance: experience notes [Featured]
Posts: 213
Points: 9
Posted: 2007-05-26 18:24

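When you cluster Tomcat, you usually pair it with a load-balancing solution at the same time. The most widely used load-balancing solution for Tomcat is Apache HTTP Server with the JK module, acting as the load-balance server in front of Tomcat. However, most of what I found online explains setups where both Apache HTTP Server and Tomcat use the HTTP protocol. If Tomcat is to use HTTPS, the Apache HTTP Server doing the load balancing in front must of course use HTTPS as well. But documentation for this part is really scarce, which leaves one rather... 囧rz

Below is the setup that I tried myself and confirmed lets both Tomcat and the front-end load-balancing Apache HTTP Server use HTTPS. Refer to it if you need it, and please point out anything that is wrong.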

1. Software to install
Win32 Operating System
N Tomcat 5.0/5.5 instances (N >= 2)
Apache HTTP Server 2.2.4 with SSL version
JK module for Apache HTTP Server 2.2.4

2. Tomcat with SSL
2.1 Official documentation
http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html (for Tomcat 5.0)
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html (for Tomcat 5.5)

2.2 Setup
Step1 : In the console, run %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA and set the password to changeit
Step2 : In $CATALINA_HOME/conf/server.xml, uncomment the section marked <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->


3. Tomcat with cluster
3.1 Official documentation
http://tomcat.apache.org/tomcat-5.0-doc/cluster-howto.html (for Tomcat 5.0)
http://tomcat.apache.org/tomcat-5.5-doc/cluster-howto.html (for Tomcat 5.5)

3.2 Setup
Step1 : On every Tomcat server that will join the cluster, uncomment <Cluster>...</Cluster> in $CATALINA_HOME/conf/server.xml, and add the attribute jvmRoute="the worker name you chose" to the <Engine> tag
Step2 : All Tomcat servers in the cluster must use the same multicast address and multicast port

3.3 Notes
3.3.1 If several Tomcat instances are installed on the same server, the following ports must be set to different values
Server port
non-SSL Coyote HTTP/1.1 Connector port
SSL Coyote HTTP/1.1 Connector port
Coyote/JK2 AJP 1.3 Connector port
Cluster tcpListenPort

3.3.2 Every object stored in HttpSession must implement the java.io.Serializable interface

3.3.3 The following JSP file can be used for testing; if the test succeeds, the session ID returned from different URLs will be the same
<%@ page contentType="text/html; charset=UTF-8" import="java.util.*"%>
<html>
<head>
<title>Cluster App Test</title>
</head>
<body>
Server Info:
<%
  out.print(request.getLocalAddr() + " : " + request.getLocalPort());
%>
<%
  out.println("<br> ID " + session.getId());
 
  // If a new session attribute is being set
  String dataName = request.getParameter("dataName");
  if (dataName != null && dataName.length() > 0) {
    String dataValue = request.getParameter("dataValue");
    session.setAttribute(dataName, dataValue);
  }
 
  out.print("<b>Session 列表</b>");
 
  Enumeration e = session.getAttributeNames();
  while (e.hasMoreElements()) {
    String name = (String) e.nextElement();
    String value = session.getAttribute(name).toString();
    out.println(name + " = " + value);
  }
%>
 
  <form action="index.jsp" method="POST">
    名稱:<input type=text size=20 name="dataName"> <br>
    值:<input type=text size=20 name="dataValue"> <br>
    <input type=submit>
  </form>
</body>
</html>



4. Tomcat with load balance
4.1 Official documentation
http://tomcat.apache.org/tomcat-5.0-doc/balancer-howto.html (for Tomcat 5.0)
http://tomcat.apache.org/tomcat-5.5-doc/balancer-howto.html (for Tomcat 5.5)

4.2 Setup
Step1 : Add the following settings to <Apache HTTP Server install directory>/conf/httpd.conf
#(httpd.conf)
# Load the mod_jk module
LoadModule jk_module modules/mod_jk.so
 
#
# Configure mod_jk
#
JkWorkersFile conf/workers.properties
JkMountFile conf/uriworkermap.properties
JkLogFile logs/mod_jk.log
JkLogLevel info
 
<Location /jkmanager>
  JkMount jkstatus
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Location>

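Step2 : Add a workers.properties text file under <Apache HTTP Server install directory>/conf; its settings can follow the example below (remember to change the host and port values to match your actual environment)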
# The advanced router LB worker
worker.list=router,jkstatus
 
# Define a worker using ajp13
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.lbfactor=1
# Define preferred failover node for worker1
#worker.worker1.redirect=worker2
 
# Define another worker using ajp13
worker.worker2.port=9009
worker.worker2.host=localhost
worker.worker2.type=ajp13
worker.worker2.lbfactor=1
# Disable worker2 for all requests except failover
#worker.worker2.activation=disabled
 
# Define the LB worker
worker.router.type=lb
worker.router.balance_workers=worker1,worker2
 
# Define a 'jkstatus' worker using status
worker.jkstatus.type=status    

Step3 : Add a uriworkermap.properties text file under <Apache HTTP Server install directory>/conf; its settings can follow the example below
/*=router


4.3 Monitoring the load balancer
On the machine where the load-balancing software is installed, open http://localhost/jkmanager in a local browser to monitor it


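5. Apache HTTP Server with SSL
5.1 Setup
Step1 : In <Apache HTTP Server install directory>/conf/httpd.conf, uncomment LoadModule ssl_module modules/mod_ssl.so

Step2 : In <Apache HTTP Server install directory>/conf/httpd.conf, uncomment Include conf/extra/httpd-ssl.conf

Step3 : Generate the CA-related certificates
In the console, change to the <Apache HTTP Server install directory>/bin directory
In the console, run openssl req -config ../conf/openssl.cnf -new -out ../conf/server.csr and enter a password of your own choosing
In the console, run openssl rsa -in privkey.pem -out ../conf/server.key and enter the password you just chose
In the console, run openssl x509 -in ../conf/server.csr -out ../conf/server.crt -req -signkey ../conf/server.key -days 3650
In the console, run openssl x509 -in ../conf/server.crt -out ../conf/server.der.crt -outform DER

As for the certificate generation settings written in Step3, they gave me quite a headache and I am not sure whether the certificates produced this way have any problems. If any expert knows how to set this up most securely, please advise...<(_ _)>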

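6. Additional notes
6.1 If you want users to be able to reach Tomcat only over HTTPS connections, you can change the following settings
Comment out Listen 80 in <Apache HTTP Server install directory>/conf/httpd.conf
Comment out the section marked <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> in $CATALINA_HOME/conf/server.xml

6.2 Tomcat clustering works by multicast, so the Tomcat servers in a cluster should preferably be on the same switch's network segment; otherwise the cluster may well fail, because multicast may not get through once it crosses switches.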

7. References
http://zanyking.java.pro/post/23/81
http://www.ibm.com/developerworks/cn/opensource/os-lo-apache-tomcat/index.html
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
http://www.pczone.com.tw/vbb3/thread/47/96241/
http://www.pczone.com.tw/vbb3/thread/47/96447/
http://xiaoant.blog.sohu.com/40503251.html


wing_zero edited on 2007-08-25 09:22
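
A consistency check for the setup in sections 3 and 4, as an added example that is not part of the original post: it parses workers.properties and each Tomcat's server.xml, then reports balance_workers entries with no matching jvmRoute or AJP port, and ports configured more than once (3.3.1). The sample configuration and the names parse_workers, tomcat_node and audit are constructed for illustration, and it assumes all instances run on one host.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def parse_workers(text):
    """Parse workers.properties into {worker_name: {property: value}}."""
    workers = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        parts = key.strip().split(".")
        # Keep worker.<name>.<property>; skips comments, blanks and worker.list
        if sep and len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    return workers

def tomcat_node(server_xml):
    """Return (jvmRoute, AJP port, all listening ports) from one server.xml."""
    root = ET.fromstring(server_xml)
    conns = list(root.iter("Connector"))
    ajp = next((c.get("port") for c in conns if "AJP" in c.get("protocol", "")), None)
    # <Server port> is the shutdown port; tcpListenPort may sit on any element
    ports = [root.get("port")] + [c.get("port") for c in conns]
    ports += [e.get("tcpListenPort") for e in root.iter() if e.get("tcpListenPort")]
    route = next((e.get("jvmRoute") for e in root.iter("Engine")), None)
    return route, ajp, ports

def audit(workers_text, server_xmls):
    """Return findings for Tomcat instances on one host behind an lb worker."""
    workers = parse_workers(workers_text)
    nodes = [tomcat_node(x) for x in server_xmls]
    ajp_by_route = {route: ajp for route, ajp, _ in nodes}
    findings = []
    for lb in [w for w in workers.values() if w.get("type") == "lb"]:
        for name in lb.get("balance_workers", "").replace(" ", "").split(","):
            if name not in ajp_by_route:
                findings.append(f"{name}: no Tomcat has jvmRoute={name!r}")
            elif workers.get(name, {}).get("port") != ajp_by_route[name]:
                findings.append(f"{name}: port differs from that Tomcat's AJP port")
    used = Counter(p for _, _, ports in nodes for p in ports)
    return findings + [f"port {p} configured {n} times" for p, n in used.items() if n > 1]

# Constructed sample data: node 2 has the wrong jvmRoute and reuses port 8005.
XML = ('<Server port="{0}"><Service><Connector port="{1}"/>'
       '<Connector port="{2}" protocol="AJP/1.3"/><Engine jvmRoute="{3}"><Host>'
       '<Cluster tcpListenPort="{4}"/></Host></Engine></Service></Server>')
WORKERS = ("worker.worker1.port=8009\nworker.worker2.port=9009\n"
           "worker.router.type=lb\nworker.router.balance_workers=worker1,worker2\n")
NODES = [XML.format(8005, 8080, 8009, "worker1", 4001),
         XML.format(8005, 9080, 9009, "tomcat2", 4002)]
if __name__ == "__main__":
    print("\n".join(audit(WORKERS, NODES)))
```
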
Author: choykawairicky
Subject: Re:Tomcat 5.0/5.5 with SSL + cluster + load balance: experience notes [Re:wing_zero]
Posts: 10
Points: 0
Posted: 2008-05-23 18:05

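Suppose there are two servers, load-balanced with Apache + mod_jk (without the Tomcat cluster part).
When Server 1 is shut down, requests automatically switch to Server 2.
All the values kept in the session are preserved;
only the session ID has changed.
Is this normal? Shouldn't the session ID stay the same too?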


Author: mycomic1201
Subject: Re:Tomcat 5.0/5.5 with SSL + cluster + load balance: experience notes [Re:wing_zero]
Posts: 1
Points: 0
Posted: 2009-10-15 17:47

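May I ask:
3.3.3 The following JSP file can be used for testing; if the test succeeds, the session ID returned from different URLs will be the same

Does this mean that the ID seen at http://Server1:8080/index.jsp
and the ID seen at http://Server2:8080/index.jsp

will be the same?

Thank you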

